[NT] Who Framed Internet Explorer

From: support@securiteam.com
Date: 09/12/02


From: support@securiteam.com
To: list@securiteam.com
Date: Thu, 12 Sep 2002 10:14:50 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Who Framed Internet Explorer
------------------------------------------------------------------------

SUMMARY

The <frame> and especially <iframe> (inline frame) elements are popular
elements on many big web sites. <frame> elements have been in use for a long
time, and <iframe> elements recently became popular for ads and related
content, since they don't suffer from the same clumsiness regular <frame>
elements suffer from.

Most big sites will contain a <frame> or an <iframe> element somewhere
inside them. Good examples are hotmail.com, google.com, and microsoft.com.

Frames may contain URLs in other domains or protocols, and are therefore
subject to strict security rules, which prevent frames in one domain from
accessing content and information in another. Microsoft explains the issue
in its Cross-Frame Scripting article.

DETAILS

Affected applications:
 * Microsoft Internet Explorer 5.5 and above; prior versions are not
vulnerable.

Note that any other application that uses Internet Explorer's engine
(WebBrowser control) is affected as well (Outlook, MSN Explorer, etc.).

Discussion:
GreyMagic discovered that it is possible for an attacker to execute script
on any page that contains <frame> or <iframe> elements, ignoring any
protocol or domain restriction set forth by Internet Explorer. This means
that an attacker can steal cookies from almost any site, access and change
content in sites and, in most cases, read local files and execute arbitrary
programs on the client's machine (script in the "My Computer" zone).

After a web site gets loaded, it is still possible for an external domain
to access its frames collection. That in itself does not help the
attacker, since the document object of these frames cannot be accessed
directly.

However, it is possible to set the frame's URL. Setting the child frame's
URL to "javascript:[code]" will execute the script in the context of the
currently loaded URL.

This vulnerability will not work, however, if the child frame is in a
different domain than the victim's, as most ads are. But even that does
not stop this vulnerability from being exploited: an attacker can simply
change the frame's URL to match its parent's and then re-assign the
"javascript:[code]" URL.

In order to use this vulnerability to access the "My Computer" zone an
attacker would have to find a local file or resource that contains a
<frame> or an <iframe>. Fortunately for the attacker, Microsoft provided
such a resource in Internet Explorer 6, and to make it even better,
Microsoft ironically named it "PrivacyPolicy.dlg". All an attacker needs
to do in order to read local files and execute arbitrary programs is to
load "res://shdoclc.dll/privacypolicy.dlg" and then change the URL of the
frame it contains to the "javascript:[code]" URL.

Luckily for Internet Explorer 5.5 users, "PrivacyPolicy.dlg" was only
supplied in version 6 of the browser. However, Windows ships with several
HTML files, in relatively static locations, that may contain frames. An
attacker can run a simple scan on such known local files, and when such a
file is found it can be used in the same way "PrivacyPolicy.dlg" is used
above.

Exploit:
This exploit shows how it is possible to read a user's cookie on
google.com. It uses a new window to load the victim site; the child frame
is Google's message tree frame.
<script language="jscript">
onload=function () {
    // Load the victim site in a new window; its frames collection stays
    // reachable from here even though the windows are in different domains.
    var oVictim=open("http://groups.google.com/groups?threadm=anews.Aunc.850","OurVictim","width=100,height=100");
    setTimeout(
        function () {
            // Once the victim has loaded, assigning a javascript: URL to its
            // first frame runs the script in the context of that frame's document.
            oVictim.frames[0].location.href="javascript:alert(document.cookie)";
        },
        7000
    );
}
</script>

Solution:
Set "Active Scripting" or "Navigate sub-frames across different domains"
to "Prompt" or "Disable".
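The following is an added illustration and is not part of the GreyMagic advisory or of Internet Explorer's code. It models, in plain JavaScript, the decision a browser has to make when script in one window assigns location.href on a frame belonging to another document, and it replays the two-step "bounce" described in the Discussion section against that model. The origins attacker.example and ads.example, the settings object and its values ("enable", "prompt", "disable", mirroring the two Internet Explorer options named in the Solution section) are all constructed for this example; the only URL taken from the advisory is the Google Groups one.

```javascript
// Added example (not from the advisory): a model of the frame-navigation
// check whose absence the advisory describes. All origins other than
// groups.google.com are constructed for illustration.

// Origin of a document URL as scheme://host[:port]. The WHATWG parser reports
// "null" for non-special schemes such as res:, so those get a hand-built
// origin. A javascript: URL has no origin of its own and yields null.
function originOf(urlString) {
  const u = new URL(urlString);
  if (u.protocol === 'javascript:') return null;
  if (u.origin !== 'null') return u.origin;
  return `${u.protocol}//${u.host}`;
}

// initiatorUrl: the document whose script performs the assignment
// frameUrl:     the document currently loaded in the target frame
// targetUrl:    the value being assigned to frame.location.href
// settings:     { activeScripting, crossDomainSubframes } (constructed names)
function decideFrameNavigation(initiatorUrl, frameUrl, targetUrl, settings = {}) {
  const activeScripting = settings.activeScripting || 'enable';
  const crossDomainSubframes = settings.crossDomainSubframes || 'enable';
  const initiator = originOf(initiatorUrl);
  const frame = originOf(frameUrl);
  const target = new URL(targetUrl);

  if (target.protocol === 'javascript:') {
    // A javascript: URL loads nothing; it runs script with the privileges of
    // whatever document is already in the frame. The check must therefore
    // compare the initiator's origin with the frame's, not trust the frame's
    // current URL, which the initiator may have chosen a moment earlier.
    if (activeScripting === 'disable') {
      return { decision: 'deny', reason: 'Active Scripting is disabled' };
    }
    if (initiator !== frame) {
      return { decision: 'deny',
               reason: `script from ${initiator} would execute as ${frame}` };
    }
    return { decision: activeScripting === 'prompt' ? 'prompt' : 'allow',
             reason: 'initiator and frame share an origin' };
  }

  // Ordinary navigation: same origin is always fine; across origins the
  // "Navigate sub-frames across different domains" setting decides.
  if (initiator === frame) {
    return { decision: 'allow', reason: 'same-origin navigation' };
  }
  if (crossDomainSubframes === 'disable') {
    return { decision: 'deny', reason: 'cross-domain sub-frame navigation is disabled' };
  }
  if (crossDomainSubframes === 'prompt') {
    return { decision: 'prompt', reason: 'cross-domain sub-frame navigation needs confirmation' };
  }
  return { decision: 'allow', reason: 'cross-domain sub-frame navigation is enabled' };
}

// Replays the advisory's two-step bounce: an attacker page first points a
// third-party ad frame at the victim's own domain, then assigns a javascript:
// URL. Returns the decision for each step.
function replayBounce(settings = {}) {
  const attacker = 'http://attacker.example/page.html';                  // constructed
  const adFrame = 'http://ads.example/banner.html';                      // constructed
  const victim = 'http://groups.google.com/groups?threadm=anews.Aunc.850'; // from the advisory
  const step1 = decideFrameNavigation(attacker, adFrame, victim, settings);
  // After step 1 the frame holds the victim's document, but the initiator
  // is unchanged, so the attribution check still sees two different origins.
  const step2 = decideFrameNavigation(attacker, victim,
                                      'javascript:alert(document.cookie)', settings);
  return [step1.decision, step2.decision];
}

console.log('default settings:', replayBounce());
console.log('sub-frames disabled:', replayBounce({ crossDomainSubframes: 'disable' }));
```

With default settings the model lets step 1 through (pointing a frame at another domain is ordinary navigation) but denies step 2, because the javascript: assignment is judged by the initiator's origin rather than by the URL the frame happens to show. Setting crossDomainSubframes to "disable" stops the bounce at step 1, which is the effect of the second option in the Solution section. The same attribution rule is what keeps a web page from scripting a frame inside a res: or file: document.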

Demonstration:
GreyMagic put together four proof-of-concept demonstrations:

 * Simple <http://sec.greymagic.com/adv/gm010-ie/wfsimple.html>
   The example shown in the "Exploit" section.

 * "Who framed" Console <http://sec.greymagic.com/adv/gm010-ie/wfconsole.html>
   Automatically test any site for frames and execute commands on it.

 * Privacy, anyone? #1 <http://sec.greymagic.com/adv/gm010-ie/wfread.html>
   Read local files using the privacypolicy resource or, if you own a prior
   version of IE, scan your disk for "standard" local files that contain
   frames in order to "bounce" to any local file from them.

 * Privacy, anyone? #2 <http://sec.greymagic.com/adv/gm010-ie/wfexec.html>
   Execute arbitrary programs using the privacypolicy resource or, if you own
   a prior version of IE, scan your disk for "standard" local files that
   contain frames in order to "bounce" to program execution from them.

ADDITIONAL INFORMATION

The original advisory can be accessed by going to:
 <http://sec.greymagic.com/adv/gm010-ie/>

The information has been provided by <mailto:security@greymagic.com>
GreyMagic Software.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
