Friday, July 20th, 2007
The resource (res://) protocol is built into Internet Explorer 4.0 and later. Typically, the resource protocol is used to pull resources such as images, HTML and XSL from DLLs and executables. You’ve probably seen the resource protocol in use and didn’t even realize it (take a look at the properties for the images on a typical IE error page). The resource URI (like other URIs) has access to software on YOUR local file system. So, it’s possible to call the resource URI from a remote web page, use the resource URI to check for the presence of certain executables and DLLs, then report back to a remote server whether each file exists or not. So in essence, an attacker can use the resource URI to:
- Enumerate the software on your machine
- In many cases, determine the exact version of software enumerated
- Use the enumerated software list to target specific exploits and attacks
The software doesn’t have to be “installed” for this to work… simply having the executable on your system can also allow for enumeration. I’ve posted a proof of concept HERE. The PoC should work for pretty much all versions of IE (including IE7). If you want more information about using the resource URI, check out our paper – URI Use and Abuse.
Now, before Firefox users start snickering, Firefox had a similar issue which was fixed recently. Their issue involved the “resource:” URI supported by Firefox browsers. Besides… Firefox has other URI handling vulnerabilities they should be worried about…
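On the detection side, the res:// enumeration described above leaves a recognizable trace: a page served over http/https whose markup references several distinct local modules through res://. The following is an added example, not code from this post or its PoC; the function names, the threshold of three modules and the sample markup are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Documented syntax: res://sFile[/sType]/sID. sFile is a module path
# whose separators are backslashes (often percent-encoded as %5C).
RES_URI = re.compile(r"""res://([^\s"'<>)]+)""", re.IGNORECASE)

def parse_res_uri(rest):
    """Split the text after 'res://' into (module, res_type, res_id)."""
    parts = [unquote(p) for p in rest.split("/")]
    module = parts[0].lower()  # Windows paths are case-insensitive
    if len(parts) >= 3:
        return module, parts[1], "/".join(parts[2:])
    return module, None, (parts[1] if len(parts) == 2 else None)

def probed_modules(html):
    """Distinct local modules referenced through res:// in the markup."""
    return sorted({parse_res_uri(m)[0] for m in RES_URI.findall(html)})

def flag_page(page_url, html, threshold=3):
    """Return the probed modules when a remote (http/https) page references
    at least `threshold` distinct local modules, otherwise an empty list."""
    if urlsplit(page_url).scheme.lower() not in ("http", "https"):
        return []  # locally served pages (IE's own error pages) use res:// legitimately
    modules = probed_modules(html)
    return modules if len(modules) >= threshold else []

# Constructed sample markup; the paths are placeholders, not real products.
SAMPLE = r'''
<img src="res://C:%5CProgram%20Files%5CExampleApp%5Cexample.exe/#2/101">
<img src="res://c:%5Cprogram%20files%5Cexampleapp%5Cexample.exe/#2/102">
<img src="res://C:%5CProgram%20Files%5COtherTool%5Cother.dll/logo.gif">
<img src="res://C:%5CWindows%5CSystem32%5Cthird.dll/#2/7">
'''

if __name__ == "__main__":
    for module in flag_page("http://remote.example/page.html", SAMPLE):
        print("probed:", module)
```

Run over proxy-captured response bodies, this flags the sample page with three distinct modules; the two differently cased references to the same executable count once.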