Bugtraq mailing list archives

IE6 + XP SP2 Vulnerability


From: cns <cns () free fr>
Date: Thu, 16 Sep 2004 01:01:58 +0200

Background information
======================

Windows XP Service Pack 2 has introduced new features that improve
browsing security in Internet Explorer. Most of them are additional
prompts that force the user to validate everything the browser does,
and most of these prompts are displayed in the new Information Bar.
For example, if you try to open a web page that contains JavaScript
code or ActiveX objects, it is likely that they will be blocked; the
Information Bar will appear and offer to reload the page with the
untrusted components enabled.

More information can be found at:
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2brows.mspx

The side effect of these features is that some web sites can't be used
as easily as before because the user has to respond to an increasing
number of notifications and questions.


Vulnerability Explained
=======================

As an example I created a simple XHTML document containing MathML and
installed the MathPlayer ActiveX plugin from DesignScience
(http://www.dessci.com/en).
This type of document used to render correctly in IE6, but since SP2
was installed the new features interfere with the loading of the
component: the page is first loaded without MathPlayer, which then has
to be enabled via the Information Bar.

But there seems to be a vulnerability in Internet Explorer that allows
this protection to be bypassed. All that needs to be done is to add a
fake comment between the DOCTYPE declaration and the <html> tag that
mimics the one added by IE when a page is saved to disk. The "fake"
comment must be formatted as follows:

<!-- saved from url=(XXXX)URL -->

where URL is to be replaced by a URL
(for instance http://www.example.com/)
and XXXX by a 4-digit, zero-padded integer that represents the number
of characters in the URL (for instance 0023).
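For a defender who wants to find local documents carrying a comment of this exact shape, here is an added example (not part of the original post) that parses the "saved from url" comment, checks that the 4-digit length field matches the URL, and reports whether the comment sits before the <html> tag. The sample document is constructed from the proof of concept below; the function and type names are my own.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample: the post's proof-of-concept document, with the
# "saved from url" comment placed between the DOCTYPE and the <html> tag.
SAMPLE_DOC = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1 plus MathML 2.0//EN"
               "http://www.w3.org/TR/MathML2/dtd/xhtml-math11-f.dtd">
<!-- saved from url=(0023)http://www.example.com/ -->
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>x</title></head><body></body></html>
"""

# The comment form given in the post: a 4-digit, zero-padded length in
# parentheses, immediately followed by the URL itself.
_MOTW_RE = re.compile(r"<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->",
                      re.IGNORECASE)


class SavedFromUrl(NamedTuple):
    declared_length: int   # the XXXX field
    url: str               # the URL that follows it
    length_matches: bool   # True when XXXX equals len(url)
    before_html_tag: bool  # True when the comment precedes <html>


def find_saved_from_url(doc: str) -> Optional[SavedFromUrl]:
    """Locate a 'saved from url' comment and report whether it is well formed.

    A comment whose declared length matches the URL and which precedes
    the <html> tag is exactly the form the post describes; a local file
    that carries one without ever having been saved from a browser is
    worth a closer look.
    """
    m = _MOTW_RE.search(doc)
    if m is None:
        return None
    declared = int(m.group(1))
    url = m.group(2)
    html_tag = re.search(r"<html\b", doc, re.IGNORECASE)
    before = html_tag is None or m.start() < html_tag.start()
    return SavedFromUrl(declared, url, declared == len(url), before)
```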


System Affected
===============

Windows XP Pro and Home editions with SP2
IE 6.0 (SP2)


How to reproduce
================

Install the plugin from DesignScience. Paste the following text into a
file with an .xml extension. Open it in IE both with and without the
comment on line 4.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1 plus MathML 2.0//EN"
               "http://www.w3.org/TR/MathML2/dtd/xhtml-math11-f.dtd">
<!-- saved from url=(0023)http://www.example.com/ -->
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>IE Vulnerability example</title>
</head>
<body>
<!-- MathML namespace spelled out so the document is well-formed XML
     regardless of whether the DTD declares a "mathml" entity -->
<math displaystyle="true" xmlns="http://www.w3.org/1998/Math/MathML">
<mfrac>
<mn>27</mn>
<mn>12</mn>
</mfrac>
</math>
</body>
</html>


Remarks
=======

This also works with pages containing JavaScript code.


--
Cyrille SZYMANSKI

