IE: Remote webpage can script in local zone

From: Andreas Sandblad (sandbladat_private)
Date: Sat Mar 30 2002 - 07:34:50 PST

    ---..---..---..---..---..---..---..---..---..---..---..---..---
    Title:    IE: Remote webpage can script in local zone.
    Date:     [2002-03-30], Microsoft received information about
              the bug over a month ago (17/2-02).
    Software: Internet Explorer 6.0, 5.5, 5.01
    Rating:   Critical (according to Microsoft)
    Patch:    Microsoft released a patch 28 march,     _     _
              "Microsoft Security Bulletin MS02-015" o' \,=./ `o
    Author:   Andreas Sandblad, sandbladat_private     (o o)
    ---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo--
    
    The patch Microsoft made available only solves part of the issues I
    reported to them, therefore the details in this report will be very
    limited. When Microsoft releases their next patch fixing the rest of the
    issues, you will get full disclosure.
    
    ::: DESCRIPTION :::
    In order for IE to parse a local file as an HTML document, the filename
    extension must be associated with HTML documents (normally .htm and
    .html), and the file must not be binary. This restriction matters for
    security because several kinds of user data, much of it written from
    attacker-influenced input, are stored in local text files (cookies,
    favorites/bookmarks, application user data, etc.). The problem is that IE
    can be tricked into treating any non-binary local file as an HTML
    document.
    
    ::: ATTACK :::
    The cookie attack:
    A cookie containing HTML code is set on the user's system. Using the
    trick, IE can be made to load the cookie file as an HTML document. Once
    loaded, it operates in the local zone.
    
    The favorite/bookmark attack:
    Assume a user accepts to add a favorite/bookmark. If HTML code is placed
    in the favorite's URL, the favorite file can then be loaded in the same
    way as in the cookie attack. The file will operate in the local zone.
    
    Winamp attack (if Winamp is installed):
    Winamp stores the current playlist in "c:/program files/winamp/winamp.m3u".
    The playlist contains the artist name and song title of each track. If
    HTML code is injected into the artist/title of an MP3 file that is loaded
    remotely, the new playlist file is saved with that HTML code in it. Using
    the trick, the local playlist file can be loaded and will operate in the
    local zone. Since the playlist file also contains the exact path to the
    "Temporary Internet Files" folder, the old ".chm help file attack" can
    then be used to run arbitrary code.
    
    ::: ABOUT THE PATCH :::
    The patch released by Microsoft doesn't address the actual problem: it
    simply disallows local files in the cookie directory from scripting in the
    local zone. It doesn't take care of the underlying issue that IE can be
    tricked into parsing any non-binary file as an HTML document.
    
    So here is what we still can do:
    - the favorite/bookmark attack.
    - the Winamp attack, if Winamp is installed.
    - use the cookie attack to read other cookie files, thus retrieving the
      content of other cookies.
    
                                                       _     _
                                                     o' \,=./ `o
                                                        (o o)
    ---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo--
    Andreas Sandblad,
    student in Engineering Physics at the University of Umea, Sweden.
    -/---/---/---/---/---/---/---/---/---/---/---/---/---/---/---/-
    
    Greetings: Sophie, Johan, Tobbe, MrKvant, MackanB, Hawkan,
               Ingesson, Batman, Iceman, CM, Banjo, Dj28, Tys0n,
               Cc-opers, Pink Caravan...
    



    This archive was generated by hypermail 2b30 : Tue Apr 02 2002 - 22:28:58 PST