exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

gm010-ie

gm010-ie
Posted Sep 11, 2002
Site sec.greymagic.com

GreyMagic Security Advisory GM#010-IE - Microsoft Internet Explorer 5.5 and above are vulnerable to an attacker who can execute scripts on any page that contains frame or iframe elements, ignoring any protocol or domain restriction set forth by Internet Explorer. This means that an attacker can steal cookies from almost any site, access and change content in sites and in most cases also read local files and execute arbitrary programs on the client's machine. Note that any other application that uses Internet Explorer's engine is also affected.

tags | arbitrary, local, protocol
SHA-256 | 536c623ed699440d80879e2d1a445648296439d9070e173e9d6be71b37dbd554

gm010-ie

Change Mirror Download
[Image][Image]
News::Advisories::About/Services::Contact

GreyMagic Security Advisory GM#010-IE

By GreyMagic Software, Israel.
09 Sep 20002.

Topic: Who framed Internet Explorer.

Discovery date: 04 Aug 2002.

Affected applications:

Microsoft Internet Explorer 5.5 and above; prior versions are not
vulnerable.

Note that any other application that uses Internet Explorer's engine
(WebBrowser control) is affected as well (Outlook, MSN Explorer, etc.).

Introduction:

The <frame> and especially <iframe> (inline frame) elements are popular
elements on many big web sites. <frame> elements have always been used and
<iframe> elements recently became popular in ads and relative content, since
they don't suffer from the same clumsiness regular <frame> elements suffer
from.

Most big sites will contain a <frame> or an <iframe> element somewhere
inside them. Good examples are hotmail.com, google.com and microsoft.com.

Frames may contain URLs in other domains or protocols, and therefore have
strict security rules, which prevent frames in one domain to access content
and information in another. Microsoft explains the issue in this Cross-Frame
Scripting article.

Discussion:

We discovered that it is possible for an attacker to execute script on any
page that contains <frame> or <iframe> elements, ignoring any protocol or
domain restriction set forth by Internet Explorer. This means that an
attacker can steal cookies from almost any site, access and change content
in sites and in most cases also read local files and execute arbitrary
programs on the client's machine (script in the "My Computer" zone).

After a web site gets loaded, it is still possible for an external domain to
access its frames collection. That in itself is not helping the attacker,
since the document object of these frames cannot be accessed directly.

However, it is possible to set the frame's URL. Setting the child frame's
URL to "javascript:[code]" will execute the script in the context of the
currently loaded URL.

This vulnerability will not work, however, if the child frame is in a
different domain than the victim's, like most ads are. But even that doesn't
stop this vulnerability from being exploited, an attacker can simply change
the frame's URL to match its parent and then re-assign the
"javascript:[code]" URL.

In order to use this vulnerability to access the "My Computer" zone an
attacker would have to find a local file or resource that contains a <frame>
or an <iframe>. Fortunately for the attacker, Microsoft provided such a
resource in Internet Explorer 6, and to make it even better, Microsoft also
ironically named it "PrivacyPolicy.dlg". All an attacker needs to do in
order to read local files and execute arbitrary programs is to load
"res://shdoclc.dll/privacypolicy.dlg" and then change the URL of the frame
it contains to the "javascript:[code]" URL.

Luckily for Internet Explorer 5.5 users, "PrivacyPolicy.dlg" was only
supplied in version 6 of the browser. However, Windows ships with several
HTML files, in relatively static locations, that may contain frames. An
attacker can run a simple scan on such known local files and when such a
file is found the attacker can use it like "PrivacyPolicy.dlg" is used
above.

Exploit:

This exploit shows how it is possible to read a user's cookie in google.com,
it uses a new window to load the victim site, the child frame is Google's
messages tree frame.

<script language="jscript">
onload=function () {
var
oVictim=open("http://groups.google.com/groups?threadm=anews.Aunc.850","OurVictim","width=100,height=100");
setTimeout(
function () {
oVictim.frames[0].location.href="javascript:alert(document.cookie)";
},
7000
);
}
</script>

Solution:

Disable Active Scripting.

Tested on:

IE5.5 Win98.
IE5.5 NT4.
IE6 Win2000.
IE6 WinXP.

Demonstration:

We put together four proof-of-concept demonstrations:

* Simple
The example shown in the "Exploit" section.
* "Who framed" Console
Automatically test any site for frames and execute commands on it.
* Privacy, anyone? #1
Read local files using the privacypolicy resource or, if you own a
prior version of IE, scan your disk for "standard" local files that
contain frames in order to "bounce" to any local file from them.
* Privacy, anyone? #2
Execute arbitrary programs using the privacypolicy resource or, if you
own a prior version of IE, scan your disk for "standard" local files
that contain frames in order to "bounce" to program execution from
them.

Feedback:

Please mail any questions or comments to security@greymagic.com.

Copyright © 2002 GreyMagic Software.
Powered by IDNS.
Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close