GreyMagic Security Advisory GM#011-IE ===================================== By GreyMagic Software, Israel. 15 Oct 2002. Available in HTML format at http://security.greymagic.com/adv/gm011-ie/. Topic: Internet Explorer : The D-Day. Discovery date: 26 Sep 2002. Affected applications: ====================== Microsoft Internet Explorer 5.5 and 6.0; prior versions and IE6 SP1 are not vulnerable. Note that any other application that uses Internet Explorer's engine (WebBrowser control) is affected as well (Outlook under the Internet zone, MSN Explorer, etc.). Introduction: ============= The <frame> and <iframe> elements may contain URLs in other domains or protocols, and therefore have strict security rules, which prevent frames in one domain to access content and information in another. Microsoft explains the issue in this Cross-Frame Scripting article - http://msdn.microsoft.com/workshop/author/om/xframe_scripting_security.asp. There are several ways to refer to an <iframe>'s (or <frame>) document in Internet Explorer (assuming <iframe id="oFrameId">): * oFrameId.document * document.all.oFrameId.contentWindow.document * frames.oFrameId.document * And others.. All these methods are handled correctly by Internet Explorer and prevent any attempt to access a document that originates from a foreign domain. Discussion: =========== The <iframe> and <frame> elements are really instances of the WebBrowser control supplied by Microsoft. The WebBrowser control exposes several potentially dangerous properties by default, which Microsoft overrides in Internet Explorer. However, Microsoft missed out on one important property -- "Document", with a capital "D". Normally, using "oElement.document" would provide a reference to the document that owns the current element. The same applies to the <frame> and <iframe> elements. However, we discovered that when "oIFrameElement.Document" is used, the returned document is the one contained inside the frame, and there are no security restrictions in place to check if it's in a different domain. This provides free and full access to the frame's Document Object Model, which allows an attacker to steal cookies from any site, gain access to content in sites (forging content), read local files and execute arbitrary programs on the client's machine (script in the "My Computer" zone). Both Internet Explorer 5.5 SP2 and Internet Explorer 6 are vulnerable, but surprisingly this vulnerability does not exist in IE6 SP1. It's hard to believe that Microsoft actually meant to plug it as IE5.5 remains vulnerable, yet somehow this stray property is now protected. Exploit: ======== This exploit demonstrates how an attacker may choose to read the client's "google.com" cookie. <script language="jscript"> onload=function () { // Timer necessary to prevent weird behavior in some conditions setTimeout( function () { alert(document.getElementById("oVictim").Document.cookie); }, 100 ); } </script> <iframe src="http://google.com" id="oVictim"></iframe> Solution: ========= Until a patch becomes available either disable Active Scripting or upgrade to IE6 SP1. Tested on: ========== IE5.5 Win98. IE5.5 NT4. IE6 Win98. IE6 Win2000. IE6 WinXP. Demonstration: ============== We put together four proof-of-concept demonstrations: * Simple: Reads the client's "google.com" cookie. * D-Day Console: Automatically load and execute commands on any site. * D-Day Reading: Read local files by accessing a res:// URL. * D-Day Execution: Execute arbitrary programs by accessing a res:// URL. They can all be found at http://security.greymagic.com/adv/gm011-ie/. Feedback: ========= Please mail any questions or comments to securityat_private - Copyright © 2002 GreyMagic Software.
This archive was generated by hypermail 2b30 : Tue Oct 15 2002 - 11:17:11 PDT