HijackClick 3
Note: This vulnerability as well as several more can be found at
http://www.greyhats.cjb.net
HijackClick 3!!!
Took the name from Liu Die Yu :)
[Tested]
IEXPLORE.EXE file version 6.0.2800.1106
MSHTML.DLL file version 6.00.2800.1400
Microsoft Windows XP sp2
[Discussion]
The HijackClick series have been used to force a drag and drop event simply
from the user clicking a something. This is done by moving the window when
onmousedown fires. Previously, window.moveBy/To has been used. This has been
patched. Apparently, window.resizeBy/To would work too because it gives access
denied if it tries to execute when onmousedown fires. Microsoft just disabled
those functions from being called when the mouse button is down and called it
patched. No more hijackclick, right?
Wrong.
Popup.show() allows you to show a popup with desired left, top, height, and
width values. The show() function doesnt give access denied when we call it on
mousedown. Let's try it with a link on a popup. I'll make show() move the popup
off the screen. Does it work? Yes, it changes the cursor. Good. A drag event
just took place. With a little fine-tuning, we can make it show the popup on
loading of the main window, move the popup and show a favorites list on
mousedown, and set a timer to hide the favorites list and taunt the victim who
just got tricked into adding a link of our choice to their favorites list :).
[Example]
http://freehost07.websamba.com/greyhats/hijackclick3.htm
And when you patch this one, Microsoft, please remember to patch the show()
function method cache part, too. You don't want HijackClick4, do you? ;)