MS IE URI Redirection Information Disclosure (Feb 4, 2010)

Windows Internet Explorer (formerly Microsoft Internet Explorer) is one of the most widely used web browsers. The browser is capable of processing HTML, images, scripting languages, and various other popular Internet specifications.

URI schemes are among the specifications supported by Internet Explorer. IE uses URI schemes to access resources at the specified paths. These schemes include http://, ftp://, mailto:, file://, and so on. For example, the following scheme can be referenced in any web page:

http:////

The file:// URI scheme is typically used to retrieve files from one’s own computer. This scheme, unlike many other URL schemes, does not designate a resource that is universally accessible over the Internet. It has the following format:

file:///

Where could be the following hierarchical directory:

/C$/my/directory/file.txt

Beyond these specifications, Internet Explorer embeds numerous security policies meant to prevent rendered resources from attempting malicious actions. One policy enforced in popular browsers is the prevention of cross-site scripting (XSS). It is enforced specifically to prevent one site from accessing potentially sensitive information from other active sessions, which may contain, among other things, authentication information. Furthermore, Internet Explorer groups websites into security zones with different access privileges. For instance, websites in the Intranet zone have higher privileges by default than those in the Internet zone.

A security bypass vulnerability exists in Microsoft Internet Explorer that could result in information disclosure as well as the rendering of arbitrary files on the system as HTML content. Specifically, the vulnerability is due to improper processing of the file:// URI scheme during the web page redirection process. The vulnerable code does not properly validate the security zone before accessing local files on the target client. If an attacker can predict the correct filename and path, it is possible for the attacker to access arbitrary files via a crafted web page.

The SonicWALL UTM team has researched this vulnerability and released an IPS signature to detect and block generic attack attempts targeting it. The following IPS signature has been released:

  • 3104 MS IE URI Redirection Security Bypass Attempt

This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0255.
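The check below is an added example, not the SonicWALL signature and not code from this advisory: a proxy-side heuristic that flags responses from remote servers whose redirect target uses the file:// scheme. It assumes the redirect is visible as a 3xx Location header or a meta refresh tag, which the advisory does not specify; the function names and sample responses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Schemes that point at the client's own file system.
LOCAL_SCHEMES = {"file"}

# Assumes http-equiv appears before content inside the <meta> tag.
META_REFRESH = re.compile(
    r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh[\"']?[^>]*"
    r"content\s*=\s*[\"'][^\"']*?url\s*=\s*([^\"'>\s]+)",
    re.IGNORECASE,
)

def redirect_targets(raw_response):
    """Yield (mechanism, target) for each redirect in one raw HTTP response."""
    head, _, body = raw_response.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = lines[0].split(" ", 2)
    code = int(status[1]) if len(status) > 1 and status[1].isdigit() else 0
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if 300 <= code < 400 and name.strip().lower() == "location":
            yield "location-header", value.strip()
    for match in META_REFRESH.finditer(body):
        yield "meta-refresh", match.group(1)

def is_local_scheme(target):
    """True if the redirect target uses a local-file scheme."""
    # Drop whitespace and control characters, which browsers tolerate in URLs.
    cleaned = re.sub(r"[\x00-\x20]+", "", target)
    return urlsplit(cleaned).scheme in LOCAL_SCHEMES

def flag_local_redirects(raw_response):
    """Return the redirects in a remote response that target local files."""
    return [(how, tgt) for how, tgt in redirect_targets(raw_response)
            if is_local_scheme(tgt)]

# Constructed sample responses (not captured traffic).
SAMPLES = [
    "HTTP/1.1 302 Found\r\nLocation: FILE:///C$/my/directory/file.txt\r\n\r\n",
    "HTTP/1.1 302 Found\r\nLocation: http://example.test/next\r\n\r\n",
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    '<meta http-equiv="refresh" content="0; url=file:///C$/my/directory/file.txt">',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(flag_local_redirects(sample))
```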
