Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-disclosure] [scip_Advisory 1746] Microsoft Internet Explorer 6

from [tim tompkins] Network Security [Permanent Link]
Subject: Re: [Full-disclosure] [scip_Advisory 1746] Microsoft Internet Explorer 6.0 embedded content cross site scripting
Date: Thu, 22 Sep 2005 20:28:49 -0700
I discovered something similar recently, though, where a *valid* jpg containing an XML header was issued to IE (via a direct link to the image) with a content-type of application/octet-stream and IE attempted to render the XML rather than rendering the image (or prompting for an action by the user, which is what I was going for). IE subsequently issued an error indicating that it was unable to render the XML page (although it was a jpeg image with a .jpg extension).

While this may not be a direct threat if the server is sending the correct content-type, it could be a threat otherwise. This, being untested speculation, would require testing to see exactly what you can get IE to do with embedded code.


Regards,
Tim Tompkins



Brion Vibber wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Marc Ruef wrote:
| III. EXPLOITATION
|
| The following proof-of-concept has been published in the articles "Wie
| mit GIF-Bildern Cross Site Scripting-Angriffe im Internet Explorer
| umgesetzt werden können" in scip monthly Security Summary Issue 19.
| September 2005 (pp. 12-14)[1] and "GIF-Bug im Internet Explorer 6 -
| Proof of Concept" at computec.ch[2]:
|
|     01 <GIF89aŸ 8 ÷™fÿ™™>

The reason that this works in this case is that this is *not* a GIF
header; GIF headers do not begin with "<". It is well known that IE will
interpret files as HTML that contain certain HTML tags if a another type
detection doesn't override it.

For Microsoft's vague documentation on this process, see:
http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp 


If you remove the "<" at the beginning, then IE will detect the GIF
signature, overriding its HTML detection, and show a 'broken image' icon
with no interpretation of JavaScript.

(Tested MSIE 6.0.2900.2180.xpsp_sp2)

However the advice is good; as a general rule sites accepting uploads
should validate them as carefully as possible, as IE may not recognize
all file types properly. Invalid image file headers and HTML-like tags
near the start of a file should be considered suspicious.

- -- brion vibber (brion @ pobox.com)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDMyh1wRnhpk1wk44RAtoDAJ9QIJbNMXro7z3pFCzXuOy1Oz10gACfZxTd
OSITbHzoYn+T8Ozq0d6ZfQ4=
=Gm+c
-----END PGP SIGNATURE-----


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Full-disclosure] Re: Av, spyware, ddl trojan assesment, Nick FitzGerald
Next by Date:  [Full-disclosure] Secunia Research: 7-Zip ARJ Archive Handling Buffer Overflow, Secunia Research
Previous by Thread:  Re: [Full-disclosure] [scip_Advisory 1746] Microsoft Internet Explorer 6.0 embedded content cross site scripting, Brion Vibber
Next by Thread:  My Little Forum 1.5 / 1.6beta SQL Injection, retrogod
Indexes:  [Date] [Thread] [Top] [All Lists]