BodyRefreshLoadsJPU: refresh is a new navigation method

[tested]
Browser Ver: MS Internet Explorer 6.0.2600.0000.xpclnt_qfe.021108-2107; Encryption: 128-bit; Patch: Q810847
(So, it's far from fully patched. It also works after applying the patch for the method caching attack.)
OS Ver: "Windows XP Cn ver"

[demo]
http://www.safecenter.net/liudieyu/BodyRefreshLoadsJPU/BodyRefreshLoadsJPU-MyPage.HTM
or http://umbrella.mx.tc ---> BodyRefreshLoadsJPU section ---> BodyRefreshLoadsJPU-MyPage file

[exp]
[VictimWindow] is in another security zone. Execute:
  [VictimWindow].location.href="javascript:[JpuScript]"
Then [VictimWindow] will be navigated to a RES-protocol page.
At last, press the "REFRESH" button: "Refresh" tries to reload "javascript:[JpuScript]", and the script is executed.

Question: how to press the "REFRESH" button with JScript?
Answer in this attack: SaveRef (or "object-caching attack") "document.body", then:
  bodyRef.document.execCommand("Refresh")

[how]
Special thanks to:
"Andreas Sandblad" for "Using the backbutton in IE is dangerous" (then I tried to search for other navigation methods);
"GreyMagic" for "GreyMagic Security Advisory GM#012-IE" (it showed "[DocElement].document" is something interesting :-) );
and myself :-)
Read those documents, and look for buttons in MSIE.

[greetings]
the Pull, dror, guninski, sandblad, greymagic and "Friedrich L.Bauer". Of course, mom and dad.

best wishes
-----
from http://Umbrella.MX.TC on http://SafeCenter.NET