(MSIE)A rather old trick for web server is now played on MSIE.

From: Liu Die Yu (liudieyuinchina@yahoo.com.cn)
Date: 12/26/02

    Date: 26 Dec 2002 05:38:39 -0000
    From: Liu Die Yu <liudieyuinchina@yahoo.com.cn>
    To: bugtraq@securityfocus.com

    (MSIE) A rather old trick for web servers is now played on MSIE.
    ("that's all" is the end of the file if you are in a hurry)

    [tested] MSIE v6 (CN version)
    Patch: Q312461, Q328970 (MS02-066)
    {IEXPLORE.EXE file version: 6.0.2600.0000}
    {MSHTML.DLL file version: 6.00.2600.0000}

    [demo]
    at
    http://www16.brinkster.com/liudieyu/viaSWFurl/viaSWFurl-MyPage.htm
    or
    clik.to/liudieyu ==> viaSWFurl-MyPage section.
    or
    [code.url start]
    http://www.macromedia.com//shockwave/download/triggerpages_mmcom/flash.swf?
    "><SCRIPT>alert(document.cookie)</SCRIPT>
    [code.url end]

    [exp]
    MSIE generates a page to load a multimedia file instead of loading it
    directly.
    The automatically generated page for loading an SWF file (SWF is the
    extension of a Flash file) contains the URL of the SWF file -- without
    any encoding.

    So the oldest XSS trick works on MSIE.

    that's all.

    [how]
    (real show)

    First, realize MS programmers are lazy (= "too busy") and they prefer to
    look wise, so you can doubt that they generate a page to load a multimedia
    file.
    Then, check it: I played a small trick: typing
    javascript:alert(document.body.innerHTML)
    in the address field when the content of MSIE is a JPG file.
    Soon after confirmation, try the trick and you'll find it doesn't work on
    a JPG file because the URL is encoded properly. (That programmer must have
    been fired for his defence.)
    Now you may lose self-confidence -- MS is not that foolish.
    But thinking about the "document.open" hole (not "flaw") will encourage you.
    (The essential point!)
    Then, after several tries, you have this document.

    (very few steps)

    [more?]
    This trick may work on other browsers, but I can't test it at present.

    [BTW]
    (0) Merry Christmas!
    (1) Greetings to "the Pull"
    (2) There are many demoz at http://www.safecenter.net (thanx to "Dror
    Shalev" for making them)
    (3) I'm busy with exams, hope you can understand and forgive my delay (the
    school is really crazy). I'll have a 30-day holiday. I think it's enough
    to make a site showing tricks I know, why they work, how to exploit them,
    and how people got the ideas. It's crosszone.org (not ready yet)
    (4) LOTUS: I am slow.

    [contact]
    clik.to/liudieyu ==> "How to contact Liu Die Yu" section
    (any postcard? :-) )