Microsoft IE clipboardData Object Caching Cross-domain Policy Bypass

2002-10-04T00:00:00
ID OSVDB:2986
Type osvdb
Reporter OSVDB
Modified 2002-10-04T00:00:00

Description

Vulnerability Description

Microsoft Internet Explorer contains a flaw that may allow a remote attacker to execute malicious JavaScript in restricted domains. The issue arises when two windows communicate: the security checks that ensure both pages are in the same security zone/domain wrongly assume that certain cached objects are only called through their respective window. This incorrect assumption allows the remote attacker to provide interoperability between separate documents. This would allow the attacker to gain access to site content, steal cookies, read files from the local machine or execute programs on the victim's computer.

Technical Description

Each item in the list below consists of three parts: "Cache" shows how to cache the vulnerable object, "Exploit" shows how the vulnerability works in context, and "Impact" details the implications of the vulnerability.

clipboardData

Cache: var oVuln=oWin.clipboardData;

Exploit: alert(oVuln.getData("text")); or oVuln.setData("text","data");

Impact: Read/write access to the clipboard, regardless of settings.
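The incorrect assumption described above, reduced to a small JavaScript model of a check placed on the window's call path versus a check repeated on every call to the object. This is an added example, not code from the advisory or from Internet Explorer; the classes, the same-origin rule used as the policy, the explicit callerOrigin argument and the sample origins are all assumptions made for illustration.

```javascript
// Simplified model, constructed for illustration: all names are hypothetical.
// callerOrigin stands in for the caller context a script engine would supply.
class PolicyError extends Error {}
function checkCaller(owner, callerOrigin) {
  if (owner.origin !== callerOrigin) throw new PolicyError("cross-origin call refused");
}

// Flawed: the check sits on the window's call path, so the object it hands
// out assumes every call already passed through that path.
class FlawedWindow {
  constructor(origin, text) {
    this.origin = origin;
    this.clipboardData = { getData: () => text }; // no check of its own
  }
  getDataViaWindow(callerOrigin) {
    checkCaller(this, callerOrigin); // enforced on this path only
    return this.clipboardData.getData();
  }
}

// Hardened: the object keeps its owner and re-checks on every call, so a
// reference saved in a variable carries the policy with it.
class HardenedWindow {
  constructor(origin, text) {
    this.origin = origin;
    const owner = this;
    this.clipboardData = {
      getData(callerOrigin) { checkCaller(owner, callerOrigin); return text; },
    };
  }
}

// True when policy refuses the call, false when the call succeeds.
function isRefused(fn) {
  try { fn(); return false; }
  catch (e) { if (e instanceof PolicyError) return true; throw e; }
}
function demo() {
  const other = "https://b.example"; // constructed origins and clipboard text
  const flawed = new FlawedWindow("https://a.example", "clip text");
  const hardened = new HardenedWindow("https://a.example", "clip text");
  const cachedFlawed = flawed.clipboardData; // reference saved in a variable
  const cachedHardened = hardened.clipboardData;
  return {
    flawedViaWindow: isRefused(() => flawed.getDataViaWindow(other)),
    flawedViaCache: isRefused(() => cachedFlawed.getData()),
    hardenedViaCache: isRefused(() => cachedHardened.getData(other)),
    hardenedSameOrigin: isRefused(() => cachedHardened.getData("https://a.example")),
  };
}
```

In the flawed model only the call routed through the window is refused; the hardened model refuses the cached reference as well while still serving a same-origin caller.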

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

References:

Microsoft Security Bulletin: MS03-015
Keyword: aka "Cross Domain Verification via Cached Methods."
ISS X-Force ID: 10440
Generic Informational URL: http://sec.greymagic.com/adv/gm012-ie/
CVE-2002-1254
Bugtraq ID: 6028