** Digit-Labs Security Advisory (http://www.digit-labs.org/) **
Advisory Name: MS99-040 Exploit
Release Date: 18.3.2002
Application: Tested on IE5.0 & IE 6
Platform: Tested on Windows NT/XP
Severity: Medium
Author(s): GoLLuM.no [mailto:gollum@digit-labs.org]
Vendor Status: Known since way back in September 28, 1999 (MS99-040)
Executive Summary:
Microsoft posted a security bullitin on this way back in September 28,
1999, it is still exploitable though if the html file is run from the
users local disk and not from a webserver or file-share.
Microsoft does not tell you how it actually works, but
since I am a nice person I will share it with you people... :-)
Detailed Description:
From Internet Explorer 5 and onwards have several implemented
'Behaviours', one of these is the So-called "Download Behaviour" which
downloads a file and notifies a specified callback function when the
download is complete. I does however have a security glitch that allows
for download of files directly from the clients computer without
his/her knowledge, these file could very well be password files or any
other files that the client has access to. After the file is downloaded
it can be posted to a server without the users knowledge. The danger is
in someone mailing you an attached html-page that you open and then
steals some files from you. Before the V5 patch this exploit would work
from a Web-server too.
Proof-of-concept:
1.Create a file on your hardisk called c:\passwords.pwd
2.Place the text "ginger:eqweqw234qwe213:Ginger Lynn:::" in the new
file
3.Create a new html-file somewhere on you PC (not on a web-server or
fileshare) and call it download.htm
4.Place the following content in the html-file you just created: