Who Framed Internet Explorer? (NT)

Summary
The <frame> and especially <iframe> (inline frame) elements are popular elements on many big web sites. <frame> elements have always been used and <iframe> elements recently became popular in ads and relative content, since they don't suffer from the same clumsiness regular <frame> elements suffer from.
Most big sites will contain a <frame> or an <iframe> element somewhere inside them. Good examples are hotmail.com, google.com, and microsoft.com.
Frames may contain URLs in other domains or protocols, and therefore have strict security rules, which prevent frames in one domain to access content and information in another. Microsoft explains the issue in this Cross-Frame Scripting article.


Details
Affected applications:
* Microsoft Internet Explorer 5.5 and above; prior versions are not vulnerable.

Note that any other application that uses Internet Explorer's engine (WebBrowser control) is affected as well (Outlook, MSN Explorer, etc.).

Discussion:
GrayMagic discovered that it is possible for an attacker to execute script on any page that contains <frame> or <iframe> elements, ignoring any protocol or domain restriction set forth by Internet Explorer. This means that an attacker can steal cookies from almost any site, access and change content in sites and in most cases read local files and executes arbitrary programs on the client's machine (script in the "My Computer" zone).

After a web site gets loaded, it is still possible for an external domain to access its frames collection. That in itself is not helping the attacker, since the document object of these frames cannot be accessed directly.

However, it is possible to set the frame's URL. Setting the child frame's URL to "javascript:bracket-code-bracket" will execute the script in the context of the currently loaded URL.

This vulnerability will not work, however, if the child frame is in a different domain than the victim's, like most ads are. But even that doesn't stop this vulnerability from being exploited, an attacker can simply change the frame's URL to match its parent and then re-assign the "javascript:bracket--slash-code-bracket" URL.

In order to use this vulnerability to access the "My Computer" zone an attacker would have to find a local file or resource that contains a <frame> or an <iframe>. Fortunately, for the attacker, Microsoft provided such a resource in Internet Explorer 6, and to make it even better, Microsoft ironically named it "PrivacyPolicy.dlg". All an attacker needs to do in order to read local files and execute arbitrary programs is to load "res://shdoclc.dll/privacypolicy.dlg" and then change the URL of the frame it contains to the "javascript: bracket-code-bracket" URL.

Luckily, for Internet Explorer 5.5 users, "PrivacyPolicy.dlg" was only supplied in version 6 of the browser. However, Windows ships with several HTML files, in relatively static locations, that may contain frames. An attacker can run a simple scan on such known local files and when such a file is found the attacker can use it like "PrivacyPolicy.dlg" is used above.

Exploit:
This exploit shows how it is possible to read a user's cookie in google.com, it uses a new window to load the victim site, the child frame is Google's messages tree frame.
deleted - Forum Admin

Solution:
Set "Active Scripting" or "Navigate sub-frames across different domains" to "Prompt" or "Disable".

Demonstration:
GreyMagic put together four proof-of-concept demonstrations:

* Privacy, anyone? #1
Read local files using the privacypolicy resource or, if you own a prior version of IE, scan your disk for "standard" local files that contain frames in order to "bounce" to any local file from them.

* Privacy, anyone? #2
Execute arbitrary programs using the privacypolicy resource or, if you own a prior version of IE, scan your disk for "standard" local files that contain frames in order to "bounce" to program execution from them.

source: www.greymagic.com

note: performing test(s) as mentioned above are at your own risk - Forum Admin.