Microsoft Internet Explorer Access Control Flaw in popup.show() Lets Remote Users Execute Mouse-Click Actions
|
|
SecurityTracker Alert ID: 1010679 |
|
SecurityTracker URL: http://securitytracker.com/id/1010679
|
|
CVE Reference:
CAN-2004-0839, CAN-2004-0841
(Links to External Site)
|
Updated: Sep 14 2004
|
Original Entry Date: Jul 12 2004
|
Impact:
Execution of arbitrary code via network, User access via network
|
Exploit Included: Yes
|
Version(s): 6; Tested on 6.0.2800.1106
|
Description:
A vulnerability was reported in Microsoft Internet Explorer in popup.show(). A remote user can take arbitrary mouse-based actions on the target system.
Paul from GreyHats Security Group reported that a remote user can create HTML that uses the popup.show() function with the 'on mousedown' event to take mouse-based actions on the target user's system [CVE: CAN-2004-0841].
A demonstration exploit is available at:
http://freehost07.websamba.com/greyhats/hijackclick3.htm
http-equiv subsequently reported that this vulnerable function can be used in conjunction with the previously reported "shell://" vulnerability to execute arbitrary code on the target user's system.
Some demonstration exploit code is provided:
<img src="greyhat.html" id=anch
onmousedown="parent.nsc.style.width=2000;parent.nsc.style.height=
2000;parent.pop.show(1,1,1,1);parent.setTimeout('showalert
()',3000);" style="width=168px;height=152px;background-image:url
('youlickit.gif');cursor:hand" title="click me!"></a>
location="shell:favorites\\greyhat[1].htm"
A demonstration exploit is available at:
http://www.malware.com/paul.html
On August 18, 2004, http-equiv provided an additional exploit example [CVE: CAN-2004-0839], available at:
http://www.malware.com/wottapoop.html
When this exploit example is followed, an executable file will be placed in your Windows Startup folder. Some user interaction is required in the example, but comments in the code note that it may be possible to automate the exploit.
|
Impact:
A remote user can create HTML that will execute mouse-click actions on the target user's computer.
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: www.microsoft.com/technet/security/ (Links to External Site)
|
Cause:
Access control error
|
Underlying OS:
Windows (Any)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: 11 Jul 2004 15:53:15 -0000
Subject: HijackClick 3
|
Note: This vulnerability as well as several more can be found at http://www.greyhats.cjb.net
HijackClick 3!!!
Took the name from Liu Die Yu :)
[Tested]
IEXPLORE.EXE file version 6.0.2800.1106
MSHTML.DLL file version 6.00.2800.1400
Microsoft Windows XP sp2
[Discussion]
The HijackClick series have been used to force a drag and drop event simply from the user clicking a something. This is done by moving
the window when onmousedown fires. Previously, window.moveBy/To has been used. This has been patched. Apparently, window.resizeBy/To
would work too because it gives access denied if it tries to execute when onmousedown fires. Microsoft just disabled those functions
from being called when the mouse button is down and called it patched. No more hijackclick, right?
Wrong.
Popup.show() allows you to show a popup with desired left, top, height, and width values. The show() function doesnt give access denied
when we call it on mousedown. Let's try it with a link on a popup. I'll make show() move the popup off the screen. Does it work?
Yes, it changes the cursor. Good. A drag event just took place. With a little fine-tuning, we can make it show the popup on loading
of the main window, move the popup and show a favorites list on mousedown, and set a timer to hide the favorites list and taunt the
victim who just got tricked into adding a link of our choice to their favorites list :).
[Example]
http://freehost07.websamba.com/greyhats/hijackclick3.htm
And when you patch this one, Microsoft, please remember to patch the show() function method cache part, too. You don't want HijackClick4,
do you? ;)
|
|
