File Stealing in Internet Explorer 6 - Part 4
This is part four in a multi-part discussion of Internet Explorer 6 file stealing vulnerabilities. The first part presents background information. The second part discusses targeting the "C:\boot.ini" file, and the third part improves the capture mechanism by intelligently positioning the cursor in the file element.
Part four starts with the simple observation that the backslash character ('\') appears very rarely in typed text on the Internet. Unless, of course, your primary form of communication is emoticons ( \m/ - ROCK! ), or you enter a lot of control characters (e.g., "\r\n\t\v\b").
Fortunately, as the fourth demonstration shows, Internet Explorer treats the forward slash ('/') as a completely interchangeable character. Just as the backslash is often used to bypass file filter checks against IIS on Windows, the forward slash can be used in place of the backslash.
The code is modified to use both separators:
var sep_code = String("\\").charCodeAt(0);
var alt_sep_code = String("/").charCodeAt(0);When deciding on the files to capture:
wanted = wanted.toLowerCase();
alt_wanted = wanted.replace(/\\/g, "/");
And searching for characters to capture:
if ((!matched[i]) && (
(target[i] == current) ||
((target[i] == sep_code) && (alt_sep_code == current))
)) {In this way, the attack doubles its chances of matching a backslash by allowing either a '\' or a '/'.
So, quick as you can type, "I <3 http://blogs.msdn.com/ie/", your "C:\boot.ini" file could have been stolen.