SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Web Browser)  >  Microsoft Internet Explorer (IE) Vendors:  Microsoft
Microsoft Internet Explorer Access Control Flaw in popup.show() Lets Remote Users Execute Mouse-Click Actions
SecurityTracker Alert ID:  1010679
SecurityTracker URL:  http://securitytracker.com/id?1010679
CVE Reference:  CAN-2004-0839 ,  CAN-2004-0841   (Links to External Site)
Updated:  Sep 14 2004
Original Entry Date:  Jul 12 2004
Impact:  Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 6; Tested on 6.0.2800.1106
Description:  A vulnerability was reported in Microsoft Internet Explorer in popup.show(). A remote user can take arbitrary mouse-based actions on the target system.

Paul from GreyHats Security Group reported that a remote user can create HTML that uses the popup.show() function with the 'on mousedown' event to take mouse-based actions on the target user's system [CVE: CAN-2004-0841].

A demonstration exploit is available at:

http://freehost07.websamba.com/greyhats /hijackclick3.htm

http-equiv subsequently reported that this vulnerable function can be used in conjunction with the previously reported "shell://" vulnerability to execute arbitrary code on the target user's system.

Some demonstration exploit code is provided:

<img src="greyhat.html" id=anch
onmousedown="parent.nsc.style.width=2000;parent.nsc.style.height=
2000;parent.pop.show(1,1,1,1);parent.setTimeout('showalert
()',3000);" style="width=168px;height=152px;background-image:url
('youlickit.gif');cursor:hand" title="click me!"></a>

location="shell:favorites\\greyhat[1].htm"

A demonstration exploit is available at:

http://www.malware.com/paul.html

On August 18, 2004, http-equiv provided an additional exploit example [CVE: CAN-2004-0839], available at:

http://www.malware.com/wottapoop.html

When this exploit example is followed, an executable file will be placed in your Windows Startup folder. Some user interaction is required in the example, but comments in the code note that it may be possible to automate the exploit.
Impact:  A remote user can create HTML that will execute mouse-click actions on the target user's computer.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/technet/security/ (Links to External Site)
Cause:  Access control error
Underlying OS:  Windows (Any)
Underlying OS Comments:  Tested on Windows XP SP2
Reported By:  Paul <paul@greyhats.cjb.net>
Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 19 2004 (Alternate Exploit is Available) Microsoft Internet Explorer Access Control Flaw in popup.show() Lets Remote Users Execute Mouse-Click Actions   ("http-equiv@excite.com" <1@MALWARE.COM>)
Another demonstration exploit example is available.
Oct 12 2004 (Vendor Issues Fix) Microsoft Internet Explorer Access Control Flaw in popup.show() Lets Remote Users Execute Mouse-Click Actions
The vendor has issued a fix.
Feb 8 2005 (Vendor Issues Fix) Microsoft Internet Explorer Access Control Flaw in popup.show() Lets Remote Users Execute Mouse-Click Actions
Microsoft has issued a fix.


 Source Message Contents
Date:  11 Jul 2004 15:53:15 -0000
From:  Paul <paul@greyhats.cjb.net>
Subject:  HijackClick 3

 



Note: This vulnerability as well as several more can be found at http://www.greyhats.cjb.net

HijackClick 3!!!
Took the name from Liu Die Yu :) 

[Tested]
IEXPLORE.EXE file version 6.0.2800.1106
MSHTML.DLL file version 6.00.2800.1400
Microsoft Windows XP sp2 

[Discussion]
The HijackClick series have been used to force a drag and drop event simply from the user clicking a 
something. This is done by moving
 the window when onmousedown fires. Previously, window.moveBy/To has been used. This has been patched
. Apparently, window.resizeBy/To
 would work too because it gives access denied if it tries to execute when onmousedown fires. Microso
ft just disabled those functions
 from being called when the mouse button is down and called it patched. No more hijackclick, right?

Wrong. 

Popup.show() allows you to show a popup with desired left, top, height, and width values. The show() 
function doesnt give access denied
 when we call it on mousedown. Let's try it with a link on a popup. I'll make show() move the popup o
ff the screen. Does it work?
 Yes, it changes the cursor. Good. A drag event just took place. With a little fine-tuning, we can ma
ke it show the popup on loading
 of the main window, move the popup and show a favorites list on mousedown, and set a timer to hide t
he favorites list and taunt the
 victim who just got tricked into adding a link of our choice to their favorites list :).

[Example]
http://freehost07.websamba.com/greyhats/hijackclick3.htm

And when you patch this one, Microsoft, please remember to patch the show() function method cache par
t, too. You don't want HijackClick4,
 do you? ;)


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2005, SecurityGlobal.net LLC