Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] [scip_Advisory 1746] Microsoft Internet Explorer 6.0 e

from [Marc Ruef] Network Security [Permanent Link]
Subject: [Full-disclosure] [scip_Advisory 1746] Microsoft Internet Explorer 6.0 embedded content cross site scripting
Date: Thu, 22 Sep 2005 20:30:38 +0200 
Microsoft Internet Explorer 6.0 embedded content cross site scripting

scip AG Vulnerability ID 1746 (09/22/2005)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=1746

I. INTRODUCTION

Microsoft Internet Explorer is since many years the most popular web
browser. The main reason for this popularity is the default use in the
latest releases of the Microsoft Windows operating system series.

More Information are available at the official Microsoft Internet
Explorer web site:

    http://www.microsoft.com/windows/ie/

II. DESCRIPTION

Sven Vetsch found a cross site scripting vulnerability in the current
releases of Microsoft Internet Explorer. Thus, it is possible to use a
manipulated embedded content to run arbitrary script code in the
security context of the website.

The problem lies in the handling of the content of such files (e.g. a
picture). In the first place the usual file header (e.g. for GIF files)
is provided - The remaining content of the file could be usual html
data. Therefore embedding script code in the latter may be possible.
This injected code is executed by the HTML rendering engine of the web
browser. In the proof-of-concept by Sven Vetsch and the examples of scip
AG a GIF file is used (see chapter III). But it seems other files that
could be embedded in an html file could be used too (e.g. JPG, WAV, AVI,
RM/RAM).

It seems that the Internet Explorer is putting all the data (HTML frame
and embedded content) into one stream. Afterwards this one is put thru
the rendering engine. This is not able to determine the real beginning
and end of an embedded file. Content of those - not expected in any way
- is handled as HTML code too.

More details are available at the scip vulnerability Database at
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=1746 (german only).

III. EXPLOITATION

The following proof-of-concept has been published in the articles "Wie
mit GIF-Bildern Cross Site Scripting-Angriffe im Internet Explorer
umgesetzt werden können" in scip monthly Security Summary Issue 19.
September 2005 (pp. 12-14)[1] and "GIF-Bug im Internet Explorer 6 -
Proof of Concept" at computec.ch[2]:

    01 <GIF89aŸ 8 ÷™fÿ™™>
    02 <html>
    03 <head>
    04 <script>
    05 alert("XSS");
    06 </script>
    07 </head>
    08 <body>
    09 </body>
    10 </html>

As you can see in the line 01 the usual GIF89a header is given. But the
following lines (02-10) come with common HTML and script code.

Successfull exploitation requires streaming the content (e.g. the web
site and the corrupted embedded content) from a web server over HTTP or
HTTPS. Running the exploit locally is not possible because the handling
of the data seems not to be the same.

IV. IMPACT

This seems to be a major problem. All web sites that allow the upload of
files to use in further use are affected. For instance auction web sites
as like eBay with a corrupted picture of the sell item or all board
pages with the functionality of an avatar upload.

V. DETECTION

An attack attempt is not easy to detect. Content screening may be able
to detect suspicous strings as like <script>. See chapter VI for more
details and counter-measures.

VI. WORKAROUND

End users should change to another web browser engine that is not
affected by this vulnerability. Successfull testings have been made with
free browsers as like Mozilla Firefox up to 1.0.5, Netscape up to 8.0
and Opera. All of them are not affected.

Web masters have to possibilities of preventing misuse of their systems:

(1) They could de-activate all upload and embedding (e.g. BBcode or HTML
code) in their web site.

(2) The other solution would be a content check of untrusted files if
they include scripting or html code. Strings as like <script> should
raise the alarm and let the data throw away. Regulary expression as used
in classical input validation of web applications can be applied here too.

VII. VENDOR RESPONSE

Microsoft has been informed in an early stage of elevation (see chapter
IX) at 07/31/05. There were no real verification of the threat and
danger in the response mail at 01/08/05.

We expect the vendor is addressing the issue with an emergency patch the
next few weeks/months. Tipp: Visit http://windowsupdate.microsoft.com on
a regulary base.

VIII. SOURCES

scip AG Vulnerability Database (german)
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=1746

scip monthly Security Summary, Issue 19. September 2005 (german)
http://www.scip.ch/publikationen/smss/

computec.ch document data base (german)
http://www.computec.ch/download.php?view.683

disenchant.ch advisory (german)
http://www.disenchant.ch/fileadmin/downloads/papers/dok_svetsch_20050812_02_gif_bug_im_ie6_poc.pdf

IX. DISCLOSURE TIMELINE

07/15/05 Sven Vetsch detects the flaw
07/28/05 Discussion between Sven Vetsch and scip AG how to disclose the
information
07/31/05 Sven Vetschs informs Microsoft
08/08/05 Semi-automated response by Microsoft
09/19/05 scip AG informes their registered Pallas and SMS customers[3]
09/19/05 Proof-of-concept published at computec.ch
09/19/05 Full article published in scip monthly Security Summary[1]
09/22/05 Public advisory

X. CREDITS

The vulnerability was discovered by Sven Vetsch.

    Sven Vetsch
    admin-at-disenchant.ch
    http://www.disenchant.ch

Further analysis and disclosure of this information has been done by
Marc Ruef at scip AG, Switzerland.

    Marc Ruef, scip AG
    maru-at-scip.ch
    http://www.scip.ch

A1. BIBLIOGRAPHY

[1] http://www.scip.ch/publikationen/smss/ (german)
[2] http://www.computec.ch/download.php?view.683 (german)
[3] http://www.scip.ch/dienstleistungen/pallas/ (german)

A2. LEGAL NOTICES

Copyright (c) 2005 by scip AG, Switzerland.

Permission is granted for the re-distribution of this alert. It may not
be edited in any way without permission of scip AG.

The information in the advisory is believed to be accurate at the time
of publishing. There are no warranties with regard to this information.
Neither the author nor the publisher accepts any liability for any
direct, indirect or consequential loss or damage from use of or reliance
on this advisory.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Full-disclosure] Call to Arms: Rita Scams, Gadi Evron
Next by Date:  My Little Forum 1.5 / 1.6beta SQL Injection, retrogod
Previous by Thread:  [Full-disclosure] Call to Arms: Rita Scams, Gadi Evron
Next by Thread:  Re: [Full-disclosure] [scip_Advisory 1746] Microsoft Internet Explorer 6.0 embedded content cross site scripting, Brion Vibber
Indexes:  [Date] [Thread] [Top] [All Lists]