Re: Saved XSS vulnerability in Internet Explorer

["MustLive" <mustlive () websecurity com ua>]

Hello Zach and Christian.

> But it requires that the user/potential victim go to the URL and save it,
> you say? That doesn't quite seem realistic at all in terms of an attack...

Yes, this vulnerability is complex and it'll be not easy to attack. But
hidden iframe can be used, as I wrote in my advisory, to conduct this attack
hiddenly. And this kind of vulnerability can be elevated from XSS to Code
Execution (as I wrote in below-mentioned articles). As first hole in IE
(which I disclosed in 2007), in Google Chrome (which I disclosed in 2008),
in Opera (which I disclosed in 2008), in second hole in IE (which I
disclosed recently). And in hole in Ad Muncher (which allows to conduct this
attack via any browser at all), which I found in 2006 and which I wrote
about in my article Local XSS (I mentioned a link to English version of it
in my advisory).

> If MustLive says so, it must be realistic...

This vulnerability is complex, but there is some possibility for successful
attack. So taking into account complexity of vulnerability, I gave it low
risk. Much lower than Mitre gave in CVE-2007-4478
(http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4478) and 3APA3A
gave in SecurityVulns ID: 8081
(http://securityvulns.ru/news/Microsoft/IE/saved-css.html).

I gave low risk (1/5 or 2/10).

Mitre gave 4.3 (medium risk):

CVSS v2 Base Score: 4.3 (MEDIUM)
Impact Subscore: 2.9
Exploitability Subscore: 8.6

3APA3A gave 3/10.

So other people consider it even more dangerous then I do :-). And taking
into account that Microsoft fixed it in IE (fixed hiddenly and lamerly after
two years in IE8), Google fixed it in Chrome (quickly) and Opera fix it
(fixed hiddenly and lamerly after one year in Opera 10) - then it looks like
browser vendors also consider such holes as dangerous.

You guys also can read my articles Code Execution via XSS in Internet 
Explorer (http://securityvulns.ru/Udocument911.html) and Cross-browser Code 
Execution via XSS (http://securityvulns.ru/Udocument941.html), which I wrote 
in 2008 concerning this kind of vulnerabilities in different browsers which 
I found. How the attack can be elevated from XSS to CE.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message ----- 
From: "Zach C" <fxchip () gmail com>
To: "MustLive" <mustlive () websecurity com ua>
Cc: <full-disclosure () lists grok org uk>
Sent: Sunday, November 14, 2010 10:14 PM
Subject: Re: [Full-disclosure] Saved XSS vulnerability in Internet Explorer


But it requires that the user/potential victim go to the URL and save it,
you say? That doesn't quite seem realistic at all in terms of an attack...

On Nov 14, 2010, at 9:56 AM, "MustLive" <mustlive () websecurity com ua> wrote:

> Hello Full-Disclosure!
>
> I want to warn you about Cross-Site Scripting vulnerability in Internet
> Explorer. This is Post Persistent XSS (Save XSS)
> (http://websecurity.com.ua/2641/).
>
> -------------------------
> Affected products:
> -------------------------
>
> Vulnerable versions are Internet Explorer 6 (6.0.2900.2180), Internet
> Explorer 7 (7.00.5730.13), Internet Explorer 8 (8.00.6001.18702) and
> previous versions.
>
> ----------
> Details:
> ----------
>
> This hole is similar to Cross-Site Scripting vulnerability in Internet
> Explorer (http://websecurity.com.ua/1241/) - CVE-2007-4478
> (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4478). Which I
> found in August 2007 and informed Microsoft, and they ignored it and
> didn't
> fix it in IE6, and they didn't fixed it in IE7 (and also in IE6) after my
> informing in 2008. But they silently and lamerly fixed it in IE8, as I
> found
> in May 2010 when checked this hole in IE8. This vulnerability is different
> from previous one in that, that the attack is going not via saving web
> page,
> but saving web archive (mht/mhtml file) - similarly to Cross-Site
> Scripting
> in Opera (http://websecurity.com.ua/2555/), which I wrote about in 2008.
> All
> versions of IE6, IE7 and IE8 are affected to this hole.
>
> XSS (WASC-08):
>
> http://site/?--><script>alert("XSS")</script>
>
> For the attack it's needed to visit such URL and save html page as
> mht/mhtml
> file (Web archive). For executing of the code it's needed that file was
> saved not with mht or mhtml extension, but with htm or html extension.
> After
> that when opening saved page in any browser the code will run. Attacking
> code are saving inside of the file.
>
> This vulnerability - it's Saved XSS and Local XSS
> (http://websecurity.com.ua/4219/).
>
> To make hidden attack an iframe can be used in code of the page:
>
> <iframe src='http://site/?--><script>alert("XSS")</script>' height='0'
> width='0'></iframe>
>
> ------------
> Timeline:
> ------------
>
> 2010.11.12 - found vulnerability.
> 2010.11.12 - disclosed at my site.
> 2010.11.13 - informed Microsoft.
>
> I mentioned about this vulnerability at my site
> (http://websecurity.com.ua/4677/).
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/