IE UXSS (Universal XSS in IE, was Re: Microsoft Internet Information Services UTF-7 XSS Vulnerability [MS06-053])

To: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
Subject: IE UXSS (Universal XSS in IE, was Re: Microsoft Internet Information Services UTF-7 XSS Vulnerability [MS06-053])
From: Paul Szabo <psz@xxxxxxxxxxxxxxxxx>
Date: Mon, 2 Oct 2006 22:36:20 +1000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Eiji James Yoshida wrote in
http://lists.grok.org.uk/pipermail/full-disclosure/2006-October/049784.html
:

> If 'Encoding' is set to 'Auto Select', and Internet Explorer finds a UTF-7
> string in the response's body, it will set the charset encoding to UTF-7
> automatically ...
> Proof of concept:
> http://MaliciousSite/+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-...

I know that Apache servers return

  The requested URL /xyz was not found on this server.

when fetching http://apache.svr/xyz . Trouble is that IE shows a "custom"
error message, ignoring the error body. Pondering, see that

  http://en.wikipedia.org/wiki/HTTP_404

says:

> ... Internet Explorer will not display these pages, however, unless they
> are larger than 512 bytes. ...

This provides UXSS (Universal Cross-Site Scripting):

  http://apache.svr/+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-/ZZZ...

(with a couple of hundred Zs) will do what we want. Works for https also:

  https://apache.svr/+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-/ZZZ...

Can steal any Apache server (http or https) cookies. I do not have easy
access to ISS servers to test whether similar attacks would work there.

Will Apache fix (carefully escape) the error message? Will MS fix IE to
not be so over-friendly?

In the meantime, do not use IE to do anything "private" like banking...

Cheers,

Paul Szabo   psz@xxxxxxxxxxxxxxxxx   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia

Follow-Ups:
- Re: [Full-disclosure] IE UXSS (Universal XSS in IE, was Re: Microsoft Internet Information Services UTF-7 XSS Vulnerability [MS06-053])
  - From: Brian Eaton

Prev by Date: [security bulletin] HPSBUX02157 SSRT061220 rev.1 HP-UX Running Ignite-UX Server, Remote Unauthorized Access and Privilege Elevation
Next by Date: "POC 2006" by Korean hackers
Previous by thread: [security bulletin] HPSBUX02157 SSRT061220 rev.1 HP-UX Running Ignite-UX Server, Remote Unauthorized Access and Privilege Elevation
Next by thread: Re: [Full-disclosure] IE UXSS (Universal XSS in IE, was Re: Microsoft Internet Information Services UTF-7 XSS Vulnerability [MS06-053])
Index(es):
- Date
- Thread