Open Source and information security mailing list archives
Message-ID: <653D74053BA6F54A81ED83DCF969DF0815C25D@pivxes1.pivx.com>
From: tlarholm at pivx.com (Thor Larholm)
Subject: RE: MSIE Similar Method Name Redirection Cross Site/Zone Scripting    Vulnerability

Nice find :)

The problem does not rely on similarly named methods, rather it relies
on the trust access checks that IE performs on function calls in
disparate windows. 

When you try to alert each of the assign methods in your example their
core toString methods are called which return a static string, however
this is not used for comparison as each assign method still has its
own unique internal ID. Instead, IE tries to determine whether the
function call is safe based on the level of trust it has to the object
that the method resides on. Your approach enables a range of method
caching vulnerabilities by circumventing the object security check.

This can be demonstrated by creating a cached reference to the
location.assign method from the first window on the second window's
location object, not just on the location.assign method but also on the
location.replace method and the non-existent location.whatever property.
I have added such a demo at

http://www.pivx.com/research/2004/7/PaulsimilarMethodNameRedirection/test2.html



Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
23 Corporate Plaza #280
Newport Beach, CA 92660
http://www.pivx.com
thor@...x.com
Stock symbol: (PIVX.OB)
Phone: +1 (949) 231-8496
PGP: 0x4207AEE9
B5AB D1A4 D4FD 5731 89D6  20CD 5BDB 3D99 4207 AEE9

PivX defines a new genre in Desktop Security: Proactive Threat
Mitigation. 
<http://www.pivx.com/qwikfix>

 

-----Original Message-----
From: Paul [mailto:paul@...yhats.cjb.net] 
Sent: Sunday, July 11, 2004 8:34 AM
To: bugtraq@...urityfocus.com
Subject: MSIE Similar Method Name Redirection Cross Site/Zone Scripting
Vulnerability



Note: This vulnerability and many more can be found at
http://www.greyhats.cjb.net



SimilarMethodNameRedir

Automatic Remote Compromise



[Tested]

IEXPLORE.EXE file version 6.0.2800.1106

MSHTML.DLL file version 6.00.2800.1400

Microsoft Windows XP sp2 



[Discussion]

At first I thought this vulnerability had something to do with method
caching. It doesn't. It has to do with the security check that Internet
Explorer has in place. Apparently, if a function is redirected to a
function with the same name, it can be called without security
restrictions. If you want to see what I mean, try this:



<script>
// cache the assign method of this window and of a freshly opened window
var var1=location.assign;
alert("Assign function of the current window:\n"+var1);
var w=window.open("about:blank","_blank");
var var2=w.location.assign;
// do not reassign w here: alert() returns undefined and w is still needed below
alert("Assign function of the new window:\n"+var2);
w.close();
</script>





You should get two alerts describing the assign() function as being

function assign(){
[Native code]
}



Notice both functions appear to be the same. My guess is that Internet
Explorer checks the two function names and (maybe) the function code. If
it matches, Internet Explorer marks the function as safe. It doesn't,
however, take into account cross-window function calls. That's why
SimilarMethodNameRedir works. 



How bad is this problem? Critical. With minimal effort, a malicious
website owner could install viruses or spyware on the visitor's
computer. Because theoretically this should work with every function,
the only way that I can think of to fix the problem is to rewrite the
whole function security check that Internet Explorer has in place. The
best way to prevent this vulnerability is to either disable active
scripting or switch to a different browser ;). 



The example goes to google.com and executes JavaScript that displays a
message box with the location.href and the document.cookie attributes of
the window object. 



[Example]

http://freehost07.websamba.com/greyhats/similarmethodnameredir.htm
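To make the distinction drawn in this thread concrete, the following is a small model added to this archive page (it is not code from either poster): two simulated windows whose assign methods stringify identically, checked first by name and source text (the check Paul hypothesises) and then by the origin of the realm that owns the method (the check Thor describes). The names makeWindow, guardByName, guardByOrigin and demo, and the origins used, are constructed for illustration.

```javascript
// Model of the two checks the thread discusses. makeWindow, guardByName,
// guardByOrigin and demo are illustrative names, not Internet Explorer internals.
const realmOf = new WeakMap(); // method -> the simulated window that owns it

function makeWindow(origin) {
  const win = { origin, location: { href: origin + '/' } };
  for (const name of ['assign', 'replace']) {
    const fn = function (url) { win.location.href = url; return url; };
    // A distinct function object per window, but identical name and source
    // text, which is what the two alerts in the original test page show.
    Object.defineProperty(fn, 'name', { value: name });
    fn.toString = () => 'function ' + name + '() {\n    [native code]\n}';
    realmOf.set(fn, win);
    win.location[name] = fn;
  }
  return win;
}

// Flawed check (the behaviour Paul hypothesises): a cached method is trusted
// when its name and source text match the caller's own method of that name.
function guardByName(caller, cachedFn, url) {
  const own = caller.location[cachedFn && cachedFn.name];
  if (own && String(own) === String(cachedFn)) return { allowed: true, href: cachedFn(url) };
  return { allowed: false };
}

// Correct check (what Thor describes): trust follows the relationship between
// the caller and the realm that owns the object, regardless of method name.
function guardByOrigin(caller, cachedFn, url) {
  const owner = realmOf.get(cachedFn);
  if (owner && owner.origin === caller.origin) return { allowed: true, href: cachedFn(url) };
  return { allowed: false };
}

function demo() {
  const first = makeWindow('https://first.example');   // constructed origins
  const second = makeWindow('https://second.example');
  const cachedAssign = second.location.assign;   // reference cached from the other window
  const cachedMissing = second.location.whatever; // the non-existent property Thor mentions
  const target = 'https://second.example/page';
  return {
    byName: guardByName(first, cachedAssign, target).allowed,             // true: wrongly approved
    byOrigin: guardByOrigin(first, cachedAssign, target).allowed,         // false: denied
    missingByOrigin: guardByOrigin(first, cachedMissing, target).allowed, // false: denied
    sameWindow: guardByOrigin(second, cachedAssign, target).allowed,      // true: own window
  };
}
```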

