MSIE 5 and 6 FTP vulnerability

Published: 2008-03-11
Last Updated: 2008-03-12 12:46:31 UTC
by Swa Frantzen (Version: 1)
3 comment(s)

The many out there still using older versions of MSIE (such as Internet Explorer 5 or 6) might well be interested in two new vulnerabilities discovered and made public today on the Full Disclosure mailing list.

It looks somewhat like a Cross Site Request Forgery (CSRF) attack: the victim (somehow) hits a malicious URL, possibly unintentionally, e.g. through an injected iframe on a forum. The URL makes the client contact another server and do things there that the user never intended, but was authorized to do. The twist in this case is that the second request, the one doing the damage, can also be an FTP request, not just an HTTP request.

Still, normally a URL can only log in and download (GET) files, and if the FTP server requires authentication, either the user has to enter the login/password (tipping them off that something strange is going on) or the URL has to carry the credentials (meaning the attacker already knows them).

That is true until you see the duo of bugs in IE:

  • Apparently IE5 and IE6 accept other commands too, such as deleting files, when the URL is constructed with %-encoded line breaks.
  • Similarly, IE5 and IE6 allow the URL to be constructed in such a manner as to make the browser re-authenticate with cached credentials.

IE7 is claimed not to suffer from this, so if you need a bit more incentive to (be allowed to) upgrade, this might just be it.
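Until those clients are upgraded, the practical control is to stop such URLs at a proxy or URL filter. The following is an added example, not code from this diary or from the advisory: it decodes each component of a URL (repeatedly, so double-encoding is caught) and flags ftp:// URLs whose decoded form contains CR/LF, the primitive the first bug relies on, plus any user info in the host part. The sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample URLs (not taken from the advisory). The second and third
# carry %-encoded line breaks in the path; an IE5/6 client would hand those to
# the FTP control channel as additional commands. NOOP is used as a harmless
# stand-in for whatever follows the line break.
SAMPLE_URLS = [
    "ftp://ftp.example.com/pub/readme.txt",
    "ftp://ftp.example.com/pub/readme.txt%0d%0aNOOP",
    "ftp://user@ftp.example.com/%0ANOOP",
    "http://www.example.com/path%0d%0aX:y",
]

CONTROL_CHARS = {"\r", "\n", "\x00"}


def fully_decode(component: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so %250d is treated as %0d."""
    for _ in range(rounds):
        decoded = unquote(component)
        if decoded == component:
            break
        component = decoded
    return component


def inspect_ftp_url(url: str) -> dict:
    """Return findings for one URL: is it ftp://, does any decoded component
    contain CR/LF/NUL (FTP command injection), and does it name a user
    (which steers which cached credential the browser would replay)."""
    parts = urlsplit(url)
    is_ftp = parts.scheme.lower() == "ftp"
    decoded = [fully_decode(c) for c in
               (parts.netloc, parts.path, parts.query, parts.fragment)]
    crlf = any(ch in comp for comp in decoded for ch in CONTROL_CHARS)
    return {
        "is_ftp": is_ftp,
        "crlf_injection": crlf,
        "has_userinfo": "@" in parts.netloc,
        # Only FTP URLs are in scope here; HTTP CRLF cases belong to a
        # separate header-injection rule.
        "block": is_ftp and crlf,
    }


def scan(urls):
    """Return the URLs from the list that a filter should block."""
    return [u for u in urls if inspect_ftp_url(u)["block"]]
```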

--
Swa Frantzen -- Gorilla Security

Comments

In case someone is missing the public disclosure:
http://www.rapid7.com/advisories/R7-0032.jsp

Bye,
Freudi

"Doesn't look like a very severe issue in IE5/6 to me though"
I think that we need to think more outside the box. Let's combine the %-encoded line breaks with LCD and GET commands on a malicious server to attack your Windows directory, such as overwriting critical files or replacing commonly used applications with malware. Or perhaps build an AJAX-based iframe suite that allows you to completely remotely control an FTP server using someone else's credentials, a controlling computer for the AJAX script, and dynamically built sub-iframes based on those AJAX responses. The security implications of this are quite severe.
Well, even the advisory on the issue released by Rapid7 is unclear whether that issue can "only" be exploited with the "Enable folder view for FTP sites" option being enabled or if the option doesn't affect (the severity of) the issue. Note that this very option isn't present in IE7 any longer, but only in IE5/6.