web application security lab

IE6.0 and IE7.0 Vulnerable to Complete Cross Domain Leakage

This is some of the worst ownage I’ve seen in a long time. Secunia announced a really nasty cross domain leak for Internet Explorer. This allows anyone with control over a webserver to control anything you do with any page you can connect to. It’s interesting that Secunia marked it as a “less critical” threat, as this pretty much gives any attacker read access to any domain anywhere as long as you are using Internet Explorer 6.0 or 7.0.

The only saving grace here is that it does require access to a server where you can write HTTP headers (or somewhere that you can do header injection/redirection), as you need to force the browser to go to a certain URL which then redirects to another URL. Here’s what the headers look like:

telnet secunia.com 80
Trying 213.150.41.226…
Connected to secunia.com.
Escape character is ‘^]’.
GET /ie_redir_test_1/1234 HTTP/1.0

HTTP/1.1 302 Found
Date: Thu, 19 Oct 2006 15:38:46 GMT
Server: Apache
Location: mhtml:http://secunia.com/ie_redir_test_2
Connection: close
Content-Type: text/html

telnet secunia.com 80
Trying 213.150.41.226…
Connected to secunia.com.
Escape character is ‘^]’.
GET /ie_redir_test_2 HTTP/1.0

HTTP/1.1 302 Found
Date: Thu, 19 Oct 2006 15:39:00 GMT
Server: Apache
Location: http://news.google.com/
Connection: close
Content-Type: text/html

At this point the client is redirected to the target server as you (with your credentials), and the response comes back as a cacheable mhtml file that can be read via XMLHttpRequest, since it “appears” to your browser to be located on the machine that did the redirection. Pretty clever. I’ve played around with these sorts of things before but was never successful (obviously I never tried mhtml). It seems to me that someone was saving this one.

And remember our nonces we were using to protect against CSRF? Well forget it, they’re readable by the cross domain leakage now. I don’t know why anyone would say this is a less critical risk as this is complete ownage of the entire internet for users of Internet Explorer. Hopefully Microsoft will patch this one quickly.
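As an added defensive example (not code from the original post or from Secunia), here is a small checker that parses raw HTTP responses like the two telnet captures above and flags a 3xx redirect whose Location header uses the mhtml: scheme, which is the hop this leak depends on. It also walks a redirect chain the way the captured requests show the browser doing it (fetching the URL inside the mhtml: wrapper); the sample responses are constructed from the headers quoted above, and the function names are my own.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample responses modelled on the two secunia.com captures in the
# post; only the status line and headers matter for this check.
RESPONSES: Dict[str, str] = {
    "http://secunia.com/ie_redir_test_1/1234": (
        "HTTP/1.1 302 Found\r\n"
        "Server: Apache\r\n"
        "Location: mhtml:http://secunia.com/ie_redir_test_2\r\n"
        "Connection: close\r\n"
        "Content-Type: text/html\r\n\r\n"
    ),
    "http://secunia.com/ie_redir_test_2": (
        "HTTP/1.1 302 Found\r\n"
        "Server: Apache\r\n"
        "Location: http://news.google.com/\r\n"
        "Connection: close\r\n"
        "Content-Type: text/html\r\n\r\n"
    ),
    "http://news.google.com/": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}


def parse_status_and_location(raw: str) -> Tuple[int, Optional[str]]:
    """Return (status code, Location value or None) from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return status, location


def is_mhtml_redirect(raw: str) -> bool:
    """True when a 3xx response points the client at an mhtml: URL."""
    status, location = parse_status_and_location(raw)
    return 300 <= status < 400 and location is not None and location.lower().startswith("mhtml:")


def trace_chain(start: str, responses: Dict[str, str], limit: int = 10) -> Tuple[List[str], bool]:
    """Follow redirects through `responses`; return (URLs visited, mhtml: hop seen)."""
    url, chain, mhtml_seen = start, [start], False
    while url in responses and len(chain) <= limit:
        status, loc = parse_status_and_location(responses[url])
        if not (300 <= status < 400 and loc):
            break  # final, non-redirecting response
        if loc.lower().startswith("mhtml:"):
            mhtml_seen = True
            loc = loc[len("mhtml:"):]  # the browser fetches the wrapped URL
        chain.append(loc)
        url = loc
    return chain, mhtml_seen
```

A proxy or log reviewer can apply the same check to every 3xx response: an mhtml: scheme in Location has no legitimate place in a web redirect and is the signature of this chain.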

17 Responses to “IE6.0 and IE7.0 Vulnerable to Complete Cross Domain Leakage”

  1. Speedlinking: October 19, 2006 » Technology, Blogging and New Media Says:

    […] Internet Explorer 6 days are a thing of the past. Microsoft announced the final release of Internet Explorer 7 for Windows XP yesterday. I’ve used IE7 since private beta days and I must say, Microsoft has done a smashup job with IE7. Please, please, please… if you’re an Internet Explorer user, go graduate to the next level of safety and security. Update: Looks like IE7 is vulnerable to some pretty amazing XSS trickery. Hat tip, Rsnake. […]

  2. maluc Says:

    and almost 3 weeks till the next patch tuesday..

  3. » First IE7 Vulnerability Discovered || Tech News and Tips from Tipsdr.com || Says:

    […] Added: Saw this post on ha.ckers.org that says it allows anyone with control over a webserver to control anything you do with any page you can connect to. This is some of the worst ownage I’ve seen in a long time. Secunia announced a really nasty cross domain leak for Internet Explorer. This allows anyone with control over a webserver to control anything you do with any page you can connect to. It’s interesting that Secunia marked it as a “less critical” threat, as this pretty much gives any attacker read access to any domain anywhere as long as you are using Internet Explorer 6.0 or 7.0. […]

  4. Anonymous Says:

    IE6.0 and IE7.0 Vulnerable to Complete Cross Domain Leakage…

    This is some of the worst ownage I’ve seen in a long time. Secunia announced a really nasty cross domain leak for Internet Explorer. This allows anyone with control over a webserver to control anything you do with any page you can connect to. It’s intere…

  5. pip Says:

    lol… great release… so IE7 will be subject to most of the next patch days ;)

  6. Tribute Says:

    The secunia exploit didn’t work on my IE7 running on Vista with default settings

  7. Spreading the Internet Explorer 7 Hate « //engtech Says:

    […] Upgrading to IE 7 might be a bad idea as at least one person has completely fragged his computer with it (more a Windows Update problem than an IE 7 problem). Oh yeah, and the first IE 7 security vulnerability has already been found (translated to english here, comments here). […]

  8. maluc Says:

    Worked for my IE6 and IE7 on xp sp2.
    And, it looks like this was found back in april.. and never patched..

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2111
    http://www.osvdb.org/25073

    I guess that giant is only pretending to be asleep

  9. IT Blogwatch Says:

    IE7 releases with vulnerability (and fun with res…

    Open IT Blogwatch in a new tab and read how Microsoft released Internet Explorer 7, but all is not well. Not to mention how to reply to lame resume writers……

  10. Tusker Says:

    I managed to do the same attack on my server, news.google.com and many other domains worked, but on some websites it didn’t work. Anyway I would say this is a really serious flaw, it’s something websites cannot protect against.

  11. RSnake Says:

    Do you know which sites weren’t vulnerable (a list of 2 or 3 would help)? Perhaps in that knowledge we might be able to figure out how to stop it on the server side.

  12. maluc Says:

    Hrm, I would think it would be able to pull in any site. Just looking at the requests intercepted by burp proxy.. you can see the final google request is nothing out of the ordinary:

    GET /ie_redir_test_1/?0.6203240305274063 HTTP/1.0
    Accept: */*
    Accept-Language: en-us
    Referer: http://secunia.com/Internet_Explorer_Arbitrary_Content_Disclosure_Vulnerability_Test/
    Proxy-Connection: Keep-Alive
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: secunia.com
    Cookie: cookies here (spammy)

    GET /ie_redir_test_2 HTTP/1.0
    Accept: */*
    Proxy-Connection: Keep-Alive
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: secunia.com
    Cookie: cookies here

    GET / HTTP/1.0
    Accept: */*
    Proxy-Connection: Keep-Alive
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Cookie: cookies here
    Host: news.google.com

    Unless of course, the mhtml chokes on certain characters in the URL.. which would be unusual.

  13. RSnake Says:

    I read today that this is actually not a problem in IE but a problem in Outlook Express (some sort of hook into the browser that manifests itself in the browser). Perhaps that has something to do with it? Maybe it’s not super stable as a result.

  14. maluc Says:

    you’re right.. completely uninstalling Outlook Express (which is not easy) prevents this from working. Steps to install from XP: http://www.activewin.com/tips/tips/microsoft/winxp/advanced/8.shtml

    But.. while in IE7, it caused it to just not work, in IE6 it causes explorer to crash every time. Even when thunderbird is set as my default email client. Possibly from ‘Address Book’ still being set as the default - unable to change without a replacement program.

  15. maluc Says:

    From process of elimination, it’s the msoert2.dll. If you use IE7, rename that to msoert2.old and it may be a workaround. Others who try it let me know if that works for you too. But that still crashes IE6 :/

  16. ha.ckers.org web application security lab - Archive » Server Side MHTML Fix and XSS Fragmentation Says:

    […] I know there are quite a few people who read this site but don’t look at the forums, so to save you some time in combing through all the recent posts, I thought I’d highlight a few that were very noteworthy. The first is from Łukasz Pilorz. After doing quite a few tests against the most recent mhtml vulnerability in IE (which turned out to be a problem with interaction between outlook express and the browser) Łukasz found that there is one server side mitigating factor that makes this attack fail - and it’s something as simple as adding a few linebreaks to your code. […]

  17. :: Bullet Points :: » IE7 Bug, Firefox 2.0 Release: The Faithful Are Up in Arms Says:

    […] A blogger at ha.ckers.org contends this bug represents a major security risk (read on for a hard-wired snapshot of the “complete cross-domain leakage” threat) and criticizes Secunia for tagging the threat as merely a 2 on a scale of 1-5. […]