
List:       bugtraq
Subject:    MSIE Similar Method Name Redirection Cross Site/Zone Scripting
From:       Paul <paul () greyhats ! cjb ! net>
Date:       2004-07-11 15:33:53
Message-ID: 20040711153353.11484.qmail () www ! securityfocus ! com



Note: This vulnerability and many more can be found at http://www.greyhats.cjb.net

SimilarMethodNameRedir
Automatic Remote Compromise

[Tested]
IEXPLORE.EXE file version 6.0.2800.1106
MSHTML.DLL file version 6.00.2800.1400
Microsoft Windows XP sp2 

[Discussion]
At first I thought this vulnerability had something to do with method caching. It doesn't. It has to do with the security check that Internet Explorer has in place. Apparently, if a function is redirected to a function with the same name, it can be called without security restrictions. If you want to see what I mean, try this:

<script>
// The assign() method owned by the current window.
var var1=location.assign;
alert("Assign function of the current window:\n"+var1);
// Open a second window and take the assign() method owned by it.
var w=window.open("about:blank","_blank");
var var2=w.location.assign;
alert("Assign function of the new window:\n"+var2);
w.close();
</script>


You should get two alerts describing the assign() function as being

function assign(){
[Native code]
}

Notice both functions appear to be the same. My guess is that Internet Explorer checks the two function names and (maybe) the function code. If it matches, Internet Explorer marks the function as safe. It doesn't, however, take into account cross-window function calls. That's why SimilarMethodNameRedir works.

How bad is this problem? Critical. With minimal effort, a malicious website owner could install viruses or spyware on the visitor's computer. Because theoretically this should work with every function, the only way that I can think of to fix the problem is to rewrite the whole function security check that Internet Explorer has in place. The best way to prevent this vulnerability is to either disable active scripting or switch to a different browser ;).

The example goes to google.com and executes JavaScript that displays a message box with the location.href and the document.cookie attributes of the window object.

[Example]
http://freehost07.websamba.com/greyhats/similarmethodnameredir.htm

