GreyMagic Security Advisory GM#010-IE ===================================== By GreyMagic Software, Israel. 09 Sep 2002. Available in HTML format at http://security.greymagic.com/adv/gm010-ie/. Topic: Who framed Internet Explorer. Discovery date: 04 Aug 2002. Affected applications: ====================== Microsoft Internet Explorer 5.5 and above; prior versions are not vulnerable. Note that any other application that uses Internet Explorer's engine (WebBrowser control) is affected as well (Outlook, MSN Explorer, etc.). Introduction: ============= The <frame> and especially <iframe> (inline frame) elements are popular elements on many big web sites. <frame> elements have always been used and <iframe> elements recently became popular in ads and relative content, since they don't suffer from the same clumsiness regular <frame> elements suffer from. Most big sites will contain a <frame> or an <iframe> element somewhere inside them. Good examples are hotmail.com, google.com and microsoft.com. Frames may contain URLs in other domains or protocols, and therefore have strict security rules, which prevent frames in one domain to access content and information in another. Microsoft explains the issue in this Cross-Frame Scripting article - http://msdn.microsoft.com/workshop/author/om/xframe_scripting_security.asp. Discussion: =========== We discovered that it is possible for an attacker to execute script on any page that contains <frame> or <iframe> elements, ignoring any protocol or domain restriction set forth by Internet Explorer. This means that an attacker can steal cookies from almost any site, access and change content in sites and in most cases also read local files and execute arbitrary programs on the client's machine (script in the "My Computer" zone). After a web site gets loaded, it is still possible for an external domain to access its frames collection. That in itself is not helping the attacker, since the document object of these frames cannot be accessed directly. However, it is possible to set the frame's URL. Setting the child frame's URL to "javascript:[code]" will execute the script in the context of the currently loaded URL. This vulnerability will not work, however, if the child frame is in a different domain than the victim's, like most ads are. But even that doesn't stop this vulnerability from being exploited, an attacker can simply change the frame's URL to match its parent and then re-assign the "javascript:[code]" URL. In order to use this vulnerability to access the "My Computer" zone an attacker would have to find a local file or resource that contains a <frame> or an <iframe>. Fortunately for the attacker, Microsoft provided such a resource in Internet Explorer 6, and to make it even better, Microsoft also ironically named it "PrivacyPolicy.dlg". All an attacker needs to do in order to read local files and execute arbitrary programs is to load "res://shdoclc.dll/privacypolicy.dlg" and then change the URL of the frame it contains to the "javascript:[code]" URL. Luckily for Internet Explorer 5.5 users, "PrivacyPolicy.dlg" was only supplied in version 6 of the browser. However, Windows ships with several HTML files, in relatively static locations, that may contain frames. An attacker can run a simple scan on such known local files and when such a file is found the attacker can use it like "PrivacyPolicy.dlg" is used above Exploit: ======== This exploit shows how it is possible to read a user's cookie in google.com, it uses a new window to load the victim site, the child frame is Google's messages tree frame. <script language="jscript"> onload=function () { var oVictim=open("http://groups.google.com/groups?threadm=anews.Aunc.850","OurVi ctim","width=100,height=100"); setTimeout( function () { oVictim.frames[0].location.href="javascript:alert(document.cooki e)"; }, 7000 ); } </script> Solution: ========= Disable Active Scripting. Tested on: ========== IE5.5 Win98. IE5.5 NT4. IE6 Win2000. IE6 WinXP. Demonstration: ============== We put together four proof-of-concept demonstrations: * Simple: The example shown in the "Exploit" section. * "Who framed" Console: Automatically test any site for frames and execute commands on it. * Privacy, anyone? #1: Read local files using the privacypolicy resource or, if you own a prior version of IE, scan your disk for "standard" local files that contain frames in order to "bounce" to any local file from them. * Privacy, anyone? #2: Execute arbitrary programs using the privacypolicy resource or, if you own a prior version of IE, scan your disk for "standard" local files that contain frames in order to "bounce" to program execution from them. They can all be found at http://security.greymagic.com/adv/gm010-ie/. Feedback: ========= Please mail any questions or comments to security@greymagic.com. - Copyright © 2002 GreyMagic Software.
