Re: MSIE:"SaveRef" cracks "(VictimWindow).document.write"

From: jelmer (jelmerat_private)
Date: Mon Oct 21 2002 - 09:38:22 PDT

    It throws a permission denied exception on my MSIE 6 SP1 + all patches in place.
    MSIE 6.0.2600.0000 is way old.
    
    --
      jelmer
    
    
    
    
    ----- Original Message -----
    From: "Liu Die Yu" <liudieyuinchinaat_private>
    To: <bugtraqat_private>
    Sent: Monday, October 21, 2002 4:16 PM
    Subject: MSIE:"SaveRef" cracks "(VictimWindow).document.write"
    
    
    >
    >
    > [title]MSIE:"SaveRef" cracks "(VictimWindow).document.write"
    >
    > [digest]
    > MSIE: you can always call "(VictimWindow).document.write" regardless of its
    > zone if you have its reference.
    > (please read "[more?]" section; i think it's important.)
    >
    > [tested]MSIEv6(CN version)
    > {IEXPLORE.EXE file version: 6.0.2600.0000}
    > {MSHTML.DLL file version: 6.00.2600.0000}
    > Win98
    >
    > [demo]
    > at
    > http://www16.brinkster.com/liudieyu/SaveRef_DocumentWrite/SaveRef_DocumentWrite-MyPage.htm
    > or
    > clik.to/liudieyu ==> SaveRef_DocumentWrite-MyPage section.
    >
    > [exp]
    > save the reference of "(NewWindow).document.write" when the zone
    > of "(NewWindow)" is yours. then you can call it via reference even if its
    > zone is not yours.
    >
    > simple, that's all.
    >
    > [more?]
    > i've read some doc about COM (Component Object Model) at MSDN.
    > MSDN says
    > "The server is primarily responsible for security-that is, for the most
    > part, the server determines whether it will provide a pointer to one of
    > its objects to a client"
    > (at "http://msdn.microsoft.com/library/default.asp?url=/library/en-us/com/comext_99df.asp")
    > this causes "Georgi Guninski"'s "(victimWindow).document" SaveRef flaw. i
    > guess the patch just plants a "security checker" in "window.document".
    >
    > but method-SaveRef is not that easy to patch since there are so many
    > methods in so many objects in so many APPLICATIONS(not only MSIE).
    > "SaveRef" may end up turning M$ off? ;)
    >
    > i don't know. please tell me your opinion via email.
    > (my physical work is all over, so reply in 24 hours)
    >
    > [contact]
    > liudieyuinchinaat_private
    > or
    > clik.to/liudieyu ===> "how to contact liu die yu" section
    >
    >
    >
    



    This archive was generated by hypermail 2b30 : Mon Oct 21 2002 - 14:43:36 PDT
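
An added example, not part of either message and not MSHTML code: a small JavaScript model of the design point the thread turns on, an access check made only when a reference is handed out versus one repeated on every call. The class, function and zone names are hypothetical and constructed for illustration.

```javascript
// Constructed model; FrameWindow, getDocument and the zone names are hypothetical.
class FrameWindow {
  constructor(zone, checkOnCall) {
    this.zone = zone;               // zone of the content currently loaded
    this.checkOnCall = checkOnCall; // true = re-validate on every invocation
    this.body = "";
  }
  navigate(zone) { this.zone = zone; this.body = ""; }

  assertSameZone(callerZone) {
    if (callerZone !== this.zone) throw new Error("Permission denied");
  }

  // The check here runs once, when the reference is handed out: the
  // "server decides whether to provide a pointer" model quoted from MSDN.
  getDocument(callerZone) {
    this.assertSameZone(callerZone);
    const win = this;
    return {
      write(text) {
        // Hardened variant: validate the caller against the zone the
        // window has now, not the zone it had when the reference was taken.
        if (win.checkOnCall) win.assertSameZone(callerZone);
        win.body += text;
      },
    };
  }
}

// Reports what a caller holding a saved write reference can do after the
// window has navigated to content in another zone.
function savedReferenceOutcome(checkOnCall) {
  const win = new FrameWindow("internet", checkOnCall);
  const savedWrite = win.getDocument("internet").write; // taken while zones match
  win.navigate("local");                                // zones now differ
  let fresh, saved;
  try { win.getDocument("internet"); fresh = "allowed"; }
  catch (e) { fresh = e.message; }
  try { savedWrite("x"); saved = "allowed"; }
  catch (e) { saved = e.message; }
  return { fresh, saved, body: win.body };
}

console.log("check at hand-out only:", savedReferenceOutcome(false));
console.log("check on every call:   ", savedReferenceOutcome(true));
```

In the first run a fresh request for the document is refused while the saved reference still writes; in the second both are refused, which is why a check placed only on the accessor does not cover method references obtained earlier.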