IE Local Open Hack

published: February 24th, 2007

Here I present a useless vulnerability that I found while drinking my coffee one Saturday morning. It seams that Internet Explorer can be forced to open file:// resources from http:// URLs. Weirdly, this exploit works only from localhost so in theory it does not posses any risk at all. However, I am not sure if this condition is met because I am doing something wrong.

If you have time investigating the matter, please report your findings. I personally don’t have much time digging into this issue. However, if someone makes this POC work from every http:// then obviously that will be quite concerning.

When unaware user clicks on a link build as shown in the provided POC, a confirmation box opens. Although it is obvious what is going on if you are familiar with these types of exploits, it might not be the case with normal users. The impact level of this issue is close to zero. Why did I waste my time reporting this? Well, I spend 20 minutes finding the issue, which is not that much. Moreover, this issue could become quite nasty.

I have a slight suspicion that the exploit does not work on GNUCITIZEN because I am not allowing directory listing inside the folder which serves the POC. It will be very nice if someone can verify this.

» more | » comments rss | posted by pdp | syndication and integration ( )

Comments

Aviv responds:

Local resources cannot be accessed from by default the “Internet Zone”.
localhost is considered “Intranet Zone”, which by default allows referencing local resources.

These settings, of course, can be changed in the “Internet Options”.

pdp responds:

Aviv, yes u r right but still if you make a page that contains something like this:

<a href="file:///C:/">click</a>

and you host it on localhost, and then you try to click on the link, it simply wont result in what you may expect. well, at least it doesn’t work for me. This means that, although the security is relaxed on localhost, it is not to the extend we think it is.

Or maybe, the coffee didn’t help much :) this morning.

cheers

MustLive responds:

Man. This exploit works on your IE7, but doesn’t work on my IE6 Win XP SP2. As well as it doesn’t work at not IE browsers. Maybe it is some IE7 feature.

So, Pdp, you need more coffee :-)

Ivan responds:

This exploit works very good en ie/mozilla , on win xp sp2.

Respond

In order to preserve the high standards of GNUCITIZEN, before you post a comment, please take note of the following guidelines:

Commenting is provided as a courtesy only.
Please be brief and relevant to the post.
Please be polite even in disagreement with us or others.
Support claims you wish to make using sources and links.
No personal attacks, name calling, or commercial commenting.
Anyone creating false or multiple identities will be banned.
If you don't have a cogent argument, you will be censored.
If you are purposefully deceptive, you will be censored.
No spamming or flooding.

We appreciate your time and effort in contributing to GNUCITIZEN.

name: (required)

mail: (required)

website:

comment:

GNUCITIZEN Products

	Blogsecurify is a division of GNUCITIZEN. The initiative was established to provide social media security services through our free automated testing engine. The Blogsecurify team is also engaged to deliver quality content on issues concerning social media technologies.
	Netsecurify is a division of GNUCITIZEN. The initiative was established to provide network security services through our free automated testing engine. The service is still in private-beta.
	Websecurify is a division of GNUCITIZEN. The initiative was established to provide a free web application security framework for automated and manual penetration testing. The service is still in private-beta.
	Secapps serves as an application directory of all online tools which the GNUCITIZEN team has built over the years.
	Securls serves as an information security intelligence tool, combining news and articles from the best information security resources online.