Message-ID: <4148C9E6.6090001@free.fr>
Date: Thu, 16 Sep 2004 01:01:58 +0200
From: cns <cns@...e.fr>
To: bugtraq@...urityfocus.com
Subject: IE6 + XP SP2 Vulnerability


Background information
======================

Windows XP Service Pack 2 has introduced new features that improve
browsing security in Internet Explorer. Most of them are additional
prompts that require the user to confirm actions taken by the
browser. Most of these prompts are displayed in the new Information
Bar. For example, if you open a web page that contains JavaScript
code or ActiveX objects, they will most likely be blocked; the
Information Bar then appears and offers to reload the page with the
untrusted components enabled.

More information can be found at:
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2brows.mspx

The side effect of these features is that some web sites can't be used
as easily as before because the user has to respond to an increasing
number of notifications and questions.


Vulnerability Explained
=======================

As an example I created a simple XHTML document containing MathML and
installed the MathPlayer ActiveX plugin from DesignScience
(http://www.dessci.com/en).
This type of document used to render correctly in IE6, but since SP2 was
installed the new features interfere with the loading of the component:
the page is first loaded without MathPlayer, which has to be enabled via
the Information Bar.

But there seems to be a vulnerability in Internet Explorer that allows
this protection to be bypassed. All that needs to be done is to add a
fake comment between the DOCTYPE declaration and the <html> tag that
mimics the one IE itself adds when a page is saved to disk. The "fake"
comment must be formatted as follows:

<!-- saved from url=(XXXX)URL -->

where URL is to be replaced by a URL
(for instance http://www.example.com/)
and XXXX by a zero-padded 4-digit integer giving the number
of characters in the URL (for instance 0023).


System Affected
===============

Windows XP Pro and Home editions with SP2
IE 6.0 (SP2)


How to reproduce
================

Install the plugin from DesignScience. Paste the following text into a
file with an .xml extension. Open it in IE both with and without the
comment on line 4.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1 plus MathML 2.0//EN"
                "http://www.w3.org/TR/MathML2/dtd/xhtml-math11-f.dtd">
<!-- saved from url=(0023)http://www.example.com/ -->
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>IE Vulnerability example</title>
</head>
<body>
<math displaystyle="true" xmlns="&mathml;">
<mfrac>
<mn>27</mn>
<mn>12</mn>
</mfrac>
</math>
</body>
</html>
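For defenders triaging saved or served pages, the comment format described above can be checked mechanically. The following script is an added example and not part of the original advisory; the regular expression, the whitespace tolerance and the triage rule in is_suspicious are assumptions of this example, and the sample document is constructed after the proof of concept above.

```python
import re
from typing import Dict, List, Optional

# Shape of the comment the advisory describes: "saved from url=(NNNN)URL",
# NNNN being a zero-padded 4-digit count of the URL's characters. The regex
# and the tolerance for surrounding whitespace are assumptions of this example.
MOTW_RE = re.compile(r"<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->", re.IGNORECASE)
ROOT_RE = re.compile(r"<html\b", re.IGNORECASE)


def find_motw_comments(doc: str) -> List[Dict]:
    """Return every Mark-of-the-Web style comment in doc with two checks:
    whether the declared length matches the URL, and whether the comment
    sits before the root element, which is where the advisory places it."""
    root = ROOT_RE.search(doc)
    root_pos = root.start() if root else len(doc)
    hits = []
    for m in MOTW_RE.finditer(doc):
        declared, url = int(m.group(1)), m.group(2)
        hits.append({
            "declared_len": declared,
            "url": url,
            "length_ok": declared == len(url),
            "before_root": m.start() < root_pos,
        })
    return hits


def is_suspicious(doc: str, expected_origin: Optional[str] = None) -> bool:
    """Triage rule (an assumption of this example): flag a document whose
    pre-root MotW comment has a wrong length field, or names a URL that does
    not start with the origin the file was actually obtained from."""
    for h in find_motw_comments(doc):
        if not h["before_root"]:
            continue
        if not h["length_ok"]:
            return True
        if expected_origin is not None and not h["url"].startswith(expected_origin):
            return True
    return False


# Constructed sample modelled on the advisory's proof of concept.
SAMPLE = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1 plus MathML 2.0//EN"
  "http://www.w3.org/TR/MathML2/dtd/xhtml-math11-f.dtd">
<!-- saved from url=(0023)http://www.example.com/ -->
<html xmlns="http://www.w3.org/1999/xhtml"><head><title>t</title></head>
<body><p>x</p></body></html>
"""

if __name__ == "__main__":
    for hit in find_motw_comments(SAMPLE):
        print(hit)
    print("suspicious:", is_suspicious(SAMPLE, "http://intranet.example/"))
```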


Remarks
=======

This also works with pages containing Javascript code.


-- 
Cyrille SZYMANSKI

