############################################
Internet Explorer 7 & 8 URL validation vulnerability

Original Advisory: http://lostmon.blogspot.com/2010/02/internet-explorer-7-8-url-validation.html
Vendor URL: http://www.microsoft.com
Related advisory: http://lostmon.blogspot.com/2010/02/internet-explorer-6-7-8-url-validation.html
Related bulletins: MS10-002 and MS10-007
Related CVE: CVE-2010-0027
Related OSVDB ID: 62245 and 62245
Related Secunia: SA38501 and SA38209
Related BID: 37884
############################################

############
Description
############

A remote code execution vulnerability exists in the way that Internet Explorer incorrectly validates input. An attacker could exploit the vulnerability by constructing a specially crafted URL. When a user clicks the URL, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights,

#################
Versions affected
#################

I have tested Internet Explorer 7 & 8 on these versions of Windows:

All versions of Windows 7
Windows XP Home
Windows XP Pro

See the exploitability index in the related Microsoft bulletins for a complete list of affected products.
#############
Timeline
#############

Discovered: 05-11-2009
Reported to vendor: 15-11-2009
Vendor response: 15-11-2009
Vendor accepts in case manager: 19-11-2009
Vendor patch: 21-01-2010
Vendor patch 2: 09-02-2010
Public disclosure: 21-01-2010
Details disclosure: 10-02-2010

##############
Solution
##############

See http://www.microsoft.com/technet/security/Bulletin/ms10-002.mspx and http://www.microsoft.com/technet/security/Bulletin/ms10-007.mspx for more details and to download the vendor's patch.

#######################
Sample code and PoCs
#######################

This vulnerability is based on the way Internet Explorer validates URI handlers and the special character '#'.

To test and understand it, first open Internet Explorer and type a fake handler such as 'handler:' in the address bar. Because the protocol is unknown, IE shows its internal page 'res://ieframe.dll/unknownprotocol.htm'.

If we type 'handler:http://[some-host]', IE waits to open the host but does not show any error or unknown-protocol page.

If we type 'handler:handler2:' in the address bar, IE again shows the 'res://ieframe.dll/unknownprotocol.htm' page.

But if we concatenate two unknown protocol handlers and use the special character '#', as in 'handler:handler#:', Internet Explorer shows an alert warning: "Internet Explorer cannot find file:///". With this combination IE falls back to the file: protocol handler.

Seeing this alert, we can think: if we concatenate two handlers, the '#' character and a file path, maybe we can access files on the hard disk:

handler:handler#:c:\windows\calc.exe

But we get "Internet Explorer cannot find the file" again. So we try directory traversal to reach the file:

handler:handler#:../../../../C:\windows/calc.exe

Now IE prompts us to download or execute the file. We have bypassed the restrictions!

So far we have been working in the address bar. Can a web page use this issue to do the same and ask to download the file?
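Before moving on to the web-page PoCs, here is an added example that is not part of the original advisory: a small JavaScript classifier that flags URL strings with the shape built up above (two stacked protocol handlers, a '#' inside the second handler name, then a drive letter or "../" traversal), so a proxy, mail gateway or log scanner can spot attempts against unpatched IE 7/8. The handler-prefix parsing rules, the function names (parseHandlerChain, classifyUrl, scanUrls) and the sample URLs are this example's own assumptions; they do not describe IE's real URL parser.

```javascript
// Added example, not from the original advisory: classify URL strings by the
// malformed "stacked handler + '#' + local path" shape described above.
// The parsing rules below are assumptions for this example, not IE's parser.

// A handler prefix is a run of characters with no ':', '/', '\' or whitespace,
// terminated by ':'. This is deliberately looser than an RFC 3986 scheme,
// because the advisory's PoCs show IE accepting prefixes such as
// "document.write%28'shit#:" that a strict scheme grammar would reject.
const HANDLER_PREFIX = /^([^:\/\\\s]+):/;

// Split "h1:h2:rest" into the list of handler names and the remaining path.
function parseHandlerChain(url) {
  const handlers = [];
  let rest = url;
  for (;;) {
    const m = HANDLER_PREFIX.exec(rest);
    if (!m) break;
    // "C:\..." or "c:/..." is a drive-qualified path, not another handler.
    if (m[1].length === 1 && /^[\\\/]/.test(rest.slice(m[0].length))) break;
    handlers.push(m[1]);
    rest = rest.slice(m[0].length);
  }
  return { handlers, rest };
}

// Returns { url, handlers, rest, reasons, verdict } where verdict is
// 'benign', 'suspicious' (stacked handlers) or 'exploit-pattern'
// (stacked handlers + '#' in a handler + a local path or traversal).
function classifyUrl(url) {
  const { handlers, rest } = parseHandlerChain(url);
  const reasons = [];
  if (handlers.length >= 2) reasons.push('nested-handlers');
  if (handlers.some((h) => h.includes('#'))) reasons.push('hash-in-handler');
  if (/(^|[\\\/])\.\.([\\\/]|$)/.test(rest)) reasons.push('traversal');
  // Strip leading "../" segments and check whether a drive letter follows.
  if (/^[A-Za-z]:[\\\/]/.test(rest.replace(/^(\.\.[\\\/])+/, ''))) {
    reasons.push('drive-path');
  }

  const stacked = reasons.includes('nested-handlers') && reasons.includes('hash-in-handler');
  const local = reasons.includes('traversal') || reasons.includes('drive-path');
  let verdict = 'benign';
  if (stacked && local) verdict = 'exploit-pattern';
  else if (reasons.includes('nested-handlers')) verdict = 'suspicious';
  return { url, handlers, rest, reasons, verdict };
}

// Return only the non-benign results for a list of URLs.
function scanUrls(urls) {
  return urls.map(classifyUrl).filter((r) => r.verdict !== 'benign');
}

// Constructed sample URLs for this example (not captured traffic); the last
// four mirror the address-bar steps from the advisory.
const SAMPLE_URLS = [
  'http://example.com/page#section',
  'handler:',
  'handler:http://example.com/',
  'handler:handler#:',
  'handler:handler#:c:\\windows\\calc.exe',
  'handler:handler#:../../../../C:\\windows/calc.exe',
];

for (const r of scanUrls(SAMPLE_URLS)) {
  console.log(`${r.verdict.padEnd(16)} ${r.reasons.join(',').padEnd(50)} ${r.url}`);
}
```

A fragment after a real scheme ('http://example.com/page#section') is not a handler name, so ordinary anchors stay benign; only a '#' that sits inside a handler prefix, as in 'handler#:', counts. Run with `node` to see the two exploit-pattern lines and the two suspicious ones.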
YES. We can construct a web page with an iframe like:

#############
PoC one
#################

###############
EOF
###########

If we look at it, it executes Explorer with a local search :D

Can we read the content of any file and upload it to a server, or manipulate its content? I have not found a way to do it; every time, Internet Explorer denies access to the content from the iframe.

#############
PoC four
##############
Get the content
#####################
EOF
#############################

It gives an access denied error. If we try XMLHttpRequest() it does not work either, and access is denied again:

###########
PoC Five
######################

var contents;
var req;
req = new XMLHttpRequest();
// processReqChange is the author's readystatechange callback (not shown here)
req.onreadystatechange = processReqChange;
// The backslashes in the Windows path must be doubled inside a JS string literal
req.open('GET', "handler:document.write%28'shit#:../../../../C:\\Users\\Lostmon\\Searches\\Everywhere.search-ms", true);
req.send('');

############
EOF
#############

If we use it from an ActiveX object it shows access denied again :P

###############
PoC six
#############
################
EOF
######################

So we conclude that we can read txt files, execute HTML, XML and search-ms files, and download and execute binary files from the victim's hard disk, just by viewing a crafted web page.

Microsoft has patched it and released a security bulletin that resolves this issue. See http://www.microsoft.com/technet/security/Bulletin/ms10-002.mspx and http://www.microsoft.com/technet/security/Bulletin/ms10-007.mspx for details and to download the security update, which fixes this issue and seven more vulnerabilities.

####################
End
####################

Thanks to the Google Security Team for their support
Thanks to MSRC for their support and acknowledgments
Thanks to icar0 & sha0 from Badchecksum
Thanks to Brink for testing with me on some Windows versions :D
Thanks to estrella for being my light

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what moves the mind....