IE allows universal Cross Site Scripting (TL#002)

Source: vulners.com (SECURITYVULNS:DOC:2781), published 17 April 2002

Thor Larholm security advisory TL#002

By Thor Larholm, Denmark.
16 April 2002

HTML Format: http://jscript.dk/adv/TL002/

Topic: IE allows universal Cross Site Scripting.

Discovery date: 18 March 2002.

Severity: High

Affected applications:

Any application that hosts the WebBrowser control (IE6+). Some of these are:

Microsoft Internet Explorer
Microsoft Outlook
Microsoft Outlook Express

Impact:

Elevating privileges, hijacking the MSN Messenger client, running script in
the My Computer zone, arbitrary command execution, etc.

Introduction:

Among its extensive functionality, IE employs a set of useful methods to
display dialog windows. These, the showModalDialog and showModelessDialog
methods, can transfer objects from the originating page to the page being
displayed inside the dialog, by use of the dialogArguments property.

Discussion:

The dialogArguments property tries to prevent interaction between remote
pages by comparing the location of the originating page with that of the
dialog page.

When a dialog window (e.g. res://shdoclc.dll/policyerror.htm) is opened from
another protocol, port or domain (e.g. http://jscript.dk), the validation
code in IE ensures that no objects are transferred, so no interaction is
possible. When both pages share the same protocol, port and domain, the
validation code allows interaction.

Unfortunately, the validation code only checks the original URL instead of
the final URL. It is therefore possible to bounce an HTTP redirect from the
originating site to the desired dialog page, after which interaction is
allowed.

It is worth noting that this is not in any way limited to the RES://
protocol. The flawed dialogArguments property also allows interaction
between different domains (e.g. YAHOO.COM to MICROSOFT.COM), different
protocols (HTTP to HTTPS, HTTP to FILE, etc.) and different ports (port 80
to port 21, port 80 to port 25, etc.)

For the sake of demonstration, we take a look at shdoclc.dll, which contains
several resources in the HTML category, labelled POLICYERROR.HTM,
POLICYLOOKING.HTM, POLICYNONE.HTM and POLICYSYNTAXERROR.HTM. These files
contain the following script code:

    // The url passed via dialogArguments is used without any validation
    var site =  window.parent.dialogArguments.url;

    function printSite()
    {
        // ...and written straight into the document as HTML
        document.write( site);
    }

Exploit:

    <script>
    var sCode = '<'+'script>alert("This is running from: " + location.href);top.close()</'+'script>';
    window.showModalDialog("redirect.asp", {url:sCode})
    </script>

Redirect.asp contains:

    <%@Language=Jscript%><%
    Response.Redirect("res://shdoclc.dll/policyerror.htm");
    %>

Solution: (for MS)

Fix the faulty validation routine in dialogArguments.
Include input validation in resource files.
Also, fixing the incomplete MS02-015 patch will ensure that this specific
command execution vulnerability does not reoccur when the next cross-site
scripting (CSS) issue is uncovered.

Solution: (for users)

Disable scripting.

Tested on:

IE6sp1 Win2000 SP2, with all patches.
IE6sp1 Windows 98, with all patches.
IE6sp1 Windows 98 SE, with all patches.

Demonstration:

I have put together some proof-of-concept examples:

  • Simple static examples: Demonstratory fixed code
  • Advanced example: Input arbitrary script code
  • Hijacking MSN Messenger: An updated version of a previous bulletin
  • Executing arbitrary commands: How CodeBase was not fixed

These can be found at http://jscript.dk/adv/TL002/

Vendor status:

Microsoft was notified on 18 March 2002 and was able to reproduce the issue
consistently.
As of 16 April 2002 they are investigating whether to address this in an
upcoming cumulative patch.

Regards
Thor Larholm
Jubii A/S - Internet Programmer