Microsoft Internet Explorer does not adequately validate source of dialog frame

Overview

Microsoft Internet Explorer (IE) allows script from a dialog frame in one domain to execute in a different domain, including the Local Machine Zone. The script could read certain local files and data (i.e. cookies) from other web sites. In the presence of other vulnerabilities (VU#626395, VU#25249), the script could execute arbitrary commands.

Description

Microsoft Internet Explorer provides two methods (showModalDialog and showModelessDialog) that can be used to display dialog box frames. The methods must specify a URI to use as the source of the dialog frame and they may take optional arguments, including script. These arguments can be accessed from the dialog frames using the dialogArguments property. Script passed as an argument to a dialog frame is subject to the security restrictions of the DHTML Object Model: script executing in one frame cannot access data in a frame from a different domain. In addition, script cannot access data using a different protocol. For example, script in a frame on cert.org cannot access data in a frame from example.com, and an http:// frame cannot access data using file:// or https://. The dialog methods may specify source URIs in a different domain than the parent frame, however the security restrictions should prevent script in one frame from accessing data in the other.

From MS03-004: “Internet Explorer evaluates security when one web page requests access to resources in another security zone. There is a flaw in the way Internet Explorer checks the originating domain when script runs in a dialog box.” Internet Explorer does not correctly enforce cross-domain security when the source of a dialog frame is set using an IFRAME element (or object). In publicly available examples, one file on a web site creates a scripting object and calls a dialog method with two arguments: the source of the dialog frame (a second file on the same web site as the parent) and a reference to the scripting object. The second file instantiates an IFRAME using a local file resource (res://shdoclc.dll/privacypolicy.dlg, see VU#711843). The local resource fulfills a necessary precondition of the attack - it uses dialogArguments to access the script without adequate validation. Script that is passed as an argument to a dialog frame can be accessed from a different domain/protocol as specified in the IFRAME element of the dialog frame’s source URL. As a result, the script can read data from the target domain.

In VU#728563, IE fails to correctly identify the source of modal dialog frames opened with the Redirect method or IFRAME elements. In VU#711843, local HTML resources accept script from modal dialog frames via the dialogArguments property. As a result, script from an attacker’s web page can be injected into local HTML resources and the script will execute in the Local Machine Zone.

The following table sumarizes dialog frame vulnerabilities in Internet Explorer.

IE Dialog Frame Vulnerabilities| Reporter| VU#728563 (dialog frame source)| VU#711843 (local HTML resource)| CVE| Microsoft
—|—|—|—|—
Thor Larholm TL#002| response.redirect| res://shdoclc.dll/{privacypolicy.dlg, policyerror.htm, policylooking.htm, policynone.htm, policysyntaxerror.htm} (IE 6.0)| [CAN-2002-0189](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= CAN-2002-0189>)| MS02-023 ([Q321232](< * http://www.microsoft.com/windows/ie/downloads/critical/Q321232/default.asp&gt;)) fixes response.redirect vector in IE 6.0 only, does not address analyze.dlg in IE 5.01 and 5.5
Grey Magic GM#001-AX| response.redirect| res://shdoclc.dll/analyze.dlg (IE 5.01, 5.5, 6.0)| CAN-2002-0691| MS02-047 ([Q323759](< * http://www.microsoft.com/windows/ie/downloads/critical/q323759ie/default.asp&gt;)) fixes response.redirect vector in IE 5.01 and 5.5, all known local HTML resources
Liu Die Yu “bad parent”| IFRAME (IE 5.01 not affected)| res://shdoclc.dll/privacypolicy.dlg (IE 5.5, 6.0)| CAN-2002-1326| MS03-004 (Q810847) fixes IFRAME vector in IE 5.5 and 6.0, all known local HTML resources
Liu Die Yu “poisonous style”| N/A (VU#244729)| N/A (VU#244729 dialog frame font attribute)| CAN-2003-0116| MS03-015 (Q813489)

Internet Explorer, Outlook, Outlook Express, MSN Messenger, Eudora, Lotus Notes, Adobe PhotoDeluxe, AOL, and any other software that hosts the WebBrowser ActiveX control could be affected by this vulnerability.

Further information is available in advisories by Thor Larholm (TL#002), GreyMagic Software (GM#001-AX), and Liu Die Yu (BadParent).

Impact

An attacker who is able to convince a user to access a specially crafted HTML document, such as an Internet web page or HTML email message, could execute arbitrary script in a different domain. When combined with cross-site scripting vulnerabilities in local HTML resources [VU#711843], the script could execute with privileges of the user in the security context of the Local Machine Zone. The script could read certain types of local files in known locations. In conjunction with other vulnerabilities (VU#626395, VU#25249), the script could execute arbitrary commands on the user’s system.
From MS03-004:

An attacker could use this vulnerability to create a web page that would allow the attacker to access data across domains. This could include reading local system files not in use by the user or the operating system, provided the attacker knew the full path and file name. It could also include accessing any data that a user chose to share with another web site.

In the worst case, this vulnerability could allow an attacker to load a malicious executable onto the system and execute it.

