SecurityTracker.com
SecurityTracker
Archives
Category:  Application (Web Browser)  >  Microsoft Internet Explorer (IE) Vendors:  Microsoft
Microsoft Internet Explorer Custom HTTP Error Pages May Let Remote Users Execute Scripts in the Local Computer Zone
SecurityTracker Alert ID:  1007007
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Jun 17 2003
Impact:  Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes   Vendor Confirmed:  Yes  
Advisory:  GreyMagic Software
Version(s): 5.01, 5.5 and 6.0
Description:  An input validation vulnerability was reported in Microsoft Internet Explorer (IE) in the internal resource pages that render custom HTTP error messages. A remote user may be able to cause arbitrary scripting code to be executed in the Local Computer zone on the target user's system if the target user clicks on a link.

GreyMagic Software reported a flaw in the internal HTML resource files that IE uses to render custom HTTP error messages ("friendly HTTP error messages"). When a requested site returns an error such as HTTP 404 (Not Found), IE internally loads a resource URL with the original URL appended after the '#' sign, of the following form:

res://shdoclc.dll/404_HTTP.htm#[remoteURL]

As part of the error page, IE displays a link to the home page of the requested site. According to the report, the script in the resource that parses the URL after the '#' to extract the domain name does not validate it properly: it locates the host by searching for the first "://" after the leading "res://", strips only the characters < > ' and " from the result, and never checks that the URL scheme is http or https.

A remote user can therefore supply a crafted value after the '#' that makes the resource write a link whose HREF begins with "javascript:". The scripting code will be executed if the target user clicks on the displayed link, and it runs in the Local Zone, the report states.

A demonstration exploit URL is provided:

res://shdoclc.dll/HTTP_501.htm#javascript:%2f*://*%2falert(location.href)/

The vendor was reportedly notified on 20 Feb 2003 and has confirmed the flaw.

Impact:  A remote user can cause scripting code to be executed in the Local Computer zone, if the target user clicks on a certain link (user interaction is required for the exploit to be successful).
Solution:  No solution was available at the time of this entry. The vendor plans to include a fix for this flaw in an upcoming service pack.
Vendor URL:  www.microsoft.com/technet/security/
Cause:  Input validation error
Underlying OS:  Windows (Any)
Reported By:  GreyMagic Software <security@greymagic.com>
Message History:   None.


 Source Message Contents

Date:  Tue, 17 Jun 2003 10:14:34 "GMT"
From:  GreyMagic Software <security@greymagic.com>
Subject:  [Full-Disclosure] Script Injection to Custom HTTP Errors in Local Zone (GM#014-IE)

 

GreyMagic Security Advisory GM#014-IE
=====================================

By GreyMagic Software, Israel.
17 Jun 2003.

Available in HTML format at http://security.greymagic.com/adv/gm014-ie/.

Topic: Script Injection to Custom HTTP Errors in Local Zone.

Discovery date: 18 Feb 2003.

Affected applications:
======================

Microsoft Internet Explorer 5.01, 5.5 and 6.0. 

Note that any other application that uses Internet Explorer's engine
(WebBrowser control) is affected as well (AOL Browser, MSN Explorer, etc.). 


Introduction:
=============

Internet Explorer ships with various internal HTML resource files. The
majority of these files are meant to handle custom HTTP errors in web sites
(also called "Friendly HTTP error messages"). They all use the same basic
pieces of code, with minor changes to the actual content of each resource. 

One of the main functions included in the resources is a method to extract
the real URL from the resource URL hash. For example, if "site.com"
generated a 404 HTTP error, the following URL will be internally requested
by IE: res://shdoclc.dll/404_HTTP.htm#http://site.com/file.html. 

The function takes the part after the # sign and attempts to extract the
domain of the site, in order to embed it in the content of the custom
message. 


Discussion: 
===========

We found that the above-mentioned parsing procedure has a flaw in it that
may cause arbitrary script commands to be executed in the Local Zone,
leading to potential arbitrary command execution, local file reading and
other severe consequences.

However, exploiting this procedure requires user interaction. The user must
click the URL presented to them by the resource for the malicious code to
execute.

Here is the vulnerable function, precisely as it appears in the resources: 

function Homepage(){
// in real bits, urls get returned to our script like this:
// res://shdocvw.dll/http_404.htm#http://www.DocURL.com/bar.htm

    //For testing use DocURL = "res://shdocvw.dll/http_404.htm#https://www.microsoft.com/bar.htm"
    DocURL = document.location.href;

    //this is where the http or https will be, as found by searching for :// but skipping the res://
    protocolIndex=DocURL.indexOf("://",4);

    //this finds the ending slash for the domain server
    serverIndex=DocURL.indexOf("/",protocolIndex + 3);

    //for the href, we need a valid URL to the domain. We search for the # symbol to find the begining
    //of the true URL, and add 1 to skip it - this is the BeginURL value. We use serverIndex as the end marker.
    //urlresult=DocURL.substring(protocolIndex - 4,serverIndex);
    BeginURL=DocURL.indexOf("#",1) + 1;
    if (protocolIndex - BeginURL > 7)
        urlresult=""

    urlresult=DocURL.substring(BeginURL,serverIndex);

    //for display, we need to skip after http://, and go to the next slash
    displayresult=DocURL.substring(protocolIndex + 3 ,serverIndex);

    // Security precaution: must filter out "urlResult" and "displayresult"
    forbiddenChars = new RegExp("[<>\'\"]", "g"); // Global search/replace
    urlresult = urlresult.replace(forbiddenChars, "");
    displayresult = displayresult.replace(forbiddenChars, "");

    document.write('<A target=_top HREF="' + urlresult + '">' + displayresult + "</a>");
}

The comments in this function teach us that Microsoft had indeed attempted to
protect this resource from being exploited in this way, but unfortunately
failed to do so. A specially crafted value appended after the # sign can fool
this function to write a "javascript:" URL in the displayed link.


Exploit and Demonstration:
==========================

This URL will cause the resource to output a "javascript:" link to the
document, which will execute when the user clicks on it:

res://shdoclc.dll/HTTP_501.htm#javascript:%2f*://*%2falert(location.href)/

Copy and paste the above URL in your browser, then click the red link in
order to test it.


Solution:
=========

Microsoft was notified on 20-Feb-2003. They were able to reproduce this on
IE6 Gold and all versions below it. We managed to reproduce it on all
versions, including IE6 SP1, with no exceptions. They plan to fix this flaw
in a future service pack.


Tested on:
==========

IE5.5 Win98.
IE5.5 NT4.
IE5.5 Win2000.
IE6 Win98.
IE6 NT4.
IE6 Win2000.
IE6 WinXP.


Disclaimer:
===========

The information in this advisory and any of its demonstrations is provided
"as is" without warranty of any kind. GreyMagic Software is not liable for
any direct or indirect damages caused as a result of using the information
or demonstrations provided in any part of this advisory.


Feedback:
=========

Please mail any questions or comments to security@greymagic.com.

- Copyright (c) 2003 GreyMagic Software.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
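The following is an added example, not code from the advisory, from SecurityTracker, or from Microsoft's resource files. It re-implements the link-building logic of the Homepage() function quoted above as a plain function of the resource URL, so it runs under Node.js with the URL passed in as a string instead of read from document.location.href; it runs that logic on the advisory's demonstration URL and on an ordinary 404 URL of the form given in the Description above, and it shows what a javascript: link actually evaluates when clicked. The hardened variant is an assumption of what a fix would look like (accept only http/https with a plain hostname, rebuild the link from the parsed pieces, HTML-escape the output); it is not Microsoft's fix. The two input URLs are constructed for the example.

```javascript
// Added example: a stand-alone model of the link-building script in IE's
// "friendly HTTP error" resource pages (not the advisory's own code and not
// Microsoft's actual fix). Runs under Node.js; document.location.href is
// passed in as a string instead of being read from a browser.

// Transcription of the vulnerable Homepage() logic. It returns the HREF and
// link text the resource would have passed to document.write().
function homepageLinkVulnerable(docURL) {
  // "://" is searched from offset 4 to skip the leading "res://", so the first
  // "://" anywhere in the fragment is taken to be the start of the real host.
  const protocolIndex = docURL.indexOf("://", 4);
  // the first "/" after the host ends it; a percent-encoded %2f is not a "/"
  const serverIndex = docURL.indexOf("/", protocolIndex + 3);
  const beginURL = docURL.indexOf("#", 1) + 1;
  let urlresult;
  if (protocolIndex - beginURL > 7) urlresult = ""; // dead: overwritten right below
  urlresult = docURL.substring(beginURL, serverIndex);
  let displayresult = docURL.substring(protocolIndex + 3, serverIndex);
  // the only filter the resource applies: strip < > ' " (no scheme check)
  const forbiddenChars = /[<>'"]/g;
  urlresult = urlresult.replace(forbiddenChars, "");
  displayresult = displayresult.replace(forbiddenChars, "");
  return { href: urlresult, text: displayresult };
}

// What the browser evaluates when a javascript: link is clicked: the part after
// the scheme, percent-decoded. This is why the exploit writes its slashes as
// %2f: they survive the indexOf("/") scan above, then decode into a /* ... */
// comment that hides the bogus "://" from the JavaScript parser.
function scriptExecutedOnClick(href) {
  if (!/^javascript:/i.test(href)) return null;
  return decodeURIComponent(href.substring("javascript:".length));
}

// Hardened variant (assumption, not Microsoft's fix): parse the fragment with
// the URL parser, accept only http/https, require a plain hostname, rebuild the
// link from the validated pieces and HTML-escape it before writing.
function homepageLinkHardened(docURL) {
  const hash = docURL.indexOf("#");
  if (hash < 0) return null;
  let target;
  try { target = new URL(docURL.substring(hash + 1)); } catch (e) { return null; }
  if (target.protocol !== "http:" && target.protocol !== "https:") return null;
  if (!/^[A-Za-z0-9.-]+$/.test(target.hostname)) return null;
  const escapeHTML = s => s.replace(/[&<>"']/g,
    c => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]);
  return { href: escapeHTML(target.protocol + "//" + target.host + "/"),
           text: escapeHTML(target.hostname) };
}

// Constructed inputs: the advisory's demonstration URL and an ordinary 404.
const EXPLOIT_URL = "res://shdoclc.dll/HTTP_501.htm#javascript:%2f*://*%2falert(location.href)/";
const BENIGN_URL  = "res://shdoclc.dll/404_HTTP.htm#http://site.com/file.html";

// Runs both implementations on both inputs and returns the results.
function demo() {
  const out = {};
  for (const [name, url] of [["benign", BENIGN_URL], ["exploit", EXPLOIT_URL]]) {
    const vuln = homepageLinkVulnerable(url);
    out[name] = { vulnerable: vuln,
                  runsOnClick: scriptExecutedOnClick(vuln.href),
                  hardened: homepageLinkHardened(url) };
  }
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

For the benign URL both versions produce a link to http://site.com; for the demonstration URL the transcribed logic emits HREF "javascript:%2f*://*%2falert(location.href)", which on click evaluates "/*://*/alert(location.href)", while the hardened version refuses to emit a link at all. Note that the hardened check is on the scheme, not on characters: stripping more characters from the string would not have closed this hole.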



Copyright 2002, SecurityGlobal.net LLC