SecurityTracker.com
SecurityTracker
Archives
Category:  Application (Web Browser)  >  Microsoft Internet Explorer (IE)
Vendors:  Microsoft
Microsoft Internet Explorer Bug in Loading Multimedia Files May Let Remote Users Execute Arbitrary Scripting Code in Other Domains
SecurityTracker Alert ID:  1005857
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Dec 26 2002
Impact:  Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): 6.0; Tested on 6.0.2600.0000, with Q312461, Q328970 (MS02-066)
Description:  An input validation vulnerability was reported in Microsoft Internet Explorer (IE). A remote user can create HTML that, when loaded by a target user, will cause arbitrary scripting code to be executed in another domain.

According to the report, when IE loads a multimedia file (for example an SWF Flash file) it does not display the file directly but generates an intermediate HTML page that embeds the file's URL, and it inserts that URL without any encoding. A remote user can therefore construct a URL for a multimedia file that contains scripting code and cause the target user to load it, for example with a window.open() function call. When IE generates the page to load the multimedia file, the scripting code will be executed in the domain of the specified URL.

A demonstration exploit URL is provided:

http://www.macromedia.com//shockwave/download/triggerpages_mmcom/flash.swf?"><SCRIPT>alert(document.cookie)</SCRIPT>

Also, a demonstration exploit page is available at:

http://www16.brinkster.com/liudieyu/viaSWFurl/viaSWFurl-MyPage.htm

Impact:  A remote user can cause arbitrary scripting code to be executed in the domain of a different web site. The scripting code will run in the security context of the different web site and will be able to access cookies associated with that web site, access data recently submitted to that site, and take actions on that web site acting as the target user.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/technet/security/
Cause:  Input validation error
Underlying OS:  Windows (Any)
Reported By:  Liu Die Yu <liudieyuinchina@yahoo.com.cn>
Message History:   None.


 Source Message Contents

Date:  26 Dec 2002 05:38:39 -0000
From:  Liu Die Yu <liudieyuinchina@yahoo.com.cn>
Subject:  (MSIE)A rather old trick for web server is now played on MSIE.

 



(MSIE)A rather old trick for web server is now played on MSIE.
("that's all" is the end of file if you are in a hurry)

[tested]MSIEv6(CN version)
Patch: Q312461,Q328970(MS02-066)
{IEXPLORE.EXE file version: 6.0.2600.0000}
{MSHTML.DLL file version: 6.00.2600.0000} 


[demo]
at 
http://www16.brinkster.com/liudieyu/viaSWFurl/viaSWFurl-MyPage.htm
or 
clik.to/liudieyu ==> viaSWFurl-MyPage section.
or
[code.url start]
http://www.macromedia.com//shockwave/download/triggerpages_mmcom/flash.swf?"><SCRIPT>alert(document.cookie)</SCRIPT>
[code.url end]



[exp]
MSIE generates a page to load a multimedia file instead of loading it 
directly. 
the automatically generated page for loading an SWF file (SWF is the extension of a 
flash file) contains the URL of the SWF file -- without any encoding.

so the oldest XSS trick works on MSIE.

that's all.

[how]
(real show)

first, realize MS programmers are lazy(= "too busy") and they prefer to 
look wise, so you can doubt that they generate a page to load a multimedia 
file.
then, check it: i played a small trick: typing 
javascript:alert(document.body.innerHTML)
in the address field when the content of MSIE is a JPG file.
soon after confirmation, try the trick and you'll find it doesn't work on 
a JPG file because the URL is encoded properly.(that programmer must have 
been fired for his defence)
now you may lose self-confidence -- MS is not that foolish. 
but thinking about "document.open" hole(not "flaw") will encourage you.
(the essential point!)
then after several tries, you have this document.

(very few steps)

[more?]
this trick may work on other browsers, but i can't test it at present.

[BTW]
(0)merry Christmas!
(1)Greetings to "the Pull"
(2)there are many demoz at http://www.safecenter.net (thanx to "Dror 
Shalev" for making them)
(3)i'm busy with exams, hope you can understand and forgive my delay (the 
school is really crazy). i'll have a 30-day holiday. i think it's enough 
to make a site showing tricks i know, why they work,how to exploit them, 
and how people got the ideas. it's crosszone.org(not ready yet)
(4)LOTUS: i am slow.

[contact]
clik.to/liudieyu ==> "How to contact Liu Die Yu" section
(any postcard? :-) )
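As an added example (not code from the advisory, from Liu Die Yu, or from Microsoft), the following JavaScript models the loader page described in the [exp] section and in the alert description above: one builder splices the multimedia URL into an embed attribute unencoded, the other applies HTML attribute encoding, and parsedSrc() shows where an HTML tokenizer would cut the attribute for the demonstration URL. The builder functions, their markup and the helper names are assumptions of this example, not IE's actual generated page.

```javascript
// Added example, not code from the advisory or from Microsoft. It models the
// auto-generated loader page the report describes: buildLoaderPage() splices
// the multimedia URL into a double-quoted attribute without encoding, so a URL
// containing `">` closes the attribute and the rest of the URL becomes markup.
// buildLoaderPageFixed() applies HTML attribute encoding, the standard fix.

function escapeHtmlAttr(s) {
  // Encode the characters that can end a quoted attribute or start a tag.
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

function decodeHtmlAttr(s) {
  // Reverse of escapeHtmlAttr, as an HTML tokenizer decodes an attribute value.
  return s.replace(/&quot;/g, '"').replace(/&lt;/g, "<")
          .replace(/&gt;/g, ">").replace(/&amp;/g, "&");
}

// Vulnerable builder (assumed markup): URL inserted verbatim, as the report describes.
function buildLoaderPage(url) {
  return '<html><body><embed src="' + url + '"></body></html>';
}

// Hardened builder: URL is attribute-encoded before insertion.
function buildLoaderPageFixed(url) {
  return '<html><body><embed src="' + escapeHtmlAttr(url) + '"></body></html>';
}

// What an HTML tokenizer takes as the src value: everything up to the first
// unencoded double quote. Anything after that quote is parsed as markup.
function parsedSrc(html) {
  const m = /src="([^"]*)"/.exec(html);
  return m ? decodeHtmlAttr(m[1]) : null;
}

// The URL survives intact only if no character in it terminated the attribute.
function srcIntact(html, url) {
  return parsedSrc(html) === url;
}

// The demonstration URL quoted in the advisory.
const demoUrl = 'http://www.macromedia.com//shockwave/download/triggerpages_mmcom/flash.swf?' +
  '"><SCRIPT>alert(document.cookie)</SCRIPT>';

console.log(srcIntact(buildLoaderPage(demoUrl), demoUrl));       // false: attribute cut at the quote
console.log(srcIntact(buildLoaderPageFixed(demoUrl), demoUrl));  // true: whole URL stays in the attribute
```

The same check applied to the author's JPG observation would return true for the unencoded builder only if the URL contained no quote, which is why a plain image URL did not reproduce the problem.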

Copyright 2002, SecurityGlobal.net LLC