Re: Cookiejacking attack technique

[Rosario Valotta <valotta.rosario () gmail com>]

Hi Vladimir,
using my approach only files in the Cookies folder can be accessed, being
them cookies or not.
You cannot escape that sandbox.
About IE9 I've tested it on the same version and it works, MS has confirmed
the vuln by the way ;-)
About opening arbitrary files, pay attention to 2 issues:
1- one thing is displaying a file in a frame, a different thing is accessing
them, that's why drag&drop is needed...have a look at my slides ;-)
2- not any file, just files in the cookies folder

regards
Rosario

2011/5/25 Владимир Воронцов <vladimir.vorontsov () onsec ru>

> Great work!
>
> Technique can be used to stealing any data.
> In example, content from remote iframes.
> And from any local file, i.e. browser cache, configs and other.
>
> But there is problem to open urls in file:// zone from http:// zone.
> Recently i founded Chrome vuln, which provide that.
> See https://docs.google.com/present/view?id=dcm4kmp7_18w8945rdw slides
> 20-23.
>
> In your work, you say about redirect in IE9, but it is didn't work for me
> (9.0.8112.16421).
>
> If it is possible to open file:// from http:// in IE9, then possible to
> stealing any local file without user actions :)
>
> On Wed, 25 May 2011 00:17:21 +0200, Rosario Valotta
> <valotta.rosario () gmail com> wrote:
> > Hi,
> > last week, in two security conferences I showed a new attack technique
> > called Cookiejacking that allows to steal session cookies without any
> XSS
> > vulnerability.
> >
> > https://www.swisscyberstorm.com/speakers/valotta
> > http://conference.hackinthebox.org/hitbsecconf2011ams/?page_id=1388
> >
> > All previous approaches on the same topic used at least an XSS or a Man
> in
> > the middle attack (eg Firesheep) to steal cookies.
> > In this approach I use a 0-day vulnerabilty affecting all versions of IE
> on
> > every Windows OS and an advanced Clickjacking attack in order to trick
> > users
> > in dragging & dropping their cookies.
> >
> > You can steal any cookie (http only, secure cookies, whatever the
> website)
> > of every Win user!
> >
> > If it is interesting, on my blog you can find a writeup and a couple of
> > videos.
> > https://sites.google.com/site/tentacoloviola/cookiejacking
> >
> > Regards
> >
> > Rosario Valotta
>
> --
> Best regards,
> Vladimir Vorontsov
> ONsec security expert
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/