Date: 11 Jul 2004 15:33:53 -0000
From: Paul <paul@...yhats.cjb.net>
To: bugtraq@...urityfocus.com
Subject: MSIE Similar Method Name Redirection Cross Site/Zone Scripting Vulnerability

Note: This vulnerability and many more can be found at http://www.greyhats.cjb.net

SimilarMethodNameRedir
Automatic Remote Compromise

[Tested]
IEXPLORE.EXE file version 6.0.2800.1106
MSHTML.DLL file version 6.00.2800.1400
Microsoft Windows XP sp2 

[Discussion]
At first I thought this vulnerability had something to do with method caching. It doesn't. It has to do with the security check that Internet Explorer has in place. Apparently, if a function is redirected to a function with the same name, it can be called without security restrictions. If you want to see what I mean, try this:

<script>
// Reference to location.assign taken from the current window
var var1=location.assign;
alert("Assign function of the current window:\n"+var1);
// Open a second window and take its location.assign for comparison
var w=window.open("about:blank","_blank");
var var2=w.location.assign;
alert("Assign function of the new window:\n"+var2);
w.close();
</script>


You should get two alerts describing the assign() function as being

function assign(){
[Native code]
}

Notice both functions appear to be the same. My guess is that Internet Explorer checks the two function names and (maybe) the function code. If it matches, Internet Explorer marks the function as safe. It doesn't, however, take into account cross-window function calls. That's why SimilarMethodNameRedir works. 

How bad is this problem? Critical. With minimal effort, a malicious website owner could install viruses or spyware on the visitor's computer. Because theoretically this should work with every function, the only way that I can think of to fix the problem is to rewrite the whole function security check that internet explorer has in place. The best way to prevent this vulnerability is to either disable active scripting or switch to a different browser ;). 

The example goes to google.com and executes JavaScript that displays a message box with the location.href and the document.cookie attributes of the window object.

[Example]
http://freehost07.websamba.com/greyhats/similarmethodnameredir.htm
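The mitigation the post recommends, disabling active scripting, is a per-zone Internet Explorer setting stored in the registry. The following PowerShell is an added example (not from Paul's post) that audits that setting for every zone and can enforce it for the Internet zone; the registry paths, zone numbers (3 = Internet) and URL action id 1400 (Active scripting; 0/1/3 = Enabled/Prompt/Disabled) are the documented IE ones, while the function name and display labels are this example's own.

```powershell
function Get-IEActiveScriptingState {
    [CmdletBinding()]
    param([switch]$Disable)   # -Disable sets the Internet zone to Disabled

    $zoneNames  = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
    $stateNames = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
    $userBase   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    # Values under the Policies hive are pushed by Group Policy and override the user setting.
    $policyBase = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

    foreach ($zone in 0..4) {
        $userKey   = Join-Path $userBase   "$zone"
        $policyKey = Join-Path $policyBase "$zone"
        $value  = $null
        $source = 'default'

        # URL action 1400 = Active scripting; a missing value means the zone template default applies.
        if (Test-Path $policyKey) {
            $v = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).'1400'
            if ($null -ne $v) { $value = $v; $source = 'policy' }
        }
        if ($null -eq $value -and (Test-Path $userKey)) {
            $v = (Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue).'1400'
            if ($null -ne $v) { $value = $v; $source = 'user' }
        }

        # Remediate only the Internet zone, and only when no policy already pins it.
        if ($Disable -and $zone -eq 3 -and $source -ne 'policy') {
            if (-not (Test-Path $userKey)) { New-Item -Path $userKey -Force | Out-Null }
            Set-ItemProperty -Path $userKey -Name '1400' -Value 3 -Type DWord
            $value  = 3
            $source = 'user (set now)'
        }

        [pscustomobject]@{
            Zone            = "$zone ($($zoneNames[$zone]))"
            ActiveScripting = $(if ($null -eq $value) { 'not set (zone default)' } else { $stateNames[[int]$value] })
            Source          = $source
        }
    }
}

# Report only; add -Disable to turn Active scripting off for the Internet zone.
Get-IEActiveScriptingState | Format-Table -AutoSize
```

A policy-sourced row means the setting is controlled by Group Policy and a user-level change would be overridden at the next policy refresh.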
