Another IE security hole

Discussion in 'other security issues & news' started by TNT, Apr 5, 2006.

Thread Status:
Not open for further replies.
  1. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Last edited: Apr 5, 2006
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Using IE6 here, Security Settings High, the exploit doesn't work.
     
  3. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
  4. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    Right, and I guess that blocking Flash in IE should do it as well (Flash is used mostly for ads).
     
  5. crackman

    crackman Registered Member

    Joined:
    Jul 6, 2005
    Posts:
    24
    Location:
    Southern California
    This is similar to a long-standing "exploit" involving frame injection, and, like that issue, the new vulnerability requires that the permission "Navigate sub-frames across different domains" be enabled. The old exploit, documented at:

    http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/

    does not even require Javascript to be enabled, and I wouldn't be surprised if someone found a way to exploit this one without needing script as well. Note that Secunia's link is via Javascript, so if that is disabled, Secunia's test will not even launch; thus, in particular, Rmus and StevieO did not notice a problem.

    I want to point out that in both vulnerabilities, the injected content runs in the security context of the rogue website; i.e., there does not appear to be a cross-site scripting issue. In the particular test that I ran, Google was in the Internet Zone and Secunia was relegated to my default security zone 5 (I find having an extra zone to be useful). Note that in the image (link shown below), the address bar indeed says Google is the URL, but the lower-right part of the image shows Secunia's zone. This test did not succeed totally, for Secunia's final action is to download a Flash file (just a large "SECUNIA" image), but that was not injected into the page, for reasons unknown. REGMON did indicate that Flash was checked against the AllowedControls list and then was instantiated.

    Personally, I consider "Navigate sub-frames across different domains" to be one of the shakier permissions, and thus I require prompting before allowing this action in the default zone. Routinely, I deny this permission unless I totally trust the site. This test failed to "exploit", of course, when cross-domain navigation was disabled. Additionally, it failed when I said 'yes' to prompts due to some unknown timing issue (the script involves timing), and I did not have time to find out what was happening. I needed to change the permission to Enable to get the exploit to work. Other default settings of interest for this test included the enabling of Active scripting and a small number of Active X controls, including Flash. Your results may vary.

    CrackMan
    XP/XP2; IE6/SP2
     

    Attached Files:

    Last edited by a moderator: Apr 8, 2006
  6. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    So disabling iframes is another possible protection?
     
  7. crackman

    crackman Registered Member

    Joined:
    Jul 6, 2005
    Posts:
    24
    Location:
    Southern California
    No, a different issue here. This is not related to the "Execute by Hyperlink" capability that is enabled by the permission Launching programs and files in an IFRAME -- something that one should never permit except in very special circumstances. Microsoft documents this at http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q232077. Secunia is reporting another variation on frame weaknesses that have plagued IE, and other browsers, over the years. I say "weakness" because this again is a spoof, not an exploit.

    CrackMan
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    It does not work for me at all, so it looks like this is no issue with hardened IE security settings. :)
     
  9. crackman

    crackman Registered Member

    Joined:
    Jul 6, 2005
    Posts:
    24
    Location:
    Southern California
    Rasheed:

    True. You and probably most individuals who tune into this, or other security-conscious sites, will likely have hardened browsers that will be immune to this issue. Problem is, the default "Medium" security that is recommended for IE's Internet Zone will leave your average John Doe vulnerable. Specifically, the Medium Template enables Navigate sub-frames across different domains as well as the active scripting and ActiveX needed for this particular demonstration to work.

    This permission is not totally useless; specifically, anyone who does a search by using the Search Companion (clicking the magnifying glass in IE's Toolbar) will in essence open up a "frame" on the left side of the screen. When one clicks a result, IE navigates the new web page into the right-hand "frame" if it is permitted to do so via the aforementioned permission. Even though the web page itself might not use frames, IE treats the simultaneous existence of separate web sites as a cross-subframe issue.

    CrackMan
    XP/IE6/SP2
     
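    An added audit script (not from the thread or from any poster) that reads the Internet Zone settings crackman names from the registry, so a reader can see whether their own IE is on the Medium defaults he describes. The value IDs (1607, 1806, 1400, 1200) and the 0/1/3 encoding are Microsoft's documented zone registry values; the key path assumes per-user zone settings under HKCU.

```powershell
# Added example, not part of the original thread. Audits the IE Internet Zone
# (zone 3) for the permissions discussed above. Value IDs are Microsoft's
# documented zone action IDs; data is 0 = Enable, 1 = Prompt, 3 = Disable.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

$settings = @{
    '1607' = 'Navigate sub-frames across different domains'
    '1806' = 'Launching programs and files in an IFRAME'
    '1400' = 'Active scripting'
    '1200' = 'Run ActiveX controls and plug-ins'
}
$state = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneSetting {
    param([string]$Key, [string]$ValueName)
    # Returns the DWORD for one zone action, or $null if the value is absent
    # (absent means the zone template default applies).
    $item = Get-ItemProperty -Path $Key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

foreach ($id in ($settings.Keys | Sort-Object)) {
    $value = Get-ZoneSetting -Key $zoneKey -ValueName $id
    $label = if ($null -eq $value) { 'not set (template default)' } else { $state[$value] }
    $flag = ''
    # The two frame-related permissions are the ones the post says should not
    # simply be Enabled in the Internet Zone.
    if (('1607', '1806') -contains $id -and $value -eq 0) {
        $flag = '  <-- consider Prompt or Disable'
    }
    '{0}  {1,-45} {2}{3}' -f $id, $settings[$id], $label, $flag
}

# To set 'Navigate sub-frames across different domains' to Prompt, as the post
# describes doing in the default zone, uncomment the next line:
# Set-ItemProperty -Path $zoneKey -Name '1607' -Value 1 -Type DWord
```

If the "Security Zones: Use only machine settings" policy is in force, the effective values live under HKLM instead of HKCU and the key path must be changed accordingly.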
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Yes, a lot of (old) and maybe even new exploits don't even work with the Internet/Local Machine Zone locked down. Disabling a lot of ActiveX controls and some URL Protocol handlers used by IE also makes sense of course, since they all can be used as attack vectors. But I see that MS has learned from their mistakes and finally configured IE7 in the most secure way. And IMO most of us do not need all these features in IE anyway, I mean I have never run into any problems with any websites. ;)
     