SecurityTracker.com
Category:  Application (Web Browser)  >  Internet Explorer (IE)
Vendors:  Microsoft
(Patch Reportedly Does Not Fully Fix the Flaw) Re: Microsoft Internet Explorer Browser Security Zone Flaw Lets Remote Users Cause Cookie-based Scripts to Be Executed on Another User's Browser in the Incorrect Security Domain
Date:  Apr 3 2002
Impact:  Execution of arbitrary code via network, User access via network
Exploit Included:  Yes
Vendor Confirmed:  Yes
Version(s): 5.01, 5.5, 6.0
Description:  Microsoft reported a vulnerability in the Internet Explorer (IE) web browser. A remote user could cause a malicious script embedded within a cookie to be executed on another user's browser. The script would be (incorrectly) executed in the local security zone.

In the original alert, it was reported that IE incorrectly allows scripts embedded within cookies to be run in the Local Computer zone rather than the same zone as the web site with which the cookie is associated. A remote user could reportedly place a malicious script in a cookie that would be saved to another user's hard disk (when the other user visits a malicious web site). When the cookie is opened by the malicious site, the script would then be executed in the Local Computer zone. The Local Computer zone may have fewer restrictions than other security zones.

The vendor has issued patches for this vulnerability. However, it is reported that the patches do not fully correct the underlying flaw. A remote user can cause a target user to execute code contained in a 'favorite' URL if the remote user can get the target user to add a particular URL as a 'favorite' (i.e., bookmark). The executed code will run in the Local security zone.

A remote user can also reportedly exploit the flaw using Winamp, if Winamp is installed. In a similar manner as described with the 'favorites' above, a remote user could inject HTML code with active scripting into the 'artist' or 'title' fields of an MP3. Then, because Winamp stores the artist and title information in the Winamp playlist, if the target user opens the maliciously titled MP3 file using Winamp, the playlist code will be executed and run in the Local security zone.

Impact:  A remote user could cause arbitrary script code to be executed on another user's browser when the other user visits the remote user's malicious web site. The script would incorrectly run in the Local Computer context with the privileges of the target (victim) user.
Solution:  The vendor has released patches (see the Message History for the original alert containing the patch information). However, it is reported that these patches do not fully fix the flaw (as discussed in the 'Description' section).
Vendor URL:  www.microsoft.com/technet/security/bulletin/MS02-015.asp
Cause:  Access control error, State error
Underlying OS:  Windows (Any)
Reported By:  Andreas Sandblad <sandblad@acc.umu.se>
Message History:   This archive entry is a follow-up to the message listed below.
Mar 29 2002 Microsoft Internet Explorer Browser Security Zone Flaw Lets Remote Users Cause Cookie-based Scripts to Be Executed on Another User's Browser in the Incorrect Security Domain
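The Description above names two text-based local files that carry user-controlled strings into the Local Computer zone: a Winamp playlist (artist/title fields) and an Internet Shortcut favorite (the URL field). As an added defensive illustration, not part of the SecurityTracker entry or of Sandblad's report, the Python below scans both kinds of file for markup that has no business in a data field (tags, inline event handlers, script URL schemes). The sample playlist and shortcut contents are constructed; the extended-M3U `#EXTINF:` line format and the INI-style `.url` layout are assumed from general knowledge of those formats, and the marker list is a heuristic of my own, not anything Microsoft or Winamp ship.

```python
"""Heuristic scan of text-based local data files for planted HTML.

Added example for the advisory above: flags HTML/script markup inside
a Winamp .m3u playlist and inside an Internet Shortcut (.url) file,
the two carriers described in the Description section.
"""
import re
from typing import List, Tuple

# Markup that would turn a plain data file into something a browser
# could treat as an active HTML document. Heuristic list (assumption).
ACTIVE_HTML = re.compile(
    r"<\s*(html|script|iframe|object|embed|applet|body|img|meta|link|style)\b"
    r"|\bon[a-z]{2,}\s*="      # inline event handlers such as onload=
    r"|javascript\s*:"
    r"|vbscript\s*:",
    re.IGNORECASE,
)


def find_active_html(text: str) -> List[str]:
    """Return the distinct suspicious fragments found in one string."""
    return sorted({m.group(0) for m in ACTIVE_HTML.finditer(text)})


def scan_m3u(playlist: str) -> List[Tuple[int, str, List[str]]]:
    """Scan an extended M3U playlist line by line.

    Returns (line_number, line, fragments) for every line carrying
    markup; a clean playlist yields an empty list.
    """
    findings = []
    for number, line in enumerate(playlist.splitlines(), start=1):
        hits = find_active_html(line)
        if hits:
            findings.append((number, line, hits))
    return findings


def scan_url_shortcut(shortcut: str) -> List[Tuple[str, List[str]]]:
    """Scan an INI-style .url file; report keys whose value carries markup."""
    findings = []
    for line in shortcut.splitlines():
        if "=" not in line or line.lstrip().startswith("["):
            continue  # section header or malformed line
        key, value = line.split("=", 1)
        hits = find_active_html(value)
        if hits:
            findings.append((key.strip(), hits))
    return findings


# Constructed sample playlist: one ordinary entry followed by one whose
# title field carries a script tag (the vector the advisory describes).
SAMPLE_M3U = "\n".join([
    "#EXTM3U",
    "#EXTINF:214,Some Artist - Ordinary Song",
    "C:\\Music\\ordinary.mp3",
    "#EXTINF:180,<script>x()</script> - Title",
    "C:\\Temp\\Temporary Internet Files\\track.mp3",
])

# Constructed Internet Shortcut files: one with markup in the URL, one clean.
SAMPLE_URL = "\n".join([
    "[InternetShortcut]",
    "URL=http://example.com/<script>x()</script>",
    "IconIndex=0",
])
SAMPLE_BENIGN_URL = "[InternetShortcut]\nURL=http://example.com/page?a=1&b=2\n"


if __name__ == "__main__":
    for number, line, hits in scan_m3u(SAMPLE_M3U):
        print(f"playlist line {number}: {hits} in {line!r}")
    for key, hits in scan_url_shortcut(SAMPLE_URL):
        print(f"shortcut key {key}: {hits}")
    print("benign shortcut findings:", scan_url_shortcut(SAMPLE_BENIGN_URL))
```

The point of the check is that a playlist title or a favorite's URL should never contain an HTML tag or a `javascript:` scheme, so any hit is worth looking at regardless of whether the browser-side parsing bug is patched; the same functions can be pointed at the real `winamp.m3u` and the files in a user's Favorites folder by reading them into strings first.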



Source Message Contents

Date:  Sat, 30 Mar 2002 16:34:50 +0100 (CET)
From:  Andreas Sandblad <sandblad@acc.umu.se>
Subject:  IE: Remote webpage can script in local zone


---..---..---..---..---..---..---..---..---..---..---..---..---
Title:    IE: Remote webpage can script in local zone.
Date:     [2002-03-30], Microsoft received information about
          the bug over a month ago (17/2-02).
Software: Internet Explorer 6.0, 5.5, 5.01
Rating:   Critical (according to Microsoft)
Patch:    Microsoft released a patch 28 march,     _     _
          "Microsoft Security Bulletin MS02-015" o' \,=./ `o
Author:   Andreas Sandblad, sandblad@acc.umu.se     (o o)
---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo--

The patch Microsoft made available only solves part of the issues I
reported to them, therefore the details in this report will be very
limited. When Microsoft releases their next patch fixing the rest of the
issues, you will get full disclosure.

::: DESCRIPTION :::
In order for IE to parse a local file as an html document the filename
extension must be associated with html documents (normally .htm and
.html). Also the file cannot be binary. This is good security because
several types of user data are stored in local files (cookies,
favorites/bookmarks, application user data etc). The problem is that IE
can be tricked into thinking that any non-binary local file is an html
document.

::: ATTACK :::
The Cookie attack:
A cookie containing html code is set on the user's system. Using the trick
we can make IE load the cookie file as an html document. Once loaded it
will operate in the local zone.

The favorite/bookmark attack:
Assume a user accepts to add a favorite/bookmark. If we placed html code
in the favorite's url, we can then load the favorite file in the same way
as in the cookie attack. The file will be operating in the local zone.

Winamp attack (if Winamp is installed):
Winamp stores the current playlist in "c:/program files/winamp/winamp.m3u".
The playlist will contain artist name and song title. If we inject html
code in the artist/title of an mp3 file that is loaded remotely, the new
playlist file will be saved together with the html code. Using the trick
the local playlist file can be loaded and operate in the local zone. Since
the playlist file will contain the exact path to the "temporary internet
folder", we can, using the old ".chm helpfile attack", run arbitrary code.

::: ABOUT THE PATCH :::
The patch released by Microsoft doesn't address the actual problem, because
it simply disallows local files in the cookie directory to script in the
local zone. It doesn't take care of the issue that IE can be tricked to
parse any non-binary file as an html document.

So here is what we still can do:
- the favorite/bookmark attack.
- the Winamp attack if Winamp is installed.
- use the cookie attack to read other cookie files, thus retrieving the
content of other cookies.

                                                   _     _
                                                 o' \,=./ `o
                                                    (o o)
---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo--
Andreas Sandblad,
student in Engineering Physics at the University of Umea, Sweden.
-/---/---/---/---/---/---/---/---/---/---/---/---/---/---/---/-

Greetings: Sophie, Johan, Tobbe, MrKvant, MackanB, Hawkan,
           Ingesson, Batman, Iceman, CM, Banjo, Dj28, Tys0n,
           Cc-opers, Pink Caravan...
Copyright 2002, SecurityGlobal.net LLC