web application security lab

Res:// Protocol Local File Enumeration

Billy Rios has a nice writeup on how you can enumerate files using the Internet Explorer res:// protocol. To see the demo, click here using Internet Explorer. I’ve been toying with this for a while, and used it to detect whether you were running IE 7.0 by looking at the images that the anti-phishing feature includes. But this is a new take on the same old idea.

This could be used to fingerprint a drive, enumerate users on a Windows platform, or decide which exploits to run against a target. I’ve said a few times that the res:// protocol should be deprecated in the web context (that is, it should not be callable from the web), and I think there may be some movement in that direction in the future, but it probably won’t happen for a while. I’d love to see a hotfix to get rid of this one, though; it just doesn’t need to be callable from the web. In fact, the only place I have seen res:// called from the web is in virus kits that try to fool people into thinking the page doesn’t exist by copying the IE “file not found” page, which includes links to res:// images. Time to kill that feature.
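As an added defensive example (not code from the original post or from Billy Rios' demo): a small Python scanner a proxy or mail gateway could run over HTML and script bodies to flag res:// references, since the post notes that the only res:// use seen on the web is in kits cloning IE's not-found page, and full local paths in the module part point to file or patch-level probing. The sample inputs and the shdoclc.dll resource names are constructed for the example.

```python
import re
from dataclasses import dataclass

# res://<module>/<resource...>: the module is a DLL/EXE name or a full local
# path; everything after the first slash names a resource inside that module.
RES_URI = re.compile(r"""res://([^\s"'<>)]+)""", re.IGNORECASE)


@dataclass(frozen=True)
class ResFinding:
    uri: str
    module: str    # file the page is asking IE to open
    resource: str  # resource path inside that file, e.g. "#2/#143"


def find_res_uris(content: str) -> list[ResFinding]:
    """Return every res:// reference in an HTML/JS body, split into module and resource."""
    findings = []
    for m in RES_URI.finditer(content):
        body = m.group(1)
        module, _, resource = body.partition("/")
        findings.append(ResFinding(uri="res://" + body, module=module, resource=resource))
    return findings


def assess(content: str) -> dict:
    """Summarise res:// usage in remote content.

    Any res:// reference served from the web is worth a look; modules given as
    full local paths (drive letter or backslashes) indicate enumeration probes.
    """
    findings = find_res_uris(content)
    modules = sorted({f.module for f in findings})
    local_paths = [mod for mod in modules if ":" in mod or "\\" in mod]
    return {
        "verdict": "suspicious" if findings else "clean",
        "references": len(findings),
        "modules": modules,
        "local_paths": local_paths,
    }


# Constructed samples (not taken from the original page).
FAKE_NOT_FOUND = (
    '<html><body><img src="res://shdoclc.dll/pagerror.gif">'
    "<p>The page cannot be displayed</p>"
    '<a href="res://shdoclc.dll/dnserror.htm">Retry</a></body></html>'
)
LOCAL_PROBE = '<img src="res://C:\\WINNT\\explorer.exe/#2/#143" width="1" height="1">'
```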

18 Responses to “Res:// Protocol Local File Enumeration”

  1. ilia Says:

    Nice trick. It seems that Safari is being detected as IE7 though.

  2. Davide Denicolo Says:

    In my situation, using Firefox 2.0.0.5, local file enumeration works pretty well; with my IE 6 (v. 6.0.2800.1106), JavaScript isn’t able to do it. So this “problem” could be in both IE and Firefox ;)

  3. anathema Says:

    Also working on Firefox for me. It detected a few of the programs I have installed.

    Firefox 2.0.0.5

  4. anathema Says:

    OK my bad - I just have almost all of those programs installed lol,
    Firefox lists the whole lot. IE will lost the actual enumeration

  5. BK Says:

    @Rsnake - Agreed, the res:// protocol should be deprecated, as I’ve rarely seen it used by legitimate software (I saw a legitimate use once… but it’s definitely the exception).

    A recent vulnerability I reported to Microsoft involved the res:// protocol (MS07-035), but it was more severe and damaging than software enumeration… The problem with protocols like res:// (et al.) is that they offer a bridge from the “remote world” to the “local world”. They should be used with caution and with the full understanding that once the protocol is registered, the attack surface for the associated application has just increased exponentially… To make matters worse, most users don’t even realize that many applications have already registered URI handlers for their custom protocols. You can see which URI handlers are installed on your system by using the Dump URI Handlers (DUH) tool by Erik Cabetas. http://erik.cabetas.com/?p=stuff

    Link to MS07-035 - http://www.microsoft.com/technet/security/Bulletin/MS07-035.mspx

    BK

  6. beford Says:

    It seems like Safari for Windows allows inclusion of file:// URIs from http:, weak.

  7. Brandon Paddock Says:

    Works with Firefox 2 but not with IE 7 on my machine. This is probably true of all Vista machines where IE is running in Protected Mode.

  8. hackathology Says:

    Damn, it’s accurate. It found most of the software installed on my PC; however, there are no exact versions of it.

  9. Ronald van den Heetkamp Says:

    @Davide

    No

    MSIE6

  10. Ronald van den Heetkamp Says:

    MSIE6

  11. Ronald van den Heetkamp Says:

    is vulnerable though, in a different way. I have several articles and snippets written about them. Also a newly found one which can determine the creation and modification date of the installed app. ;)

  12. Ronald van den Heetkamp Says:

    Sorry, less-than and greater-than signs are seen as SPAM, weird stuff that WordPress… :S

  13. Mohclips Says:

    C:\\WINNT\\$NtUninstallKB820291$\\explorer.exe/#2/#143

    Check the clients patch levels

    ;)

    Moh.

  14. GK Says:

    Is there any legitimate way to verify that appropriate software has been loaded to a machine?

    I’d like to make it easy for folks to simply click on a page to see whether or not they have the right version of our testing software, flash, and java installed or give instructions and point them towards upgraded versions.

  15. Mohclips Says:

    Possibly image.fileSize will give you some sort of fingerprint capability to determine versioning, as long as you pick an image that has changed somehow visually. Yet to test - anyone tried this?

  16. Ronald van den Heetkamp Says:

    @GK

    Yes there is, some ActiveX, but also legit MSIE ClientCaps can determine installed software, but it is very limited.

    Here is a forum topic I just started about it:
    http://sla.ckers.org/forum/read.php?2,14075

  17. sumcolor Says:

    Use ‘autoruns’ from sysinternals#microsoft and deactivate ‘res’?

  18. ascii Says:

    I wrote a little howto to completely disable external protocol handlers and whitelist only a few protocols that are handled internally by Firefox:

    http://www.ush.it/2007/07/25/clientside-security-hardening-mozilla-firefox/

    Feel free to point me to missing preferences/settings to enhance FF security ;)