[SECURITY-L] CAIS-Alerta: Remote vulnerability in the XMLHTTP Control

Daniela Regina Barbetti daniela at ccuec.unicamp.br
Mon Feb 25 11:26:58 -03 2002


----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca <cais at cais.rnp.br> -----

From: Centro de Atendimento a Incidentes de Seguranca <cais at cais.rnp.br>
Subject: CAIS-Alerta: Remote vulnerability in the XMLHTTP Control
To: <rnp-alerta at cais.rnp.br>, <rnp-seg at cais.rnp.br>
Date: Fri, 22 Feb 2002 15:42:44 -0300 (EST)

-----BEGIN PGP SIGNED MESSAGE-----


Dear all,

CAIS is forwarding the Microsoft alert, Microsoft Security Bulletin
MS02-008, which addresses a vulnerability that can be exploited remotely
and allow access to local files.

Microsoft XML Core Services (MSXML) includes XMLHTTP ActiveX controls that
allow web pages rendered in the browser to send and receive XML data
through HTTP operations such as POST, GET and PUT.

This vulnerability can be exploited as follows: if a user visits the
attacker's page, the user is redirected to another web page with malicious
content, which can potentially allow the attacker to read confidential
data from that user's system. Any social engineering technique can be used
to get the user to browse to the attacker's pages.

	. This vulnerability can only be exploited from a website.

	. It is not possible to exploit this vulnerability through
	  HTML-formatted email.

	. To read the data, the attacker must know in advance the name
	  and full path of the file. However, CAIS notes that many
	  system files are located in standard directories.

	. This vulnerability does not allow files to be added, changed
	  or removed.


Affected Systems:

	. Microsoft XML Core Services versions 2.6, 3.0, and 4.0

        A vulnerable version of XML Core Services is present in the
        following products:

		. Microsoft Windows XP
		. Microsoft Internet Explorer 6.0
		. Microsoft SQL Server 2000

Available fixes:

	Microsoft XML Core Services
	http://www.microsoft.com/Windowsupdate


CVE identifier:

        CAN-2002-0057 (see http://cve.mitre.org)


More information:

	http://www.microsoft.com/technet/security/bulletin/MS02-008.asp


CAIS strongly recommends that administrators of Windows systems update
their systems, given the severity of this vulnerability.



Sincerely,


################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP      #
#                                                              #
# cais at cais.rnp.br     http://www.cais.rnp.br               #
# Tel. 019-37873300    Fax. 019-37873301                       #
# PGP key available at: http://www.cais.rnp.br/cais-pgp.key    #
################################################################


- ----------------------------------------------------------------------
Title:      XMLHTTP Control Can Allow Access to Local Files
Date:       21 February 2002
Software:   Microsoft XML Core Services
Impact:     Information disclosure
Max Risk:   Critical
Bulletin:   MS02-008

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-008.asp.
- ----------------------------------------------------------------------

Issue:
======
Microsoft XML Core Services (MSXML) includes the XMLHTTP ActiveX
control, which allows web pages rendering in the browser to send or
receive XML data via HTTP operations such as POST, GET, and PUT.
The control provides security measures designed to restrict web
pages so they can only use the control to request data from remote
data sources.

A flaw exists in how the XMLHTTP control applies IE security zone
settings to a redirected data stream returned in response to a
request for data from a web site. A vulnerability results because
an attacker could seek to exploit this flaw and specify a data
source that is on the user's local system. The attacker could
then use this to return information from the local system to the
attacker's web site.

An attacker would have to entice the user to a site under his
control to exploit this vulnerability. It cannot be exploited
by HTML email. In addition, the attacker would have to know the
full path and file name of any file he would attempt to read.
Finally, this vulnerability does not give an attacker any
ability to add, change or delete data.

Mitigating Factors:
====================
 - The vulnerability can only be exploited via a web site.
   It would not be possible to exploit this vulnerability
   via HTML mail.

 - The attacker would need to know the full path and file name
   of a file in order to read it.

 - The vulnerability does not provide any ability to add,
   change, or delete files.

Risk Rating:
============
 - Internet systems: Moderate
 - Intranet systems: Moderate
 - Client systems: Critical

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-008.asp
   for information on obtaining this patch.

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.


*******************************************************************

To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.

For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.
- ------------ Output from pgp ------------
Good signature made 2002-02-22 00:26 GMT by key:
  2048 bits, Key ID 3103F52B, Created 2000-01-22
   "Microsoft Security Response Center <secure em microsoft.com>"
WARNING: The signing key is not trusted to belong to:
Microsoft Security Response Center <secure em microsoft.com>








-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

-----END PGP SIGNATURE-----



----- End forwarded message -----
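
The redirect flaw described in the bulletin above, as an added example that is not part of the original message and is not MSXML code: a simplified model in which the zone policy is checked only for the first URL, beside a version that re-checks every hop of the redirect chain. The zone names, URLs, file path and response table are constructed for illustration.

```javascript
// Simplified model of a zone check on a redirected request (illustrative only).
const LOCAL = "local", INTERNET = "internet";

// Assumption: two zones only. file: URLs are the local machine, all else is Internet.
function zoneOf(url) {
  return new URL(url).protocol === "file:" ? LOCAL : INTERNET;
}

// Constructed responses: one remote URL redirects to a local file, one to a remote host.
const RESPONSES = {
  "http://site.example/data.xml": { redirect: "file:///C:/constructed/secret.txt" },
  "http://site.example/ok.xml": { redirect: "http://cdn.example/ok.xml" },
  "http://cdn.example/ok.xml": { body: "<ok/>" },
  "file:///C:/constructed/secret.txt": { body: "local file contents" },
};

// Policy for a page loaded from the Internet zone: it may only read Internet-zone data.
function deny(url) {
  if (zoneOf(url) !== INTERNET) {
    throw new Error("blocked: " + url + " is outside the caller's zone");
  }
}

// Follow redirects, calling checkHop(url, hopIndex) before each fetch.
function follow(url, checkHop, maxHops = 5) {
  for (let hop = 0; hop <= maxHops; hop++) {
    checkHop(url, hop);
    const res = RESPONSES[url];
    if (!res) throw new Error("no such resource: " + url);
    if (res.body !== undefined) return res.body;
    url = res.redirect; // the server, not the page, chooses the next URL
  }
  throw new Error("too many redirects");
}

// Flawed: the policy is evaluated only for the URL the page asked for.
function requestFlawed(url) {
  return follow(url, (u, hop) => { if (hop === 0) deny(u); });
}

// Corrected: the policy is evaluated again for every URL in the redirect chain.
function requestChecked(url) {
  return follow(url, (u) => deny(u));
}
```
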



