ie.css.txt

`  
Thor Larholm security advisory TL#002  
  
Topic: IE allows universal Cross Site Scripting.  
  
Discovery date: 18 March 2002.  
  
Affected applications:  
  
Any application that hosts the WebBrowser control (IE6+). Some of these  
are:  
* Microsoft Internet Explorer  
* Microsoft Outlook  
* Microsoft Outlook Express  
  
Severity: High  
  
Impact:  
Elevating privileges, hijacking the MSN Messenger client, running script  
in the My Computer zone, arbitrary command execution, etc.  
  
Introduction:  
Among its extensive functionality, IE employs a set of useful methods to  
display dialog windows. These, the showModalDialog and  
showModelessDialog methods, can transfer objects from the originating  
page to the page being displayed inside the dialog, by use of the  
dialogArguments property.  
  
Discussion:  
The dialogArguments property tries to prevent interaction between remote  
pages by comparing the location of the originating page and the dialog  
page.  
When opening a dialog window (e.g. res://shdoclc.dll/policyerror.htm)  
from another protocol, port or domain (e.g. http://jscript.dk), the  
validation code in IE will ensure that no objects are transferred, and  
no interaction is as such possible.  
When both pages are on the same protocol, port and domain, the  
validation code will allow interaction.  
Unfortunately, the validation code only checks the original URL instead  
of the final URL, and it is as such possible to bounce a HTTP redirect  
from the originating site to the desired dialog page that will allow  
interaction.  
  
It is worth noting that this is not in any way limited to the RES://  
protocol. The flawed dialogArguments property also allows interaction  
between different domains (e.g. YAHOO.COM to MICROSOFT.COM), different  
protocols (HTTP to HTTPS, HTTP to FILE, etc.) and different ports (port  
80 to port 21, port 80 to port 25, etc.)  
  
For the sake of demonstration, we take a look at shdoclc.dll which  
contains several resource in the HTML category, labeled POLICYERROR.HTM,  
POLICYLOOKING.HTM, POLICYNONE.HTM and POLICYSYNTAXERROR.HTM. These files  
contain the following script code:  
var site = window.parent.dialogArguments.url;  
  
function printSite()  
{  
document.write( site);  
}  
  
Exploit:  
<script>  
var sCode = '<'+'script>alert("This is running from: " + location.href);top.close  
()</'+'script>';  
window.showModalDialog("redirect.asp", {url:sCode})  
</script>  
  
Redirect.asp contains:  
<%@Language=Jscript%><%  
Response.Redirect("res://shdoclc.dll/policyerror.htm");  
%>  
  
Solution: (for MS)  
Fix the faulty validation routine in dialogArguments.  
Include input validation in resource files.  
Also, fixing the incomplete MS02-015 patch will ensure that this  
specific command execution vulnerability will not reoccur when the next  
CSS issue is uncovered.  
  
Solution: (for users)  
Disable scripting.  
  
Tested on:  
IE6sp1 Win2000 SP2, with all patches.  
IE6sp1 Windows 98, with all patches.  
IE6sp1 Windows 98 SE, with all patches.  
  
Demonstration:  
I have put together some proof-of-concept examples:  
* Simple static examples - Demonstratory fixed code  
* Advanced example - Input arbitrary script code  
* Hijacking MSN Messenger - An updated version of a previous bulletin  
* Executing arbitrary commands - How CodeBase was not fixed  
  
Vendor status:  
Microsoft was notified 18 March 2002 and were able to reproduce the  
issue consistently.  
They are currently (16 April 2002) investigating whether to address this  
in an upcoming cumulative patch.  
  
Feedback:  
  
Please mail any questions or comments to  
  
contact (at) jscript (dot) dk  
  
Links:  
  
CAN-2002-0189:  
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0189  
Cross Site Scripting:  
- http://www.cert.org/advisories/CA-2000-02.html  
Incomplete MS02-015 patch: (faulty as of April 13)  
- http://www.microsoft.com/technet/security/bulletin/MS02-015.asp  
MSN Messenger Hijacking:  
- http://tom.me.uk/msn/  
Unpatched IE vulnerabilities:  
- http://jscript.dk/unpatched/  
GM#001-AX Appendix to "IE allows universal Cross Site Scripting".  
- http://sec.greymagic.com/adv/gm001-ax/  
  
References:  
  
dialogArguments property:  
-  
http://msdn.microsoft.com/workshop/author/dhtml/reference/properties/dia  
logarguments.asp  
showModalDialog method:  
-  
http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/showmo  
daldialog.asp  
showModelessDialog method:  
-  
http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/showmo  
delessdialog.asp  
Insecure shdoclc.dll resource files:  
- POLICYERROR.HTM, POLICYLOOKING.HTM, POLICYNONE.HTM &  
POLICYSYNTAXERROR.HTM  
  
Revisions.  
  
16 April: Released.  
16 April: Added link to GM#001-AX Appendix to "IE allows universal Cross  
Site Scripting", detailing how IE5+ is also exploitable to a variation  
of this vulnerability.  
`