Cross-Frame, About Pluggable Protocol, Security Zone Spoofing

From: the Pull (osioniusx@yahoo.com)
Date: 12/11/01


Date: Tue, 11 Dec 2001 09:56:10 -0800 (PST)
From: the Pull <osioniusx@yahoo.com>
To: bugtraq@securityfocus.com

Cross-Frame, About Pluggable Protocol, Security Zone
Spoofing

Class: Failure to Handle Exceptional Conditions
Remote: Yes
Local: Yes
Found: November 27, 2001
Severity: Mild
Vulnerable: IE 6.0.2600.0000
+ Windows 2000 Update Versions: Q312461
IE 5.50.4134.0100 Update Versions: q269368
+ Windows ME

Discussion: By appending merely a percent sign after
an about url which has opened in a window you can
access some elements of the previous document's
document object model. What this means is that you can
run script in the security context of "My Computer" or
"Trusted Sites" and can embed iframes (text/x-scriptlet
objects) from varying domains and protocols while the
Security Zone still reads "My Computer" or "Trusted
Sites". The limitations in this exploit are from the
about pluggable protocol's security restrictions and
security restrictions on embedded objects within this
protocol (if you have the latest patches).

Exploits: http://www.osioniusx.com

"trustedSites.html" - Opens an about page in a trusted
zone and navigates to a javascript url while remaining
in the Trusted Zone.
"Domains.html" - Opens two remote sites up in iframes
while remaining in the My Computer Zone (instead of
mixed). You could just as well open up .hta, .vbs,
even .bat files in this manner.
"MyComputer.html" - Opens about page in My Computer
zone and navigates to a javascript url.

Potential Solution: Minor fix on about pluggable
protocol. Note: Word needs to get out to all users that
they need to update their browsers to the latest fixes
at all times. I would like to see this automated in
future versions of IE.

Vendor Status: Emailed to "Secure@microsoft.com".

 

 
