File Stealing in Internet Explorer 6 - Final Part

This is the sixth and final part of a multi-part discussion of Internet Explorer 6 file stealing vulnerabilities. The previous posts started by examining the base vulnerability (the ability to selectively redirect keypress events) and built upon it to construct an effective file stealing attack. The prior posts: part one, part two, part three, part four, and part five.

The final demonstration makes several cosmetic improvements. First, the file to steal is no longer hard-coded to "C:\boot.ini". Instead, it can be edited and set to a desired value (e.g., "C:\windows\repair\sam"). Prior demonstrations never supported actually submitting the file. The ability to automatically upload files was added and can be activated by unchecking "Standalone Demo?".

Most importantly, the file input element is placed in its own div and styled with CSS to be absolutely positioned at negative coordinates so that it is not visible on the screen:

  position: absolute;
  left: -1000px;
  top: -100px;

Using "display: none;" is not an option. If the file input element is not displayed, attempting to set focus on it produces the following error: Can't move focus to the control because it is invisible, not enabled or of a type that does not accept the focus.
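The point above gives defenders a usable heuristic: a file input that is displayed (and therefore focusable) but rendered entirely outside the viewport is a control the user cannot see yet the page can type into. The following is an added example, not code from the original post, of an audit function that flags such elements. It works on plain element records so it runs without a browser; collectFileInputs() shows how the same records would be gathered from a live document. All function names, the sample elements and the viewport size are this example's own assumptions.

```javascript
// Added example (not from the original post): flag <input type="file">
// elements that are displayed but positioned outside the visible viewport,
// the hiding technique described in the post (absolute positioning at
// negative coordinates instead of display:none, which cannot take focus).

const VIEWPORT = { width: 1024, height: 768 }; // assumed viewport size for the audit

// True when the element's box does not intersect the viewport at all,
// or has no area. rect uses the getBoundingClientRect() shape.
function isOffscreen(rect, viewport) {
  return (
    rect.left + rect.width <= 0 ||        // entirely left of the viewport
    rect.top + rect.height <= 0 ||        // entirely above the viewport
    rect.left >= viewport.width ||        // entirely to the right
    rect.top >= viewport.height ||        // entirely below
    rect.width === 0 ||
    rect.height === 0
  );
}

// elements: array of { id, type, display, rect: { left, top, width, height } }
// Returns the ids of file inputs that are displayed (hence focusable) yet
// not visible, i.e. candidates for a concealed upload control.
function auditFileInputs(elements, viewport = VIEWPORT) {
  return elements
    .filter((el) => el.type === 'file')
    .filter((el) => el.display !== 'none')   // display:none cannot be focused anyway
    .filter((el) => isOffscreen(el.rect, viewport))
    .map((el) => el.id);
}

// Browser-only helper: build the element records from a real document.
function collectFileInputs(doc, win) {
  return Array.from(doc.querySelectorAll('input[type=file]')).map((el) => {
    const r = el.getBoundingClientRect();
    return {
      id: el.id || el.name || '(anonymous)',
      type: 'file',
      display: win.getComputedStyle(el).display,
      rect: { left: r.left, top: r.top, width: r.width, height: r.height },
    };
  });
}

// Constructed sample records: an ordinary upload control, one positioned the
// way the post describes (left: -1000px; top: -100px), one hidden via
// display:none, and an off-screen text input that is not a file control.
const SAMPLE_ELEMENTS = [
  { id: 'avatar',  type: 'file', display: 'inline-block', rect: { left: 40,    top: 200,  width: 250, height: 22 } },
  { id: 'stealth', type: 'file', display: 'inline-block', rect: { left: -1000, top: -100, width: 250, height: 22 } },
  { id: 'unused',  type: 'file', display: 'none',         rect: { left: 0,     top: 0,    width: 0,   height: 0 } },
  { id: 'comment', type: 'text', display: 'inline-block', rect: { left: -1000, top: -100, width: 250, height: 22 } },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log('suspicious file inputs:', auditFileInputs(SAMPLE_ELEMENTS));
}
```

Only the 'stealth' record is reported: the visible control passes, the display:none control is ignored because it could not be focused in the first place, and the off-screen text input is outside the scope of the check. In a real page the records would come from collectFileInputs(document, window), for instance from a bookmarklet or extension content script.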

In order to convey what characters have been captured, the file input element contents are displayed inside the green box at the bottom of the textarea.

A second form is added to the page and the file input element is placed inside of it:

<form id="form2" method="post" 
target="file_target"
enctype="multipart/form-data" 
action="upload.cgi">

The form is defined to have a target of file_target which has been added as an iframe:

<iframe name="file_target" height="350" width="700"></iframe>

By using an iframe and a separate form, the attack could be constructed so that there is no visual indication that a file has been uploaded. For demonstration purposes, the results of the file upload are shown. It should be noted, though, that the original form's input values are unaffected by the file submission and functionality is not otherwise impacted.

This concludes the discussion of Internet Explorer 6 file stealing vulnerabilities. Future posts will examine Internet Explorer 7 and how these vulnerabilities affect it. Lessons learned from IE6 will be applied to help construct possible attacks.

Posted by gfleischer on 2008/01/19 at 19:36 in Vulnerabilities
