Date: Wed, 4 Feb 2015 23:46:19 +0000
From: Zaakiy Siddiqui <zaakiy@...con.com.au>
To: David Leo <david.leo@...sen.co.uk>, Joey Fowler <joey@...blr.com>
Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>,
	"bugs@...uritytracker.com" <bugs@...uritytracker.com>,
	"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
	"cve-assign@...re.org" <cve-assign@...re.org>
Subject: Re: [FD] Major Internet Explorer Vulnerability - NOT Patched

Hi David,

Nice one… great find!  And thanks Joey for confirming the bypass of HTTP-to-HTTPS restrictions.

I can confirm that this also affects Spartan Browser (Experimental enabled in about:flags in Internet Explorer 11).

I can also confirm that IE 10 is affected.

IE 9 appears to not be vulnerable. Screenshots below.

Regards,
Zaakiy Siddiqui


IE 11 Spartan - vulnerable (Windows 10)



IE 10 - vulnerable (Windows 7)

IE 9 - not vulnerable (Windows 7)


From: David Leo <david.leo@...sen.co.uk>
Sent: Wednesday, 4 February 2015 11:13 PM
To: Joey Fowler <joey@...blr.com>
Cc: bugtraq@...urityfocus.com, fulldisclosure@...lists.org, bugs@...uritytracker.com, cve-assign@...re.org

Microsoft was notified on Oct 13, 2014.

Joey thank you very much for your words.

Kind Regards,

On 2015/2/3 4:53, Joey Fowler wrote:
> Hi David,
>
> "nice" is an understatement here.
>
> I've done some testing with this one and, while there /are/ quirks, it most definitely works. It even bypasses standard HTTP-to-HTTPS restrictions.
>
> As long as the page(s) being framed don't contain X-Frame-Options headers (with `deny` or `same-origin` values), it executes successfully. Pending the payload being injected, most Content Security Policies are also bypassed (by injecting HTML instead of JavaScript, that is).
>
> It looks like, through this method, all viable XSS tactics are open!
>
> Nice find!
>
> Has this been reported to Microsoft outside (or within) this thread?
>
> --
> Joey Fowler
> Senior Security Engineer, Tumblr
>
>
>
> On Sat, Jan 31, 2015 at 9:18 AM, David Leo <david.leo@...sen.co.uk> wrote:
>
>     Deusen just published code and description here:
>     http://www.deusen.co.uk/items/insider3show.3362009741042107/
>     which demonstrates the serious security issue.
>
>     Summary
>     An Internet Explorer vulnerability is shown here:
>     Content of dailymail.co.uk can be changed by external domain.
>
>     How To Use
>     1. Close the popup window ("confirm" dialog) after three seconds.
>     2. Click "Go".
>     3. After 7 seconds, "Hacked by Deusen" is actively injected into dailymail.co.uk.
>
>     Technical Details
>     Vulnerability: Universal Cross Site Scripting (XSS)
>     Impact: Same Origin Policy (SOP) is completely bypassed
>     Attack: Attackers can steal anything from another domain, and inject anything into another domain
>     Tested: Jan/29/2015 Internet Explorer 11 Windows 7
>
>     If you like it, please reply "nice".
>
>     Kind Regards,
>
>
>     _________________________________________________
>     Sent through the Full Disclosure mailing list
>     https://nmap.org/mailman/listinfo/fulldisclosure
>     Web Archives & RSS: http://seclists.org/fulldisclosure/
>
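Joey's reply above notes that the injection only works against pages that are not protected by X-Frame-Options `deny` or same-origin (the header's defined token is `SAMEORIGIN`). The following is an added example, not code from this thread or from Deusen, that audits a response's headers for that framing protection; it also goes beyond the thread by honouring CSP `frame-ancestors`, which browsers give precedence over X-Frame-Options. The sample responses are constructed and do not describe any real site.

```python
from typing import List, Optional, Tuple

Header = Tuple[str, str]

def header_values(headers: List[Header], name: str) -> List[str]:
    """All values of a header, matched case-insensitively (headers may repeat)."""
    return [v.strip() for k, v in headers if k.lower() == name.lower()]

def frame_ancestors_sources(headers: List[Header]) -> Optional[List[str]]:
    """Source list of the first frame-ancestors directive found in any
    Content-Security-Policy header, or None if no CSP header declares one."""
    for csp in header_values(headers, "Content-Security-Policy"):
        for directive in csp.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return [p.lower() for p in parts[1:]]
    return None

def framable_by_any_origin(headers: List[Header]) -> bool:
    """True if an arbitrary third-party page could frame this response.

    When a CSP frame-ancestors directive is present it takes precedence and
    X-Frame-Options is ignored; otherwise X-Frame-Options DENY / SAMEORIGIN
    block framing. Anything else (header absent, malformed or conflicting
    values, the obsolete ALLOW-FROM form that modern browsers ignore) is
    counted as unprotected, which is the conservative answer for an audit.
    """
    sources = frame_ancestors_sources(headers)
    if sources is not None:
        if not sources or sources == ["'none'"]:
            return False  # an empty source list or 'none' blocks all framing
        # 'self' or explicit hosts restrict framing; wildcards do not
        return any(s in ("*", "http:", "https:") for s in sources)
    xfo = [v.upper() for v in header_values(headers, "X-Frame-Options")]
    return not (xfo and all(v in ("DENY", "SAMEORIGIN") for v in xfo))

# Constructed sample responses (hypothetical, not captured from any site)
SAMPLES = {
    "no_protection": [("Content-Type", "text/html")],
    "xfo_deny": [("Content-Type", "text/html"), ("X-Frame-Options", "DENY")],
    "xfo_lowercase": [("x-frame-options", "sameorigin")],
    "csp_self": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'")],
    "csp_overrides_xfo": [("X-Frame-Options", "DENY"),
                          ("Content-Security-Policy", "frame-ancestors *")],
    "xfo_allow_from": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:18s} framable by any origin: {framable_by_any_origin(hdrs)}")
```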



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
