Sunday, July 22, 2007

Local File Enumeration via Browser - Res:// Protocol

Via RSnake's Blog -

Billy Rios has a nice writeup on how you can enumerate files using the Internet Explorer res:// protocol. To see the demo, click here using Internet Explorer. I’ve been toying with this for a while, and used it to detect if you were using IE7.0 by looking at the included images that the anti-phishing image uses. But this is a new take on the same old idea.

This could be used to fingerprint a drive, enumerate users on a Windows platform, or detect which exploits to perform against a target. I’ve said a few times that the res:// protocol should be deprecated in the web context (cannot be called from the web) and I think there may be some movement in that direction in the future, but it probably won’t happen for a while. I’d love to see a hotfix to get rid of this one though, it just doesn’t need to be called from the web. In fact the only place I have seen res:// called from the web is in virus kits that attempt to fool people into thinking the page doesn’t exist by copying the IE file not found page, which includes links to res:// images. Time to kill that feature.

---------------------------------

I tested it in both IE7 and Firefox 2.0.05 and it identified more programs when I used Firefox. Just look at the source of Billy's page if you are interested in how the detection works.
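For defenders, the quoted observation that res:// references on a web page are almost never legitimate makes them easy to flag in a proxy or content scanner. The sketch below is an added example, not code from this post, RSnake, or Billy Rios's demo; the DLL names, resource ids, and the `probe_threshold` cut-off are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Attributes whose value the browser fetches as a URL.
URL_ATTRS = {"src", "href", "background", "data", "lowsrc", "dynsrc"}
RES_URL = re.compile(r"res://[^\s\"'<>)]+", re.IGNORECASE)

class ResRefFinder(HTMLParser):
    """Collect res:// references from attributes and script/style bodies."""
    def __init__(self):
        super().__init__()
        self.refs = []        # (location, url) pairs
        self._raw = False     # True while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        self._raw = tag in ("script", "style")
        for name, value in attrs:
            value = (value or "").strip()
            if name in URL_ATTRS and value.lower().startswith("res://"):
                self.refs.append((f"<{tag} {name}>", value))
            elif name == "style" or name.startswith("on"):
                self.refs += [(f"<{tag} {name}>", u) for u in RES_URL.findall(value)]

    def handle_endtag(self, tag):
        self._raw = False

    def handle_data(self, data):
        if self._raw:  # ignore visible text that merely mentions res://
            self.refs += [("inline code", u) for u in RES_URL.findall(data)]

def scan(html, probe_threshold=3):
    """Return (verdict, refs); probe_threshold is an assumed cut-off."""
    finder = ResRefFinder()
    finder.feed(html)
    finder.close()
    distinct = {url.lower() for _, url in finder.refs}
    if not distinct:
        return "clean", finder.refs
    return ("probing" if len(distinct) >= probe_threshold else "suspicious"), finder.refs

# Constructed samples; the DLL names and resource ids are placeholders.
FAKE_404 = '<html><body><img src="res://example.dll/placeholder.gif">Not found</body></html>'
PROBE = """<script>
var t = ["res://one.example.dll/#2/#1", "res://two.example.dll/#2/#1",
         "res://three.example.dll/#2/#1"];
</script>"""

if __name__ == "__main__":
    for name, page in (("fake 404", FAKE_404), ("probe", PROBE)):
        print(name, scan(page))
```

A single reference matches the copied error-page pattern described in the quote, while several distinct targets in one page suggest enumeration; visible text that only mentions res:// is not counted.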

1 comment:

  1. Anonymous 4:51 AM

    To be fair, using IE from work (with a trusted site domain policy in place, even if it is a weak one :-) ) yielded no results.
