Findeath: break caller-based authorization.

("that's all" is end of file if you are in a hurry)



[tested]

Browser Ver

{ 

MS Internet Explorer: 6.0.2600.0000.xpclnt_qfe.021108-2107;

Encryption: 128-bit;

Patch:; Q810847; 

}

(So, it's far from fully patched.) 

OS Ver: "Windows XP Cn ver"



[demo]

(press CTRL+F and search for something.) 

http://www.safecenter.net/liudieyu/Findeath/Findeath-MyPage.HTM

or

http://umbrella.mx.tc 

---> Findeath section

---> Findeath-MyPage file



[exp]

window.open checks the root-caller's security id.

("root-caller" is some script which is not invoked by

another function.) 



my function can be called by the FIND

dialog(RES-protocol page in MYCOMPUTER zone):

hijack this function:

"window.document.selection.createRange"

and ask the user to search for something.

at last, FIND dialog calls

"window.document.selection.createRange".



[how]

while using the CTRL+F dialog, i suddenly remembered

einstein. 

he stated: if time can change others, time can also be

changed be others. 

of course, i know the FIND dialog are calling some

methods in the main window obj, 

so window obj can also play some tricks. (yeah.

einstein is not always a loser. :-) )



and then thanks to "GreyMagic" for "GreyMagic Security

Advisory GM#002-OP"

he/they used function hijack. oh, just a reminder.



[greetings]

the Pull, dror, guninski, greymagic, sandblad and

"Friedrich L.Bauer".

of course, mom and dad.



best wishes



-----

from http://Umbrella.MX.TC on http://SafeCenter.NET