However, the attack would only be possible against a domain or zone where there was content that handled dialogue box data in a special manner. Pages like this exist in the My Computer zone, but may not necessarily exist on a target web site. [VU#711843]

---

Solution

Apply Patch

Apply Q810847 or a more recent cumulative patch. See Microsoft Security Bulletin MS03-004 for more information.

---

Disable Active scripting

Active scripting is required to open a modal dialog frame and populate dialogArguments. At a minimum, disable Active scripting in the Internet zone and the zone used by Outlook, Outlook Express, or any other email client that uses Internet Explorer or the WebBrowser control to render HTML. Instructions for disabling Active scripting can be found in the CERT/CC Malicious Web Scripts FAQ.
Apply the Outlook Email Security Update

Another way to effectively disable Active scripting in Outlook is to install the Outlook Email Security Update. The update configures Outlook to open email messages in the Restricted Sites Zone, where Active scripting is disabled by default. In addition, the update provides further protection against malicious code that attempts to propagate via Outlook. The Outlook Email Security Update is available for Outlook 98 and Outlook 2000. The functionality of the Outlook Email Security Update is included in Outlook 2002 and Outlook Express 6.

Update HTML Help

To protect against arbitrary command execution, install an updated version of HTML Help (811630). As described in Microsoft Security Bulletin MS03-015, the updated HHCtrl ActiveX control disables the Shortcut command in a compiled help file that has been opened with the showHelp method:

* _Only supported protocols [[http:](<http:>), __https:__, __file:__, __ftp:__, ms-its:, or mk:@MSITStore:] can be used with showHelp to open a web page or help (chm) file. _
* _The _[_shortcut_](<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/htmlhelp/html/vsconshortcutov.asp>)_ function supported by HTML Help will be disabled when the help file is opened with showHelp This will not affect the shortcut functionality if the same CHM file is opened by the user manually by double-clicking on the help file, or by through an application on the local system using the HTMLHELP( ) API._

Note that the patches referenced in MS03-004 and MS03-015 completely disable the showHelp method. After installing either one of these patches, Internet Explorer will not be able to open help files.

Restrict HTML Help commands

Restrict the execution of the Shortcut and WinHelp HTML Help commands to specified folders, or disable the commands entirely. As in the previous recommendation, this technique will protect against arbitrary command execution via HTML Help. Details are available in Microsoft Knowledge Base Article 810687.

Vendor Information

728563

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Microsoft Corporation __ Affected

Notified: June 04, 2002 Updated: April 25, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see Microsoft Security Bulletins MS02-023 and MS02-047 and MS03-004.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23728563 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.pivx.com/larholm/adv/TL002/default.htm&gt;
• <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0189&gt;
• <http://www.microsoft.com/technet/security/bulletin/MS02-023.asp&gt;
• <http://online.securityfocus.com/bid/4527&gt;
• <http://security.greymagic.com/adv/gm001-ax/&gt;
• <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0691&gt;
• <http://microsoft.com/technet/security/bulletin/MS02-047.asp&gt;
• <http://online.securityfocus.com/bid/5561&gt;
• <http://www.iss.net/security_center/static/9938.php&gt;
• <http://www16.brinkster.com/liudieyu/BadParent/BadParent-CONTENT.txt&gt;
• <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-1326&gt;
• <http://microsoft.com/technet/security/bulletin/MS03-004.asp&gt;
• <http://www.securityfocus.com/bid/6205&gt;
• <http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/showmodaldialog.asp&gt;
• <http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/showmodelessdialog.asp&gt;
• <http://msdn.microsoft.com/workshop/author/om/xframe_scripting_security.asp&gt;
• <http://msdn.microsoft.com/workshop/author/dhtml/sec_dhtml.asp&gt;
• <http://msdn.microsoft.com/workshop/author/om/doc_object.asp&gt;
• <http://msdn.microsoft.com/workshop/author/om/windows_frames_dialogs.asp&gt;
• <http://msdn.microsoft.com/workshop/author/om/windows_frames_dialogs.asp#sec_dialogs&gt;
• <http://msdn.microsoft.com/workshop/author/dhtml/reference/properties/dialogarguments.asp&gt;
• <http://msdn.microsoft.com/workshop/security/szone/overview/overview.asp#default_zones&gt;
• <http://support.microsoft.com/support/kb/articles/Q182/5/69.ASP&gt;
• <http://msdn.microsoft.com/workshop/browser/webbrowser/browser_control_ovw_entry.asp&gt;
• <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfsystemwebhttpresponseclassredirecttopic.asp&gt;
• <http://msdn.microsoft.com/workshop/author/dhtml/reference/objects/iframe.asp&gt;
• <http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/reference/properties/innerhtml.asp&gt;

Acknowledgements

Several variations of this vulnerability were publicly reported by Thor Larholm, GreyMagic Software, and Liu Die Yu.

This document was written by Art Manion and Shawn Van Ittersum.

Other Information

CVE IDs:	CVE-2002-0189
Severity Metric:	18.07 Date Public: