RE: Internet Explorer Document.Open() Without Close() Cookie Stealing, File Reading, Site Spoofing Bug

From: Dawes, Rogan (ZA - Johannesburg) (rdawesat_private)
Date: Wed Dec 19 2001 - 23:48:35 PST


    Affects latest 5.5 SP2 patched version on Win2k as well.
    
    PLUS, if you use an "https://" URL, it also shows THAT in the location bar.
    
    Naturally, there are no SSL indicators (padlock, Secure properties, etc.).
    
    For the paranoid among us (i.e. you have the alerts turned on), IE DOES warn
    that you are entering and then LEAVING a secure session, but the fact
    remains that the Location field shows "https://".
    
    Ooops!
    
    It doesn't seem to work for documents containing frames, however. 
    
    And you can get the logo to stop spinning by doing the document.close inside
    the timeout call. (If you look at the source of the spoofed page demo,
    you'll see what I mean.)
    
    Rogan
    
    
    > -----Original Message-----
    > From: the Pull [mailto:osioniusxat_private]
    > Sent: 20 December 2001 01:59
    > To: bugtraqat_private
    > Subject: Internet Explorer Document.Open() Without Close() Cookie
    > Stealing, File Reading, Site Spoofing Bug
    > 
    > Class: Failure to Handle Exceptional Conditions
    > Remote: Yes
    > Local: Yes
    > Found: December 19, 2001
    > Severity: High
    > Vulnerable: IE 6.0.2600.0000
    > + Windows 2000 Update Versions: Q312461; Q240308; Q313675
    > 
    > Discussion: By simply using the document.open method
    > and not using the document.close method you are able
    > to: steal cookies; read local files that are parsable
    > by IE (MIME type text/html, to be exact); and spoof
    > sites.
    > 
    > Exploits: http://www.osioniusx.com
    > 
    > "cookieStealing.html" - This opens Yahoo.com and
    > steals the cookie.
    > "FileReading.html" - This opens up C:\test.txt and
    > then reads it.
    > "SiteSpoofing.html" - This spoofs www.chase.com --
    > chase.com is in the url, the title, and there is a
    > link on the page to log on to your account which comes
    > back to www.osioniusx.com.
    > 
    > Potential Solution: Fix required on document.open
    > method.
    > 
    > Vendor Status: Emailed to "Secureat_private". 
    This archive was generated by hypermail 2b30 : Thu Dec 20 2001 - 14:24:30 PST