Microsoft Edge allows remote attackers to bypass the Same Origin Policy (CVE-2017-0002)

ID SSV:92801
Type seebug
Reporter Root
Modified 2017-03-20T00:00:00


Original link: UXSS on Microsoft Edge – Adventures in a Domainless World

Original author: Manuel Caballero

Translation: Holic (Knownsec 404 Security Lab)

Note: the associated files can be downloaded here.

Today we discuss a few design issues which, taken together, let us achieve a Universal Cross-Site Scripting (UXSS) attack on Microsoft Edge. If you are not a security researcher but still want to understand the vulnerability, a simple explanation is: by visiting a malicious web page, an attacker can read your cookies, change the content of websites on the client side, and obtain personal information. In addition, because Microsoft Edge uses protected internal resources to perform special operations, an attacker may be able to access those resources and, for example, change Edge configuration options or open IE.

We have one video showing a cookie attack on Bing and another video with a further demonstration. Please remember that these websites have no problems of their own; the vulnerability lies in the Microsoft Edge browser. Below we look at how this is done.

Domainless World

about:blank is a very special URL that sometimes confuses people, because it is not clear where it belongs. Think about it: if we are on a regular website, its document.domain is clearly that site's domain, but which domain does about:blank belong to? It depends. In theory it should match the referrer's domain, i.e. the web page that set its URL. For example, if we click an about:blank link while on a site, the resulting about:blank will get that site as its domain.

Another example is an iframe whose src points to about:blank, or that has no src at all; in that case the browser defaults to about:blank.

So an about:blank loaded from one site looks almost identical to an about:blank loaded from another site, because the two URLs are the same, but they have different document.domain values, so they cannot access each other.

Then the question is: what domain does an about:blank have when we type it manually into the address bar? I want that one! The answer is so important that I enlarged the DevTools to take a look.

It is empty, as we can see. This has great power, but to make sure we are on the same page, let's call the one without a domain "domainless" and the one with a domain "domained", meaning a URL that is tied to a website's document.domain.

Bug hunters, the following is the important part of this article.

“A domainless about:blank is capable of accessing any domained about:blank”


In other words, a domainless about:blank has unrestricted access to any domained about:blank. Let's cut corners and do it directly from the debug console, quickly adding an iframe to this page.

```javascript
document.body.innerHTML = '<iframe src=""></iframe>';
```

Very good! We are in a top-level domainless blank and we have a Bing frame, but our goal is to find a blank iframe inside Bing because, as I said, a domainless blank (the main window) can access any domained blank (the iframe inside Bing).

This case is very easy to achieve, because Bing already has a blank iframe we can use. But let's keep trying! Even from the debugger, the following instruction would normally be denied, but because the top has no domain it runs. So let's check it out now!

```javascript
window[0][0].location.href = "javascript:alert(parent.document.domain)";
```

Bingo! I know this does not blow your mind, because we got the result from the DevTools, right? But for me this is the most important part: if we master this one concept, finding new UXSSes later becomes a lot easier. From now on, every method we find to reach a domainless blank, whether it is about:blank or something else, gives us a UXSS. We are using the DevTools now because I want to make sure we know exactly what we are doing; of course, we do not need the DevTools.
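As an added illustration of the rule stated above (this is not code from the original post), the following Node.js model encodes how a browser should assign origins to about:blank and data: documents and runs the post's scenario through it: under those rules a domainless top cannot script the blank iframe inside a framed site, which is exactly what Edge got wrong. The function names and sample site names are assumptions.

```javascript
// Added example, not code from the original post: a small model of the
// origin rules a browser is expected to apply to about:blank and data:
// documents, plus the same-origin check, so the Edge behaviour described
// above (a domainless top reaching a domained about:blank) can be compared
// against what should happen. The sample site names are constructed.

let opaqueSerial = 0;

// An opaque origin is equal only to itself.
function opaqueOrigin() {
  return { opaque: true, id: ++opaqueSerial };
}

// Tuple origin (scheme, host, port) for an ordinary http(s) URL.
function tupleOrigin(url) {
  const u = new URL(url);
  return { opaque: false, scheme: u.protocol.slice(0, -1), host: u.hostname, port: u.port };
}

// Origin of a document given its URL and the origin of the document that
// navigated it (null when the user typed the URL into the address bar).
function documentOrigin(url, creatorOrigin) {
  if (url === 'about:blank') {
    // about:blank inherits its creator's origin; with no creator it gets a
    // fresh opaque origin. It never becomes a wildcard matching everything.
    return creatorOrigin ? creatorOrigin : opaqueOrigin();
  }
  if (url.startsWith('data:')) {
    // data: URLs are treated as a unique opaque origin.
    return opaqueOrigin();
  }
  return tupleOrigin(url);
}

function sameOrigin(a, b) {
  if (a.opaque || b.opaque) return a.opaque && b.opaque && a.id === b.id;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// The scenario from the post: a domainless top (typed about:blank) framing
// a site, which in turn holds a blank iframe. Returns whether the top may
// script that inner frame under the rules above (expected: false).
function domainlessTopCanScriptInnerBlank(framedSite) {
  const top = documentOrigin('about:blank', null);
  const framed = documentOrigin(framedSite, top);
  const innerBlank = documentOrigin('about:blank', framed);
  return sameOrigin(top, innerBlank);
}
```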

Standalone PoC, without the DevTools

Now to the real thing. We need a way to create a domainless site from a regular web page; the fastest method is to use a data: URI instead of about:blank. They are similar, but at least the protocol is different. If we load a data: URI inside an iframe, its domain will be the referrer's, just like the about:blank we saw at the beginning, and if we try to load a data: URI at the top, Edge refuses and sends us to an error page.

However, there are a few tricks that get us a domainless data: URI; let's explore the Flash version of the PoC, because it is simple. In fact, I have been using this Flash file since 2005; it just reads a URL from the query string. Hurry up and use it!

```html
<iframe src="geturl.swf?target=_top&redir=data:,[html/script goes here]"></iframe>
```

See? Just add the URL you want loaded to the redir parameter. In this case we use a data: URI and load it in the domainless top. In addition, to trick Edge, we need to load the swf inside an iframe; otherwise we get the error page instead. Try it yourself.

By the way, don't forget that we can find alternatives that achieve the same effect. I only use this one because it was the first I found; the Adobe people may well blacklist data: URIs to help my friends at @Edge get rid of this bug. However, there are many ways to achieve the same thing without a Flash file. Submit your own ideas, find your own way!

OK, now that we are in a domainless window, we can inject an iframe pointing to Bing, but Edge will not render the page elements properly. If we try createElement/insertAdjacentHTML/etc., it will not work. I mean, Edge draws a "dead" iframe, like a car without an engine: it simply cannot run. To solve this, we use document.write to write to ourselves, forcing the browser to render again. And because we are in a domainless URL, document.write keeps us on exactly the same address/domain.

```javascript
document.write('<iframe src=""></iframe>');
```

Perfect! Now we can access Bing's blank iframe, but remember that we are relatively lucky, because not all sites have "free blank iframes" inside.

```javascript
window[0][0].location.href = "javascript:alert(parent.document.cookie)";
```

The MS Edge PoC is online here.

I am very excited, because this time it worked without the DevTools. Oh no, I know what you are thinking, suspicious bug hunter: Bing handed us an empty iframe for free, that was too easy! Yes, but let me celebrate a little! From now on I will call you killjoy, no longer "bug hunter".

Let's continue, killjoy. I know that sites do not like the idea of giving us an empty iframe, so we need to find our own way.

Owning non-cooperative sites


Think about it: in step two, the top is a domainless data: and our iframe renders correctly, but now it points to nature instead, because nature has no blank iframe of its own. If we try to change the iframe's address, Edge opens a new window instead. In other words, this does not work:

```javascript
// We are inside a domainless data: so Edge will open a new
// window instead of changing nature-iframe's location
window[0][0].location.href = "about:blank";
```

This does not take effect. It can probably be bypassed, but I have tried enough. The problem occurs only in the domainless window, so we can open a new window with a real URL and continue from there. This is exactly what we will do:

  1. Open the nature iframe in a new window. [Now we are inside a new window with a regular URL.]
  2. Change the address of nature's inner iframe to about:blank, so that we can give it a name. Yes, we want the iframe to have a name.
  3. Once the name is set on the about:blank, our domainless opener CAN reach it through window.open. Don't forget that we are now inside a window with a regular URL; it is our opener that is domainless. We name this iframe like so: `window.name = "DAVID_COPPERFIELD"`, in honour of a magician who keeps learning with passion.
  4. Now we need that about:blank to become part of nature's domain, so we set its address to nature's address and then use a meta-refresh to change it back to about:blank. Easy. This technique ensures the about:blank is restored to its parent's domain.
  5. Let the opener know when it is ready, so it can be accessed, like so: `window.open("javascript:alert(document.domain)", "DAVID_COPPERFIELD");`

The MS Edge PoC for this is online here.

Celebrating again, but this time cheering in the house. Yes! Oops, my wife asked what I had found. She knows those screams mean something.

Killjoy, sir, we did it. The PoC is interactive, so we can see in real time what we are doing, but please read the code for the specific details; I am sure there is room for improvement. If you have followed these ideas, you will probably find workarounds that achieve something similar. Study, learn, learn! Very interesting.

Can you find your own method of setting a domainless URL without Flash? Yes, you can. In addition, as long as we are discussing code, we can create all kinds of UXSS scenarios, such as accessing the top from inside an iframe. Is that possible? Suppose I am a banner ad rendered by Facebook. Can I access our top and get things like the user's friends list? Of course! Can we access sites that refuse to be framed with XFO? Can the iframe render only HTML elements? Finally, what about sites with no iframe at all? I assure you that even those can be dealt with. Sit down and explore for yourself. Here are the files you need.

Have a nice day! Manuel.