[NT] Internet Explorer : The D-Day
From: support@securiteam.com  Date: 10/16/02
From: support@securiteam.com To: list@securiteam.com Date: 16 Oct 2002 03:13:15 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
Internet Explorer : The D-Day
------------------------------------------------------------------------
SUMMARY
A security vulnerability in Internet Explorer allows remote attackers
unrestricted access to a frame's document object through its "Document"
property (with a capital "D", as opposed to the usual "document"). This
gives a remote attacker the power to do anything from stealing cookies to
executing arbitrary programs.
DETAILS
Affected applications:
Microsoft Internet Explorer 5.5 and 6.0. Prior versions and IE6 SP1 are
not vulnerable.
Note that any other application that uses Internet Explorer's engine
(WebBrowser control) is affected as well (Outlook under the Internet zone,
MSN Explorer, etc.).
Introduction:
The <frame> and <iframe> elements may contain URLs in other domains or
protocols, and are therefore subject to strict security rules, which prevent
frames in one domain from accessing content and information in another.
Microsoft explains the issue in its Cross-Frame Scripting article.
There are several ways to refer to an <iframe>'s (or <frame>) document in
Internet Explorer (assuming <iframe id="oFrameId">):
* oFrameId.document
* document.all.oFrameId.contentWindow.document
* frames.oFrameId.document
* And others.
All these methods are handled correctly by Internet Explorer and
Discussion:
The <iframe> and <frame> elements are really instances of the WebBrowser
control supplied by Microsoft. The WebBrowser control exposes several
potentially dangerous properties by default, which Microsoft overrides in
Internet Explorer.
However, Microsoft missed out on one important property -- "Document",
with a capital "D".
Normally, using "oElement.document" would provide a reference to the
document that owns the current element. The same applies to the <frame>
and <iframe> elements. However, we discovered that when
"oIFrameElement.Document" is used, the returned document is the one
contained inside the frame, and there are no security restrictions in
place to check if it's in a different domain.
This provides free and full access to the frame's Document Object Model,
which allows an attacker to steal cookies from any site, gain access to
content in sites (forging content), read local files and execute arbitrary
programs on the client's machine (script in the "My Computer" zone).
Both Internet Explorer 5.5 SP2 and Internet Explorer 6 are vulnerable, but
surprisingly this vulnerability does not exist in IE6 SP1. It's hard to
believe that Microsoft actually meant to plug it as IE5.5 remains
vulnerable, yet somehow this stray property is now protected.
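The issue described above is that one alias of the framed document ("Document") reached the document without passing the cross-domain check that "document", "contentWindow.document" and the other aliases go through. The following added example (written for this page, not code from the GreyMagic advisory or from Microsoft) models that boundary in plain JavaScript: a hypothetical FrameElement routes every property path through a single same-origin guard (origin compared as scheme, host and port), a probe walks each alias and reports whether it was blocked, and a LegacyFrameElement with the capital-D alias left unguarded shows how the audit catches exactly the gap the advisory reports. All class and function names, and the attacker.example/victim.example URLs, are constructed for the demonstration.

```javascript
// Added example: model of the cross-frame boundary and of the audit that
// would have caught an unguarded alias. Names are hypothetical.

// Origin key used by the same-origin policy: scheme, host and port.
function defaultPort(protocol) {
  return { "http:": "80", "https:": "443" }[protocol] || "";
}
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname}:${u.port || defaultPort(u.protocol)}`;
}

// A document loaded inside a frame; the cookie stands in for any
// cross-origin state the framing page must not see.
class FramedDocument {
  constructor(url, cookie) {
    this.URL = url;
    this.cookie = cookie;
  }
}

// Model of a frame element. ownerUrl is the page containing the <iframe>,
// inner is the document loaded inside it.
class FrameElement {
  constructor(ownerUrl, inner) {
    this.ownerOrigin = originOf(ownerUrl);
    this.inner = inner;
  }

  // Single choke point: the framed document is handed out only when the
  // framing page and the framed document share an origin.
  guardedDocument() {
    if (originOf(this.inner.URL) !== this.ownerOrigin) {
      throw new Error("Permission denied: cross-origin frame access");
    }
    return this.inner;
  }

  // Every public path must go through the guard, including legacy aliases.
  get document()      { return this.guardedDocument(); }
  get contentWindow() { return { document: this.guardedDocument() }; }
  get Document()      { return this.guardedDocument(); }
}

// Model of the bug: the capital-D alias bypasses the guard.
class LegacyFrameElement extends FrameElement {
  get Document() { return this.inner; }
}

// Walk a property path such as "contentWindow.document.cookie" and report
// whether the access was blocked.
function probe(frame, path) {
  try {
    let cur = frame;
    for (const key of path.split(".")) cur = cur[key];
    return { blocked: false, value: cur };
  } catch (e) {
    return { blocked: true, value: null };
  }
}

// Aliases an auditor should enumerate; a bypass of any one of them is a hole.
const ALIAS_PATHS = [
  "document.cookie",
  "contentWindow.document.cookie",
  "Document.cookie",
];

// True only if every alias is blocked for a cross-origin frame.
function auditCrossOrigin(frame) {
  return ALIAS_PATHS.every((p) => probe(frame, p).blocked);
}

// Constructed sample: a page on attacker.example frames victim.example.
const victim = new FramedDocument("http://victim.example/", "session=secret");
const crossOriginFrame = new FrameElement("http://attacker.example/", victim);
const sameOriginFrame = new FrameElement("http://victim.example/", victim);
const legacyFrame = new LegacyFrameElement("http://attacker.example/", victim);

console.log("guarded frame passes audit:", auditCrossOrigin(crossOriginFrame));
console.log("legacy frame passes audit:", auditCrossOrigin(legacyFrame));
for (const p of ALIAS_PATHS) {
  console.log(`legacy ${p}: blocked=${probe(legacyFrame, p).blocked}`);
}
```

The point of the audit function is that the security check lives in one place and the test enumerates every path to the object; the advisory's finding is what happens when a path is added (or inherited from the underlying control) without being added to that list.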
Exploit:
This exploit demonstrates how an attacker may choose to read the client's
"google.com" cookie.
<scr!pt language="jscript">
onload=function () {
    // Timer necessary to prevent weird behavior in some conditions
    setTimeout(
        function () {
            alert(document.getElementById("oVictim").Document.cookie);
        },
        100
    );
}
</script>
<iframe src="http://google.com" id="oVictim"></iframe>
Solution:
Until a patch becomes available either disable Active Scripting or upgrade
to IE6 SP1.
Demonstration:
GreyMagic Software put together four proof-of-concept demonstrations:
* <http://sec.greymagic.com/adv/gm011-ie/ddsimple.asp> Simple: Reads the
client's "google.com" cookie.
* <http://sec.greymagic.com/adv/gm011-ie/ddconsole.asp> D-Day Console:
Automatically load and execute commands on any site.
* <http://sec.greymagic.com/adv/gm011-ie/ddread.asp> D-Day Reading: Read
local files by accessing a res:// URL.
* <http://sec.greymagic.com/adv/gm011-ie/ddexec.asp> D-Day Execution:
Execute arbitrary programs by accessing a res:// URL.
ADDITIONAL INFORMATION
The original advisory can be downloaded from:
<http://security.greymagic.com/adv/gm011-ie/>
The information has been provided by <mailto:security@greymagic.com>
GreyMagic Software.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.