10th Sep 2002 [SBWID-5679]
COMMAND
IE script exploit via frames
SYSTEMS AFFECTED
Microsoft Internet Explorer 5.5 and above; prior versions are not
vulnerable.
Tested on : IE5.5 Win98.
IE5.5 NT4.
IE6 Win2000.
IE6 WinXP.
PROBLEM
In GreyMagic Security advisory [GM#010-IE] by GreyMagic Software,
Israel :
http://security.greymagic.com/adv/gm010-ie/.
Update (11 september 2002)
======
Information below have been updated by GreyMagic to prove IE6SP1 does
not patch the problem yet.
--snipp--
We discovered that it is possible for an attacker to execute script on
any page that contains <frame> or <iframe> elements, ignoring any
protocol or domain restriction set forth by Internet Explorer. This
means that an attacker can steal cookies from almost any site, access
and change content in sites and in most cases also read local files and
execute arbitrary programs on the client's machine (script in the "My
Computer" zone).
After a web site gets loaded, it is still possible for an external
domain to access its frames collection. That in itself is not helping
the attacker, since the document object of these frames cannot be
accessed directly.
However, it is possible to set the frame's URL. Setting the child
frame's URL to "javascript:[code]" will execute the script in the
context of the currently loaded URL.
This vulnerability will not work, however, if the child frame is in a
different domain than the victim's, like most ads are. But even that
doesn't stop this vulnerability from being exploited, an attacker can
simply change the frame's URL to match its parent and then re-assign
the "javascript:[code]" URL.
In order to use this vulnerability to access the "My Computer" zone an
attacker would have to find a local file or resource that contains a
<frame> or an <iframe>. Fortunately for the attacker, Microsoft
provided such a resource in Internet Explorer 6, and to make it even
better, Microsoft also ironically named it "PrivacyPolicy.dlg". All an
attacker needs to do in order to read local files and execute arbitrary
programs is to load "res://shdoclc.dll/privacypolicy.dlg" and then
change the URL of the frame it contains to the "javascript:[code]" URL.
Luckily for Internet Explorer 5.5 users, "PrivacyPolicy.dlg" was only
supplied in version 6 of the browser. However, Windows ships with
several HTML files, in relatively static locations, that may contain
frames. An attacker can run a simple scan on such known local files and
when such a file is found the attacker can use it like
"PrivacyPolicy.dlg" is used above.
Exploit:
========
This exploit shows how it is possible to read a user's cookie in
google.com, it uses a new window to load the victim site, the child
frame is Google's messages tree frame.
<script language="jscript">
onload=function () {
var oVictim=open("http://groups.google.com/groups?threadm=anews.Aunc.850","OurVictim","width=100,height=100");
setTimeout(
function () {
oVictim.frames[0].location.href="javascript:alert(document.cookie)";
},
7000
);
}
</script>
Demonstration:
==============
We put together four proof-of-concept demonstrations:
* Simple: The example shown in the "Exploit" section.
* "Who framed" Console: Automatically test any site for frames and
execute commands on it.
* Privacy, anyone? #1: Read local files using the privacypolicy
resource or, if you own a prior version of IE, scan your disk for
"standard" local files that contain frames in order to "bounce" to any
local file from them.
* Privacy, anyone? #2: Execute arbitrary programs using the
privacypolicy resource or, if you own a prior version of IE, scan your
disk for "standard" local files that contain frames in order to
"bounce" to program execution from them.
They can all be found at :
http://sec.greymagic.com/adv/gm010-ie/
SOLUTION
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
