Date: Thu, 21 Jan 1999 15:59:15 +0100
From: Juan Carlos Garcia Cuartango
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: New IE4 privacy issue

Greetings,

There is a new IE 4 issue affecting privacy. The clipboard content can be made public by JavaScript code two lines long. I reported the problem to Microsoft on Jan 7 and they have posted the corresponding security bulletin and a fix today, 21 January.

Although the vulnerability can be exploited from the IE 4 navigator, it is not an IE 4 bug. The problem is located in some ActiveX controls called "MS Forms 2.0" that are shipped and installed with the following applications:

Microsoft Office 97
Microsoft Outlook 98
Microsoft Project 98
Microsoft Visual Basic 5.0
Other non-MS applications based on VB or VBA

More info and a demo are available at:
http://pages.whowhere.com/computers/cuartangojc

The Microsoft security bulletin is:
http://www.microsoft.com/security/bulletins/ms99-001.asp

Regards,
Juan Carlos

----------[ http://pages.whowhere.com/computers/cuartangojc/ ]----------

The Clipboard vulnerability

Internet Explorer 4

Only if you also have installed one of the following applications:
Microsoft Office 97
Microsoft Outlook 98
Microsoft Project 98
Microsoft Visual Basic 5.0

Reported to MS Jan 7 1999
Confirmed and fixed Jan 21 1999.
http://www.microsoft.com/security/bulletins/ms99-001.asp
MS Security Bulletin ms99-001

The Clipboard Vulnerability Demo

According to Microsoft security rules, access to Windows clipboard content is forbidden to Internet Explorer scripts unless the clipboard content was owned by the Explorer itself. If a script performs a "paste" operation over an input text box, the operation will succeed only if the data were copied to the clipboard from Internet Explorer.

There is a way to circumvent this protection by using a Microsoft Forms 2.0 TextBox ActiveX object. This TextBox object can perform a "paste" operation without security restrictions. The clipboard data can then be transferred to a form input box and posted to a malicious Web site. The vulnerability can also be exploited from an e-mail message.

This control does not ship with Windows or with Internet Explorer, but rather people get it by installing Office 97, Visual Basic 5.0, or a couple of other applications, although the exposure for most users would be through Internet Explorer.

The box below is an Input Text Area Box; your clipboard text data must be here. If not, do a copy (from any application) and reload this page. If this box shows your clipboard content, then you are affected.

The box below (blue) is a Microsoft Forms 2.0 TextBox ActiveX object; it will also show the clipboard content.

The script making the clipboard public is very simple:

function GetClipBoard()
{
tb.paste();                          // paste over the MS Forms 2.0 TextBox
document.forms(0).S1.value=tb.text;  // moves the text to the text area box
}


Created by Juan Carlos Garcia Cuartango

-----------------------------------------------------------------------------------
Date: Mon, 25 Jan 1999 06:45:37 +0100
From: Drazen Kacar
To: BUGTRAQ@netspace.org
Subject: Re: IE4 Persistent Connection Bug

Joel Moses wrote:

> The document below details a connection-reuse problem which uses
> persistent connections even when they have either 1) been specifically
> disabled, or 2) have been told to close by a server "Connection:
> close".

[...]

> ------------------------------------------------------------------
> $ nc -p 9000 -l
> GET http://www.somesite.com/ HTTP/1.0
> Accept: image/gif, image/x-bitmap, image/jpeg, image/pjpeg,
> application/vnd.ms-excel, application/msword,
> application/vnd.ms-powerpoint, */*
> Accept-Language: en-us
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 4.01, Windows 95)
> Host: www.somesite.com
> Proxy-Connection: Keep-Alive
>
> "HTTP/1.1 200 OK"
> "Connection: close"
> "Content-Length: 5"
>
> "abcde"
> ------------------------------------------------------------------
>
> The browser will display "abcde," and the IE logo will stop
> circulating. However, the connection will not -- as requested by the
> server -- close. If you issue another page request in the browser for

You mean "as requested by the origin server." Connection header is hop-by-hop, which means that it has a meaning for a connection between origin server and proxy server only. Proxy server doesn't have to propagate it to the user agent. And there is a Proxy-Connection header in the request. I don't know where that one is defined (it isn't in RFC 1945, nor in RFC 2068, nor in the latest HTTP/1.1 draft), but I would assume it has to do something with open connections between user agent and proxy server.

> a different site, the request will come through on this
> previously-opened connection, e.g.,:
>
> ------------------------------------------------------------------
> GET http://www.othersite.com/ HTTP/1.0
> Accept: image/gif, image/x-bitmap, image/jpeg, image/pjpeg,
> application/vnd.ms-excel, application/msword,
> application/vnd.ms-powerpoint, */*
> Accept-Language: en-us
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 4.01, Windows 95)
> Host: www.othersite.com
> Proxy-Connection: Keep-Alive
> ------------------------------------------------------------------
>
> This clearly violates HTTP/1.0 behavior, with which the browser
> reports to the server that it complies.

It doesn't. Your netcat "proxy" violates it. Here's a quote from RFC 1945:

   Except for experimental applications, current practice requires that
   the connection be established by the client prior to each request and
   closed by the server after sending the response.

> Netscape 4.x behaves correctly and closes the connection itself when
> faced with the same situation.

See above. The server is responsible for closing the connection. Server here means either origin server or proxy server, whichever happens to be connected to user agent.

--
 .-.   .-.    Life is a sexually transmitted disease.
(_  \ /  _)
     |        dave@srce.hr
     |        dave@fly.cc.fer.hr
-----------------------------------------------------------------------------------
Date: Mon, 25 Jan 1999 15:14:15 -0000
From: Eamonn Turley
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: New IE4 privacy issue

Not just Javascript code. VB Script, as well. Anything that can use ActiveX controls can do it. This is all of Office, Internet Explorer, Visual Studio (VB, C++ etc), Netscape Navigator (I believe) and I believe AutoCAD uses VB-Script, so may be able to do this.
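Drazen Kacar's point in the persistent-connection thread above (Connection is hop-by-hop, a proxy does not propagate it, and under HTTP/1.0 the server on each hop closes after responding) worked through as an added example; this is not code from any of the posters. The hop-by-hop set follows RFC 2616 13.5.1, and treating the undocumented Proxy-Connection header the same way is an assumption.

```python
# Hop-by-hop handling of the Connection header (added illustration, not from
# the thread). Set per RFC 2616 13.5.1; Proxy-Connection is an assumption.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate",
              "proxy-authorization", "te", "trailers", "transfer-encoding",
              "upgrade", "proxy-connection"}  # last one: assumed hop-by-hop


def parse_message(raw):
    """Split an HTTP message head into (start_line, [(name, value), ...]).
    Header names are lower-cased; folded continuation lines are joined."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:  # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0].strip(), headers


def connection_tokens(headers):
    """Lower-cased tokens of every Connection header ('close', 'keep-alive', ...)."""
    return {t.strip().lower() for n, v in headers if n == "connection"
            for t in v.split(",") if t.strip()}


def server_must_close(start_line, headers):
    """True if the server on this hop must close after responding: HTTP/1.0
    closes by default (RFC 1945), HTTP/1.1 only on 'Connection: close'."""
    version = next((t for t in start_line.split() if t.startswith("HTTP/")), "HTTP/1.0")
    tokens = connection_tokens(headers)
    if version == "HTTP/1.0":
        return "keep-alive" not in tokens
    return "close" in tokens


def strip_hop_by_hop(headers):
    """Headers a proxy forwards to the next hop: the fixed hop-by-hop set and
    any header named in Connection (RFC 2616 14.10) are dropped, not relayed."""
    named = connection_tokens(headers)
    return [(n, v) for n, v in headers if n not in HOP_BY_HOP and n not in named]


# Constructed from the quoted exchange: IE 4's request to the netcat "proxy"
# (with a folded Accept header) and the hand-typed origin-style response.
REQUEST = ("GET http://www.somesite.com/ HTTP/1.0\r\n"
           "Accept: image/gif, image/x-bitmap,\r\n application/msword, */*\r\n"
           "Host: www.somesite.com\r\nProxy-Connection: Keep-Alive\r\n\r\n")
RESPONSE = "HTTP/1.1 200 OK\r\nConnection: close\r\nContent-Length: 5\r\n\r\nabcde"
```

Run against the constructed messages, `server_must_close` is true on both hops (the HTTP/1.0 request by default, the HTTP/1.1 response because of `Connection: close`), and `strip_hop_by_hop` shows that neither `Proxy-Connection` nor `Connection` survives a forwarding proxy.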