** Digit-Labs Security Advisory (http://www.digit-labs.org/) ** Advisory Name: MS99-040 Exploit Release Date: 18.3.2002 Application: Tested on IE5.0 & IE 6 Platform: Tested on Windows NT/XP Severity: Medium Author(s): GoLLuM.no [mailto:gollum@digit-labs.org] Vendor Status: Known since way back in September 28, 1999 (MS99-040) Executive Summary: Microsoft posted a security bullitin on this way back in September 28, 1999, it is still exploitable though if the html file is run from the users local disk and not from a webserver or file-share. Microsoft does not tell you how it actually works, but since I am a nice person I will share it with you people... :-) Detailed Description: From Internet Explorer 5 and onwards have several implemented 'Behaviours', one of these is the So-called "Download Behaviour" which downloads a file and notifies a specified callback function when the download is complete. I does however have a security glitch that allows for download of files directly from the clients computer without his/her knowledge, these file could very well be password files or any other files that the client has access to. After the file is downloaded it can be posted to a server without the users knowledge. The danger is in someone mailing you an attached html-page that you open and then steals some files from you. Before the V5 patch this exploit would work from a Web-server too. Proof-of-concept: 1.Create a file on your hardisk called c:\passwords.pwd 2.Place the text "ginger:eqweqw234qwe213:Ginger Lynn:::" in the new file 3.Create a new html-file somewhere on you PC (not on a web-server or fileshare) and call it download.htm 4.Place the following content in the html-file you just created:
5.Create a file on a webserver to recive the stolen file called test.asp and put the following in it if using ASP: Stolen password file:
<% response.write request.form("obj") %> 6.Run the html-file to test the exploit. See also: http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/security/bulletin/ms99-040.asp