Res:// Protocol Local File Enumeration
Billy Rios has a nice writeup on how you can enumerate files using the Internet Explorer res:// protocol. To see the demo, click here using Internet Explorer. I’ve been toying with this for a while, and used it to detect if you were using IE7.0 by looking at the included images that the anti-phishing image uses. But this is a new take on the same old idea.
This could be used to fingerprint a drive, enumerate users on a Windows platform, or detect which exploits to perform against a target. I’ve said a few times that the res:// protocol should be deprecated in the web context (cannot be called from the web) and I think there may be some movement in that direction in the future, but it probably won’t happen for a while. I’d love to see a hotfix to get rid of this one though, it just doesn’t need to be called from the web. In fact the only place I have seen res:// called from the web is in virus kits that attempt to fool people into thinking the page doesn’t exist by copying the IE file not found page, which includes links to res:// images. Time to kill that feature.
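As an added example (not code from the post or from any commenter), here is the kind of check a defender could run over fetched HTML at a gateway or mail filter to flag pages that reference local-only schemes; it covers the res:// image references described above and, as a generalization, file:// as well. The sample page, its paths and the attribute list are constructed for the example.

```python
"""Flag HTML that points the browser at local-only URI schemes.

Constructed example: a remote page has no legitimate reason to reference
res:// or file:// resources, so any such reference in a fetched page is a
strong signal of either the res:// probing described in the post or a
phishing kit imitating the IE "page not found" page.
"""
from html.parser import HTMLParser
from typing import List, Tuple

# Schemes that should never appear in content fetched from the web.
LOCAL_SCHEMES = ("res:", "file:")

# Attributes whose value the browser fetches or navigates to (assumed set).
URL_ATTRS = {"src", "href", "data", "background", "action"}


class LocalSchemeScanner(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.hits: List[Tuple[str, str, str]] = []  # (tag, attribute, value)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None or name.lower() not in URL_ATTRS:
                continue
            # Browsers tolerate leading whitespace, embedded control characters
            # and mixed-case schemes, so normalise before comparing.
            norm = "".join(ch for ch in value if ch.isprintable()).strip().lower()
            if norm.startswith(LOCAL_SCHEMES):
                self.hits.append((tag, name, value))


def scan_html(html: str) -> List[Tuple[str, str, str]]:
    """Return every (tag, attribute, value) that references a local scheme."""
    scanner = LocalSchemeScanner()  # HTMLParser decodes &#...; entities for us
    scanner.feed(html)
    scanner.close()
    return scanner.hits


def is_suspicious(html: str) -> bool:
    return bool(scan_html(html))


# Constructed sample page: one benign image, two res:// probes (one obfuscated
# by case and whitespace) and an entity-encoded file:// iframe.
SAMPLE_HTML = """<html><body>
<img src="http://example.invalid/logo.png">
<img src="res://C:\\placeholder\\app.exe/#2/#1" width="1" height="1">
<img src=" RES://C:\\placeholder\\other.dll/#2/#143">
<iframe src="&#102;ile:///C:/placeholder.txt"></iframe>
</body></html>"""
```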



July 21st, 2007 at 9:32 am
nice trick. it seems that safari is being detected as ie7 though
July 21st, 2007 at 11:00 am
In my situation, using Firefox 2.0.0.5 local file enumeration works pretty well, whereas with my IE 6 v. 6.0.2800.1106 javascript isn’t able to do it. So this “problem” could affect both IE and Firefox
July 21st, 2007 at 1:25 pm
Also working on Firefox for me, it detected a few of the programs I have installed.
Firefox 2.0.0.5
July 21st, 2007 at 1:37 pm
OK my bad - I just have almost all of those programs installed lol,
Firefox lists the whole lot. IE will list the actual enumeration
July 21st, 2007 at 1:38 pm
@Rsnake - Agreed, the Res:// protocol should be deprecated as I’ve rarely seen it used by legitimate software (I saw a legitimate use once… but it’s definitely the exception).
A recent vulnerability I reported to Microsoft involved the res:// protocol (MS07-035), but it was more severe and damaging than software enumeration… The problem with protocols like res:// (et al.) is they offer a bridge from the “remote world” to the “local world”. They should be used with caution and with the full understanding that once the protocol is registered, the attack surface for the associated application has just increased exponentially… To make matters worse, most users don’t even realize that many applications have already registered URI handlers for their custom protocols. You can see which URI handlers are installed on your system by using the Dump URI Handlers (DUH) tool by Erik Cabetas. http://erik.cabetas.com/?p=stuff
Link to MS07-035 - http://www.microsoft.com/technet/security/Bulletin/MS07-035.mspx
BK
July 21st, 2007 at 3:17 pm
It seems like Safari for Windows allows inclusion of file:// URIs from http:, weak.
July 21st, 2007 at 8:28 pm
Works with Firefox 2 but not with IE 7 on my machine. This is probably true of all Vista machines where IE is running in Protected Mode.
July 21st, 2007 at 10:46 pm
Damn, it’s accurate. It found most of the software installed on my PC; however, there are no exact versions of it.
July 22nd, 2007 at 3:38 pm
@Davide
No
MSIE6
July 22nd, 2007 at 3:38 pm
MSIE6
July 22nd, 2007 at 3:38 pm
is vulnerable though in a different way, I have several articles and snippets written about them. Also a newly found one which can determine the creation and modification date of the installed app.
July 22nd, 2007 at 3:39 pm
sorry, less-than and greater-than signs are seen as SPAM, weird stuff that wordpress… :S
July 23rd, 2007 at 5:45 am
C:\\WINNT\\$NtUninstallKB820291$\\explorer.exe/#2/#143
Check the client’s patch levels
Moh.
July 23rd, 2007 at 6:25 am
Is there any legitimate way to verify that appropriate software has been loaded to a machine?
I’d like to make it easy for folks to simply click on a page to see whether or not they have the right version of our testing software, flash, and java installed or give instructions and point them towards upgraded versions.
July 23rd, 2007 at 10:00 am
possibly image.fileSize will give you some sort of fingerprint capability to determine versioning as long as you pick an image that has changed somehow visually. yet to test. - anyone tried this?
July 24th, 2007 at 3:36 am
@GK
Yes there is: some ActiveX, but also legit MSIE ClientCaps can determine installed software, though it is very limited.
Here is a forum topic I just started about it:
http://sla.ckers.org/forum/read.php?2,14075
July 24th, 2007 at 5:27 pm
Use ‘autoruns’ from sysinternals#microsoft and deactivate
‘res’ ?
July 25th, 2007 at 3:57 pm
I wrote a little howto to completely disable external protocol handlers and whitelist only a few protocols that are handled internally by Firefox:
http://www.ush.it/2007/07/25/clientside-security-hardening-mozilla-firefox/
Feel free to point me to missing preferences/settings to enhance FF security