From: Berend-Jan Wever [SkyLined@edup.tudelft.nl]
Sent: Friday, April 19, 2002 12:27 PM
To: vulnwatch
Subject: [VulnWatch] Fw: Local file detecting and installed software fingerprinting

Advisory: Local file detecting and installed software fingerprinting

Local file detecting

It is possible to detect local files when a user views a webpage. This can be done in a lot of different ways, depending on the file type you want to detect:

- Images like gif-, jpg- and bmp-files can be detected by opening them in the page and testing whether the image object's "complete" property is true: if so, the file exists; if not, it doesn't.

- Text files like txt-, htm- and html-files can be detected by opening them in an IFRAME and waiting for the "onLoad" event to fire; if it fires, the file exists. Another way to detect them is to load them as a cascading style sheet. (A bug in IE even allows us to read its content!)

- A recently discovered bug in IE allows us to detect ANY type of file using the "dynsrc" and "sizeOf" properties of images.

Although the IMG.dynsrc and cascading style sheet problems are probably going to be fixed soon, the image and IFRAME ways to detect files are not considered problems but features.

Installed software fingerprinting

If we are allowed to detect whether local files exist, we can start fingerprinting the installed software. All we need to know is where the software installs detectable files. The WINDOWS operating system, for instance, installs by default in "\WINDOWS\" or "\WINNT\"; these directories contain files like "desktop.ini", "folder.htt" and a lot of background image examples. If we want to detect whether Windows is installed in the default directory, we can scan for some default installed image using the following code:

...etc...

Using more JavaScript we can make these kinds of scans fully automatic and let them report the findings to the server.

Impact

This thing is BIG. Any company can see the advantage of knowing what kind of software the visitors of their website are using...

Affected software

Although this advisory mainly focuses on Windows-based systems and was tested only on IE 6.0, the same problem will probably exist in all browsers and can probably also be exploited on *NIX-based systems.

More information

My homepage: http://spoor12.edup.tudelft.nl/skylined
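The advisory's probing technique and the software fingerprinting built on it both depend on one thing a defender can look for: served markup that points IMG src/dynsrc, IFRAME src or LINK href at a local path. The following scanner is an added example, not code from the advisory or its author, that flags such references in a captured page so a proxy or site review can spot fingerprinting attempts. The HTML it scans is constructed for the demonstration; the helper names (findLocalFileProbes, classifyReference, scanSample) and the "example.invalid" host are assumptions of this example.

```javascript
// Added example (not from the advisory): static scan of HTML for elements that
// point the browser at local files, the probing pattern the advisory describes.
// Runs under Node.js; the sample page below is constructed for the demo.

// Tags and attributes the advisory names as able to load local files.
const PROBE_ATTRS = {
  img: ["src", "dynsrc"],
  iframe: ["src"],
  frame: ["src"],
  link: ["href"],
  embed: ["src"],
  object: ["data"],
};

// Value shapes that make an attribute a local-file reference.
const LOCAL_PATTERNS = [
  { reason: "file: URL", re: /^\s*file:/i },
  { reason: "drive letter path", re: /^\s*[a-z]:[\\/]/i },
  { reason: "UNC path", re: /^\s*\\\\/ },
  { reason: "rooted backslash path", re: /^\s*\\[^\\]/ },
];

// Returns the matching reason, or null for a remote/relative reference.
function classifyReference(value) {
  for (const p of LOCAL_PATTERNS) {
    if (p.re.test(value)) return p.reason;
  }
  return null;
}

// Walks start tags with a tag-level regex (enough for scanning, not a full
// HTML parser) and returns {tag, attr, value, reason} for each local probe.
function findLocalFileProbes(html) {
  const findings = [];
  const tagRe = /<\s*([a-z]+)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = PROBE_ATTRS[tag];
    if (!attrs) continue;
    for (const attr of attrs) {
      // \b keeps "src" from matching inside "dynsrc".
      const attrRe = new RegExp(
        "\\b" + attr + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s>]+))", "i");
      const am = attrRe.exec(m[2]);
      if (!am) continue;
      const value = am[1] ?? am[2] ?? am[3] ?? "";
      const reason = classifyReference(value);
      if (reason) findings.push({ tag, attr, value, reason });
    }
  }
  return findings;
}

// Constructed sample: one legitimate remote image plus five local probes of
// the kinds the advisory lists (file: URL, drive path, rooted path, CSS, UNC).
const SAMPLE_HTML = `
<html><body>
<img src="http://example.invalid/logo.gif">
<img src="file:///C:/WINDOWS/desktop.ini" onload="hit()">
<img dynsrc="c:\\winnt\\desktop.ini">
<iframe src="\\WINDOWS\\folder.htt"></iframe>
<link rel="stylesheet" href="file:///C:/WINNT/folder.htt">
<img src="\\\\server\\share\\x.gif">
</body></html>`;

function scanSample() {
  return findLocalFileProbes(SAMPLE_HTML);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const f of scanSample()) {
    console.log(`${f.tag}[${f.attr}] -> ${f.value}  (${f.reason})`);
  }
}
```

Run it with `node scanner.js` to list the five flagged references; the remote logo is left alone. Matching on the attribute value rather than on file names keeps the rule independent of which particular default Windows files a page probes for.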