crossZone.txt

Posted Jul 20, 2004
Authored by Paul From Greyhats | Site greyhats.cjb.net

IEXPLORE.EXE file version 6.0.2800.1106 and MSHTML.DLL file version 6.00.2800.1400 are both susceptible to cross site/zone scripting flaws.

tags | advisory
SHA-256 | adf292c1753dbb9a45642cd37fcc3a60abe2952a1004a4a51d48cb8e38659b95

Note: This vulnerability and many more can be found at http://www.greyhats.cjb.net

SimilarMethodNameRedir
Automatic Remote Compromise

[Tested]
IEXPLORE.EXE file version 6.0.2800.1106
MSHTML.DLL file version 6.00.2800.1400
Microsoft Windows XP sp2

[Discussion]
At first I thought this vulnerability had something to do with method caching. It doesn't. It has to do with the security check that Internet Explorer has in place. Apparently, if a function is redirected to a function with the same name, it can be called without security restrictions. If you want to see what I mean, try this:

<script>
// Grab the assign() method of the current window's location object
var var1=location.assign;
alert("Assign function of the current window:\n"+var1);
// Open a second window and grab the same method from its location object
var w=window.open("about:blank","_blank");
var var2=w.location.assign;
// Show the second function (must not overwrite w, or w.close() below fails)
alert("Assign function of the new window:\n"+var2);
w.close();
</script>


You should get two alerts describing the assign() function as being

function assign(){
[Native code]
}

Notice both functions appear to be the same. My guess is that Internet Explorer checks the two function names and (maybe) the function code. If it matches, Internet Explorer marks the function as safe. It doesn't, however, take into account cross-window function calls. That's why SimilarMethodNameRedir works.

How bad is this problem? Critical. With minimal effort, a malicious website owner could install viruses or spyware on the visitor's computer. Because theoretically this should work with every function, the only way that I can think of to fix the problem is to rewrite the whole function security check that Internet Explorer has in place. The best way to prevent this vulnerability is to either disable active scripting or switch to a different browser ;).

The example goes to google.com and executes JavaScript that displays a message box with the location.href and document.cookie attributes of the window object.

[Example]
http://freehost07.websamba.com/greyhats/similarmethodnameredir.htm