[NT] IE Allows Universal Cross Site Scripting
From: support@securiteam.com  Date: 04/17/02
From: support@securiteam.com To: list@securiteam.com Date: Wed, 17 Apr 2002 13:29:52 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
IE Allows Universal Cross Site Scripting
------------------------------------------------------------------------
SUMMARY
Among its extensive functionality, IE provides a set of methods for
displaying dialog windows. Two of these, showModalDialog and
showModelessDialog, can pass objects from the originating page to the page
displayed inside the dialog through the dialogArguments property. A
vulnerability was discovered in the way IE validates interaction between
remote pages; it would allow anything from elevation of privileges to
hijacking the MSN Messenger client.
DETAILS
Affected applications:
Any application that hosts the WebBrowser control (IE6+). Some of these
are:
* Microsoft Internet Explorer
* Microsoft Outlook
* Microsoft Outlook Express
Known vulnerable applications:
* Internet Explorer 6 SP1
Details:
The dialogArguments property tries to prevent interaction between remote
pages by comparing the location of the originating page with that of the
dialog page.
When a dialog window (e.g. res://shdoclc.dll/policyerror.htm) is opened
from another protocol, port or domain (e.g. http://jscript.dk), the
validation code in IE ensures that no objects are transferred, so no
interaction is possible.
When both pages share the same protocol, port and domain, the validation
code allows interaction.
Unfortunately, the validation code checks only the original URL rather than
the final URL, so it is possible to bounce an HTTP redirect from the
originating site to the desired dialog page, after which interaction is
allowed.
It is worth noting that this is in no way limited to the RES:// protocol.
The flawed dialogArguments check also allows interaction between different
domains (e.g. YAHOO.COM to MICROSOFT.COM), different protocols (HTTP to
HTTPS, HTTP to FILE, etc.), and different ports (port 80 to port 21, port
80 to port 25, etc.).
For the sake of demonstration, we look at shdoclc.dll that contains
several resources in the HTML category, labeled POLICYERROR.HTM,
POLICYLOOKING.HTM, POLICYNONE.HTM, and POLICYSYNTAXERROR.HTM. These files
contain the following script code:
// url is taken from the opener's dialogArguments without any validation
var site = window.parent.dialogArguments.url;
function printSite()
{
// written straight into the page as HTML, so script in url executes here
document.write(site);
}
Exploit:
<scr!pt>
var sCode = '<'+'script>alert("This is running from: " + location.href);top.close()</'+'script>';
window.showModalDialog("redirect.asp", {url:sCode})
</script>
(NOTE: The letter I was replaced with !)
Redirect.asp contains:
<%@Language=Jscript%><%
Response.Redirect("res://shdoclc.dll/policyerror.htm");
%>
Solution (For Microsoft):
Fix the faulty validation routine in dialogArguments. Include input
validation in the resource files. Also, fixing the incomplete
<http://www.microsoft.com/technet/security/bulletin/MS02-015.asp> MS02-015
patch will ensure that this specific command execution vulnerability does
not reoccur when the next CSS (cross-site scripting) issue is uncovered.
Solution (For users):
Disable scripting.
Demonstration:
We have put together some proof-of-concept examples:
* <http://jscript.dk/adv/TL002/simple.html> Simple static examples -
demonstrative fixed code.
* <http://jscript.dk/adv/TL002/advanced.html> Advanced example - input
arbitrary script code.
* <http://jscript.dk/adv/TL002/msn.html> Hijacking MSN Messenger - an
updated version of a previous bulletin.
* <http://jscript.dk/adv/TL002/codebase.html> Executing arbitrary commands
- how CodeBase was not fixed.
Vendor status:
Microsoft was notified on 18 March 2002 and was able to reproduce the issue
consistently. They are currently (16 April 2002) investigating whether to
address this in an upcoming cumulative patch.
ADDITIONAL INFORMATION
The information has been provided by <mailto:Thor@jubii.dk> Thor Larholm.