exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ie.css.txt

ie.css.txt
Posted May 20, 2002
Authored by Thor Larholm | Site jscript.dk

IE 6sp1 for Windows 2000 and 98 has bugs in the showModalDialog and showModelessDialog methods of displaying dialog boxes which can be used to execute arbitrary commands. Most unpatched IE and Outook installations are vulnerable. Online demonstration exploit MS02-023, but IE 5.5 and 5.0 are still vulnerable.

tags | exploit, arbitrary
systems | windows
SHA-256 | adc13976e792486d71a781d3724cb4456937c63b31fb36bdbe418a967f248f48

ie.css.txt

Change Mirror Download

Thor Larholm security advisory TL#002

Topic: IE allows universal Cross Site Scripting.

Discovery date: 18 March 2002.

Affected applications:

Any application that hosts the WebBrowser control (IE6+). Some of these
are:
* Microsoft Internet Explorer
* Microsoft Outlook
* Microsoft Outlook Express

Severity: High

Impact:
Elevating privileges, hijacking the MSN Messenger client, running script
in the My Computer zone, arbitrary command execution, etc.

Introduction:
Among its extensive functionality, IE employs a set of useful methods to
display dialog windows. These, the showModalDialog and
showModelessDialog methods, can transfer objects from the originating
page to the page being displayed inside the dialog, by use of the
dialogArguments property.

Discussion:
The dialogArguments property tries to prevent interaction between remote
pages by comparing the location of the originating page and the dialog
page.
When opening a dialog window (e.g. res://shdoclc.dll/policyerror.htm)
from another protocol, port or domain (e.g. http://jscript.dk), the
validation code in IE will ensure that no objects are transferred, and
no interaction is as such possible.
When both pages are on the same protocol, port and domain, the
validation code will allow interaction.
Unfortunately, the validation code only checks the original URL instead
of the final URL, and it is as such possible to bounce a HTTP redirect
from the originating site to the desired dialog page that will allow
interaction.

It is worth noting that this is not in any way limited to the RES://
protocol. The flawed dialogArguments property also allows interaction
between different domains (e.g. YAHOO.COM to MICROSOFT.COM), different
protocols (HTTP to HTTPS, HTTP to FILE, etc.) and different ports (port
80 to port 21, port 80 to port 25, etc.)

For the sake of demonstration, we take a look at shdoclc.dll which
contains several resource in the HTML category, labeled POLICYERROR.HTM,
POLICYLOOKING.HTM, POLICYNONE.HTM and POLICYSYNTAXERROR.HTM. These files
contain the following script code:
var site = window.parent.dialogArguments.url;

function printSite()
{
document.write( site);
}

Exploit:
<script>
var sCode = '<'+'script>alert("This is running from: " + location.href);top.close
()</'+'script>';
window.showModalDialog("redirect.asp", {url:sCode})
</script>

Redirect.asp contains:
<%@Language=Jscript%><%
Response.Redirect("res://shdoclc.dll/policyerror.htm");
%>

Solution: (for MS)
Fix the faulty validation routine in dialogArguments.
Include input validation in resource files.
Also, fixing the incomplete MS02-015 patch will ensure that this
specific command execution vulnerability will not reoccur when the next
CSS issue is uncovered.

Solution: (for users)
Disable scripting.

Tested on:
IE6sp1 Win2000 SP2, with all patches.
IE6sp1 Windows 98, with all patches.
IE6sp1 Windows 98 SE, with all patches.

Demonstration:
I have put together some proof-of-concept examples:
* Simple static examples - Demonstratory fixed code
* Advanced example - Input arbitrary script code
* Hijacking MSN Messenger - An updated version of a previous bulletin
* Executing arbitrary commands - How CodeBase was not fixed

Vendor status:
Microsoft was notified 18 March 2002 and were able to reproduce the
issue consistently.
They are currently (16 April 2002) investigating whether to address this
in an upcoming cumulative patch.

Feedback:

Please mail any questions or comments to

contact (at) jscript (dot) dk

Links:

CAN-2002-0189:
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0189
Cross Site Scripting:
- http://www.cert.org/advisories/CA-2000-02.html
Incomplete MS02-015 patch: (faulty as of April 13)
- http://www.microsoft.com/technet/security/bulletin/MS02-015.asp
MSN Messenger Hijacking:
- http://tom.me.uk/msn/
Unpatched IE vulnerabilities:
- http://jscript.dk/unpatched/
GM#001-AX Appendix to "IE allows universal Cross Site Scripting".
- http://sec.greymagic.com/adv/gm001-ax/

References:

dialogArguments property:
-
http://msdn.microsoft.com/workshop/author/dhtml/reference/properties/dia
logarguments.asp
showModalDialog method:
-
http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/showmo
daldialog.asp
showModelessDialog method:
-
http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/showmo
delessdialog.asp
Insecure shdoclc.dll resource files:
- POLICYERROR.HTM, POLICYLOOKING.HTM, POLICYNONE.HTM &
POLICYSYNTAXERROR.HTM

Revisions.

16 April: Released.
16 April: Added link to GM#001-AX Appendix to "IE allows universal Cross
Site Scripting", detailing how IE5+ is also exploitable to a variation
of this vulnerability.
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close