Overwrite people's files through IE3 with malicious forms

Summary
Description: MS Internet Exploder 3 will overwrite local files if the remote form asks it to.
Author: Andrew McNaughton <andrew@SQUIZ.CO.NZ>
Compromise: Malicious web page can overwrite files belonging to visitors who use M$ IE3
Vulnerable Systems: Microsoft Explorer version 3.0 PPC running on a Mac, probably other IE3 versions.
Date: 29 August 1997
Details


Date: Fri, 29 Aug 1997 10:54:43 +1200
From: Andrew McNaughton <andrew@SQUIZ.CO.NZ>
To: BUGTRAQ@NETSPACE.ORG
Subject: Mac MSIE 3.0 file overwrite.

I imagine this is probably already known?  If so, could someone point me to
where I should have looked to check this.

Microsoft Explorer version 3.0 PPC running on a mac is quite happy to write
form output data to a local file, possibly overwriting existing data.

At first I thought this ability to write form output to a local file
(discovered through relative addressing and a local copy of a form) was
kind of useful.  Then I overwrote my own form with <FORM ACTION = "">,
entered when I just wanted to see the appearance of the form.  Then I found
that absolute addressing is possible using file:// and this can be abused
through a remote form.

A maliciously written form might include the following:

<FORM ACTION="file:///Hard_Disk/Desktop%20Folder/Untitled.html" METHOD="POST">
<INPUT NAME="This could have overwritten anything!" TYPE=Hidden>
<Input Type=Submit>
</FORM>

The file Hard_Disk:Desktop Folder:Untitled.html gets written or
overwritten, and receives the following contents:

This+could+have+overwritten+anything%21=

The potential for writing particular data to the file is limited by the URL
encoding of the Form Output, and such attacks are for the most part going
to be impossible.  Damage to what is already on the machine is more likely.


If however there is a convenient text encoded compression format that is
recognised by StuffIt Expander, then it might be possible to get things
executed by storing them in suitable form in the startup items folder.

Is this Mac Specific?  Has it been fixed?


Andrew McNaughton


.   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .
Andrew McNaughton         |       I tried to make it idiot proof,
Andrew@squiz.co.nz        |       but they just developed a
http://www.squiz.co.nz    |       better idiot
http://www.newsroom.co.nz
.   .   .   .   .   .   .   .   .   .   .   .   .   .   .   .
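
An added example, not part of the original post: a defender-side audit in Python that flags any form whose ACTION uses a scheme other than http/https and reproduces the URL-encoded body that would be written to the target. The allowed-scheme policy and the names FormAudit and audit are assumptions of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit

# Constructed sample: the form quoted in the post above.
SAMPLE = '''<FORM ACTION="file:///Hard_Disk/Desktop%20Folder/Untitled.html" METHOD="POST">
<INPUT NAME="This could have overwritten anything!" TYPE=Hidden>
<Input Type=Submit>
</FORM>'''

# Assumed policy: only relative ("") and http(s) form targets are acceptable.
ALLOWED_SCHEMES = {"", "http", "https"}


class FormAudit(HTMLParser):
    """Collect each form's action and the named fields it would submit."""

    def __init__(self):
        super().__init__()
        self.forms = []      # [{"action": str, "fields": [(name, value)]}]
        self.current = None  # form currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        if tag == "form":
            self.current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self.current)
        elif tag == "input" and self.current and a.get("name") is not None:
            self.current["fields"].append((a["name"], a.get("value") or ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self.current = None


def audit(html):
    """Return one finding per form whose action scheme is not allowed."""
    parser = FormAudit()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        scheme = urlsplit(form["action"].strip()).scheme.lower()
        if scheme not in ALLOWED_SCHEMES:
            # application/x-www-form-urlencoded body, as the post observed it
            body = urlencode(form["fields"])
            findings.append({"action": form["action"], "scheme": scheme, "body": body})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['scheme']}: action {f['action']!r} would receive {f['body']!r}")
```

The reported body matches the file contents quoted in the post, which shows why the writer has little control over what lands in the file beyond URL-encoded field names and values.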

This page is part of Fyodor's exploit world.