Full Disclosure mailing list archives
Re: Major Internet Explorer Vulnerability - NOT Patched
From: Justin Steven <justin () justinsteven com>
Date: Thu, 5 Feb 2015 12:37:52 +1000
is this entirely an IE flaw, or is it tied to the use of Cloudflare by
the targeted site as well as the attacking site? No, this is entirely an IE flaw. I've repro'd on domains that I know don't use cloudflare, from a domain that doesn't use cloudflare. There's a great teardown on this POC by @filedescriptor at http://innerht.ml/blog/ie-uxss.html -- Justin On 5 February 2015 at 05:29, Ben Lincoln (F7EFC8C9 - FD) < F7EFC8C9 () beneaththewaves net> wrote:
So here's a possibly stupid question: is this entirely an IE flaw, or is it tied to the use of Cloudflare by the targeted site as well as the attacking site? I ask because: 1 - I tried to reproduce the attack in a number of ways without using CloudFlare, and was unsuccessful. 2 - Since I don't have access to a CloudFlare account, I used Burp to do a find/replace for proxied response headers and bodies on " www.dailymail.co.uk" and then "dailymail.co.uk" with a target domain which does not use Cloudflare, then accessed the Deusen demo page. The injection attempt failed. 3 - I then used Burp in the same way, but replaced "www.dailymail.co.uk"/" dailymail.co.uk" with a target domain which *does* use CloudFlare, and the injection attempt succeeded. If this is true, am I correct in thinking that while this definitely involves a vulnerability in IE, it also depends at least on targeting website owners who use JavaScript hosted on shared domains (CloudFlare, in this case), which is inherently riskier than hosting it all on one's own domain due to the way cross-domain security works in modern browsers? I don't have time to to a teardown on CloudFlare.JS, but does this also depend on some sort of code vulnerability in that file? Even if one or both of those caveats are true, it's a very impressive exploit, but I'd like to make sure the label "universal" is actually justified. Sorry if this has already been discussed elsewhere. I couldn't find anything when I looked. - Ben On 2015-02-02 12:53, Joey Fowler wrote:Hi David, "nice" is an understatement here. I've done some testing with this one and, while there *are* quirks, it most definitely works. It even bypasses standard HTTP-to-HTTPS restrictions. As long as the page(s) being framed don't contain X-Frame-Options headers (with `deny` or `same-origin` values), it executes successfully. Pending the payload being injected, most Content Security Policies are also bypassed (by injecting HTML instead of JavaScript, that is). It looks like, through this method, all viable XSS tactics are open! Nice find! Has this been reported to Microsoft outside (or within) this thread? -- Joey Fowler Senior Security Engineer, Tumblr On Sat, Jan 31, 2015 at 9:18 AM, David Leo <david.leo () deusen co uk> wrote: Deusen just published code and description here:http://www.deusen.co.uk/items/insider3show.3362009741042107/ which demonstrates the serious security issue. Summary An Internet Explorer vulnerability is shown here: Content of dailymail.co.uk can be changed by external domain. How To Use 1. Close the popup window("confirm" dialog) after three seconds. 2. Click "Go". 3. After 7 seconds, "Hacked by Deusen" is actively injected into dailymail.co.uk. Technical Details Vulnerability: Universal Cross Site Scripting(XSS) Impact: Same Origin Policy(SOP) is completely bypassed Attack: Attackers can steal anything from another domain, and inject anything into another domain Tested: Jan/29/2015 Internet Explorer 11 Windows 7 If you like it, please reply "nice". Kind Regards, _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Major Internet Explorer Vulnerability - NOT Patched David Leo (Jan 31)
- Re: Major Internet Explorer Vulnerability - NOT Patched Joey Fowler (Feb 02)
- Re: Major Internet Explorer Vulnerability - NOT Patched David Leo (Feb 04)
- Re: Major Internet Explorer Vulnerability - NOT Patched Dan Ballance (Feb 12)
- Re: Major Internet Explorer Vulnerability - NOT Patched Ben Lincoln (F7EFC8C9 - FD) (Feb 04)
- Re: Major Internet Explorer Vulnerability - NOT Patched Dimitris Strevinas (Feb 07)
- Re: Major Internet Explorer Vulnerability - NOT Patched David Leo (Feb 07)
- Re: Major Internet Explorer Vulnerability - NOT Patched Ben Lincoln (F7EFC8C9 - FD) (Feb 07)
- Message not available
- Re: Suspicious URL:Re: Major Internet Explorer Vulnerability - NOT Patched Christoph Gruber (Feb 11)
- Re: Major Internet Explorer Vulnerability - NOT Patched David Leo (Feb 04)
- Re: Major Internet Explorer Vulnerability - NOT Patched Justin Steven (Feb 07)
- Re: Major Internet Explorer Vulnerability - NOT Patched Joey Fowler (Feb 02)
- <Possible follow-ups>
- Re: Major Internet Explorer Vulnerability - NOT Patched Zaakiy Siddiqui (Feb 04)
- Re: Major Internet Explorer Vulnerability - NOT Patched Barkley, Peter (Feb 07)
- Re: Major Internet Explorer Vulnerability - NOT Patched David Leo (Feb 07)
- Re: Major Internet Explorer Vulnerability - NOT Patched Barkley, Peter (Feb 07)
- Re: Major Internet Explorer Vulnerability - NOT Patched Sijmen Ruwhof (Feb 11)