MSIE Overly Trusted Location Variant Method Cache Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: MSIE Overly Trusted Location Variant Method Cache Vulnerability
From: Paul <paul@xxxxxxxxxxxxxxxx>
Date: 17 Jul 2004 03:06:57 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


This vulnerability as well as many more can be found at 
http://www.greyhats.cjb.net

Overly Trusted Location Variant Method Cache Vulnerability

[Tested]
IEXPLORE.EXE file version 6.0.2800.1106
MSHTML.DLL file version 6.00.2800.1400
Microsoft Windows XP sp1

[Discussion]
Apparently, Internet Explorer trusts the location variant way too much when it 
comes to method cache. As Thor Larholm pointed out to me, it isnt a problem of 
similar method name redirection, but a problem with the location variant. I 
have created a new vulnerability to demonstrate this. EvilChild creates a child 
popup on a new window. Then it redirects the page. As it's loading, the popup 
is shown and saves the ref of parent.window.open to location.cache. As soon as 
the evil child popup cannot access the parent.document, an error handler is 
fired calling parent.window.open to load javascript into the main window.

Example can be found at http://freehost07.websamba.com/greyhats/evilchild.htm

Prev by Date: RE: Trend Micro Officescan for Win2k strange behaviour
Next by Date: Re: Hotmail Cross Site Scripting Vulnerability
Previous by thread: SUSE Security Announcement: php4 (SUSE-SA:2004:021)
Next by thread: [FMADV] Format String Bug in OllyDbg 1.10
Index(es):
- Date
- Thread