SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


Try our Premium Alert Service
 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service





Category:   Application (Web Browser)  >   Microsoft Internet Explorer Vendors:   Microsoft
Microsoft Internet Explorer Access Control Flaw in popup.show() Lets Remote Users Execute Mouse-Click Actions
SecurityTracker Alert ID:  1010679
SecurityTracker URL:  http://securitytracker.com/id/1010679
CVE Reference:   CVE-2004-0839, CVE-2004-0841   (Links to External Site)
Updated:  Sep 14 2004
Original Entry Date:  Jul 12 2004
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 6; Tested on 6.0.2800.1106
Description:   A vulnerability was reported in Microsoft Internet Explorer in popup.show(). A remote user can take arbitrary mouse-based actions on the target system.

Paul from GreyHats Security Group reported that a remote user can create HTML that uses the popup.show() function with the 'on mousedown' event to take mouse-based actions on the target user's system [CVE: CVE-2004-0841].

A demonstration exploit is available at:

http://freehost07.websamba.com/greyhats/hijackclick3.htm

http-equiv subsequently reported that this vulnerable function can be used in conjunction with the previously reported "shell://" vulnerability to execute arbitrary code on the target user's system.

Some demonstration exploit code is provided:

<img src="greyhat.html" id=anch
onmousedown="parent.nsc.style.width=2000;parent.nsc.style.height=
2000;parent.pop.show(1,1,1,1);parent.setTimeout('showalert
()',3000);" style="width=168px;height=152px;background-image:url
('youlickit.gif');cursor:hand" title="click me!"></a>

location="shell:favorites\\greyhat[1].htm"

A demonstration exploit is available at:

http://www.malware.com/paul.html

On August 18, 2004, http-equiv provided an additional exploit example [CVE: CVE-2004-0839], available at:

http://www.malware.com/wottapoop.html

When this exploit example is followed, an executable file will be placed in your Windows Startup folder. Some user interaction is required in the example, but comments in the code note that it may be possible to automate the exploit.

Impact:   A remote user can create HTML that will execute mouse-click actions on the target user's computer.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/technet/security/ (Links to External Site)
Cause:   Access control error
Underlying OS:  Windows (Any)
Underlying OS Comments:  Tested on Windows XP SP2

Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 19 2004 (Alternate Exploit is Available) Microsoft Internet Explorer Access Control Flaw in popup.show() Lets Remote Users Execute Mouse-Click Actions
Another demonstration exploit example is available.
Oct 12 2004 (Vendor Issues Fix) Microsoft Internet Explorer Access Control Flaw in popup.show() Lets Remote Users Execute Mouse-Click Actions
The vendor has issued a fix.
Feb 8 2005 (Vendor Issues Fix) Microsoft Internet Explorer Access Control Flaw in popup.show() Lets Remote Users Execute Mouse-Click Actions
Microsoft has issued a fix.



 Source Message Contents

Subject:  HijackClick 3




Note: This vulnerability as well as several more can be found at http://www.greyhats.cjb.net

HijackClick 3!!!
Took the name from Liu Die Yu :) 

[Tested]
IEXPLORE.EXE file version 6.0.2800.1106
MSHTML.DLL file version 6.00.2800.1400
Microsoft Windows XP sp2 

[Discussion]
The HijackClick series have been used to force a drag and drop event simply from the user clicking a something. This is done by moving
 the window when onmousedown fires. Previously, window.moveBy/To has been used. This has been patched. Apparently, window.resizeBy/To
 would work too because it gives access denied if it tries to execute when onmousedown fires. Microsoft just disabled those functions
 from being called when the mouse button is down and called it patched. No more hijackclick, right?

Wrong. 

Popup.show() allows you to show a popup with desired left, top, height, and width values. The show() function doesnt give access denied
 when we call it on mousedown. Let's try it with a link on a popup. I'll make show() move the popup off the screen. Does it work?
 Yes, it changes the cursor. Good. A drag event just took place. With a little fine-tuning, we can make it show the popup on loading
 of the main window, move the popup and show a favorites list on mousedown, and set a timer to hide the favorites list and taunt the
 victim who just got tricked into adding a link of our choice to their favorites list :).

[Example]
http://freehost07.websamba.com/greyhats/hijackclick3.htm

And when you patch this one, Microsoft, please remember to patch the show() function method cache part, too. You don't want HijackClick4,
 do you? ;) 

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2018, SecurityGlobal.net LLC