Minor IE vulnerability: about: URLs

From: Clover Andrew (aclover@1value.com)
Date: 10/19/01 

Subject: Minor IE vulnerability: about: URLs
Date: Fri, 19 Oct 2001 17:13:55 +0200
Message-ID: <D58B0195B58937489E89124469E57CA249D9C8@EX1.1value.com>
From: "Clover Andrew" <aclover@1value.com>
To: <bugtraq@securityfocus.com>

Zone spoofing? Oh yes, that reminds me. Here's another one.

Affected: Internet Explorer under Windows, up to version 6
Risk: Low
Workaround: Disable scripting in the Internet Zone

Problem:

If an unknown 'about:' name is used, IE echos the string exactly to the
page. So 'about:foo' results in an HTML page containing the word 'foo',
'about:<em>bar</em>' results in a page containing the emphasised word
'bar', and 'about:<script>...</script>' is an obvious security issue.

This amounts to a cross-site-scripting hole (see CERT CA-2000-02) built
into every copy of IE.

Consequences:

'about:' pages are in the Internet Zone; hence, sites in the Restricted
Zone (including HTML e-mail) may, by linking to an 'about' page, inject
and execute content they would not normally be allowed to run.

***Sites that accept user-submitted content *must* filter out about:
URLs just as they should filter out 'javascript:' and 'vbscript:'
ones.*** It's probably a good idea to disallow all protocol not known-
good (http[s], ftp, etc.) as there may be other protocols which present
a risk.

Cookies can be stored for 'about:' pages in newer versions of IE. This
allows any site to store and read cookies from a shared location,
circumventing the normal restriction that sites may not pass cookies to
each other.

[Each 'about:' page is considered different so if we were to write
'about:<script>alert(document.cookie);document.cookie='a=b'</script>',
that cookie would only be readable from the same URL, which would only
give us a one-bit store for each URL. We can get around this by noting
that IE incorrectly applies HTTP-style URL parsing to 'about:' URLs -
one consequence of which is that if you include a question mark in the
URL, only the part of the URL before the ? is considered part of the
unique page name.]

Exploit:

Global shared cookie store. Cookies are deliberately designed to
disallow sharing between sites, through restrictions on the 'path'
setting. These pages, however, can read each other's cookies:

  http://and.doxdesk.com/transfer/vuln.html
  http://www.1value.com/transfer/vuln.html

Of course they could do so with a lot more subtlety, hiding from
the user using techniques like invisible frames, transparent
redirects, etc.

Versions:

Assume all versions of IE/Win are vulnerable. Status of IE under other
platforms is unknown. Versions tested:

4.72.3612.1713 (SP2; 3283)
5.00.3315.1000 (SP2)
5.50.4522.1800
6.0.2600.0000

However, only IE5.5 and IE6 seemed able to store cookies for about:
pages; the exploit did not work on IE4 and IE5.0.

Vendor response: Probably won'tfix.

A Microsoft chap pointed out that sites can already break out of the
Restricted Sites Zone, simply by pointing at another site that is
not in that Zone.

(Cookies could similarly be shared by creating a 'cookie aggregator'
site which could be redirected to in order to set the desired cookie
and return to the originating site with a copy of all cookies set
by different sites.)

My response: in both cases, the 'rogue' site being redirected to can
also be put in the Restricted Sites Zone to stop it. This is not the
case with about: URLs, which are always in the Internet Zone and
cannot be changed. External sites can also be foiled through
firewalling and local blackhole routing, which about: cannot.
Unlike external sites, about: URLs are processed instantaneously,
making the user much less likely to notice them. Finally, an external
cookie aggregator site would be subject to privacy policies and laws,
which about: URLs cannot be.

I think it is a shame that the usefulness of the Restricted Sites
Zone feature and the locality restrictions on cookies are compromised
in favour of a feature (about:something generating a page with
'something' on) that is undocumented, non-standard, little-known and
of no conceivable legitimate use whatsoever.

But your mileage may vary. Make sure your web apps aren't
exploitable, anyway. 

-- 
Andrew Clover
Technical Consultant
1VALUE.com AG

Relevant Pages

  • Locking down MOST Internet activity...
    ... the Internet (Active X, cookies, scripting) on my TS, yet ... Security Zones I left the Internet zone to the highest ... Also, under Privacy, I set it to block all cookies ...
    (microsoft.public.windows.group_policy)
  • Re: They can break ZoneAlarm easily !
    ... packet filter firewall or a port mapper or some other additional security. ... outlook express settings are restricted zone, ... Also, I'd try deleting your cookies, and then making sure in your internet ...
    (comp.security.firewalls)
  • Re: Problems with cookies
    ... When you go to one of these sites, which "Zone" does IE display in ... I assume you're using Internet Explorer as your browser? ... then set 1st Party Cookies to Prompt and 3rd Party Cookies to Block. ... I have cheched everything and the settings are OK. ...
    (microsoft.public.windowsxp.general)
  • Re: Trusted Zone & Cookies with IE5.5 vrs IE6
    ... The question is I would like to be able to choose cookie options like IE5 let ... us, for instance, to be able to say No all cookies in the Internet ... Zone while at the same time say Yes ... It appears that IE6 sets cookies globally and not ...
    (microsoft.public.windows.inetexplorer.ie6.browser)
  • Re: Enable Javascript/cookies?
    ... Internet, Trusted Site etc.) - This will open up the Internet Options at the ... Security tab with the current Security Zone for the site selected. ... also cookies. ...
    (microsoft.public.windows.inetexplorer.ie6.browser)
Loading