Re: Major Internet Explorer Vulnerability - NOT Patched

[David Leo <david.leo () deusen co uk>]

'could you share the contents of "1.php"?'
Sure:
<?php
sleep(2);
header("Location: http://www.dailymail.co.uk/robots.txt";);
?>

"I'm assuming it is a delayed re-direct to the target's domain?"
Exactly. :-)

"the cloudflare scripts"
It's been tested without them.

Kind Regards,

On 2015/2/6 2:31, Barkley, Peter wrote:
> Thanks Zaakiy,
>
> I'm able to get the hacked page on IE9 after changing the document mode from Quirks to IE9 Standards. Screenshot attached. 
> I'm sure you could get around having to manually switch the document mode with the appropriate DOCTYPE set in the exploit 
> html page.
>
> David, could you share the contents of "1.php"? I'm assuming it is a delayed re-direct to the target's domain? I am 
> unable to reproduce the exploit locally with the same code (assuming my 1.php is correct), though without the cloudflare scripts.
>
> Thanks,
> Peter
>
>
> Peter Barkley | Senior Security Intelligence Analyst | Security Operations Centre | Royal Bank of Canada
>
>
>
> -----Original Message-----
> From: Fulldisclosure [mailto:fulldisclosure-bounces () seclists org] On Behalf Of Zaakiy Siddiqui
> Sent: 2015, February, 04 6:46 PM
> To: David Leo; Joey Fowler
> Cc: fulldisclosure () seclists org; bugs () securitytracker com; bugtraq () securityfocus com; cve-assign () mitre org
> Subject: Re: [FD] Major Internet Explorer Vulnerability - NOT Patched
>
> Hi David,
>
> Nice one…great find!  And thanks Joey for confirming the bypass of HTTP-to-HTTPS restrictions.
>
> I can confirm that this also affects Spartan Browser (Experimental enabled in about:flags in Internet Explorer 11).
>
> I can also confirm that IE 10 is affected.
>
> IE 9 appears to not be vulnerable. Screenshots below.
>
> Regards,
> Zaakiy Siddiqui
>
>
> IE 11 Spartan - vulnerable (Windows 10)
>
> [cid:Image1466.png@14b56f08dd75bb]
>
> [cid:Image1487.png@14b56f6487b5d0]
>
>
> IE 10 - vulnerable (Windows 7)
> [cid:Image1485.jpg@14b56f5f5025ce]
>
> IE 9 - not vulnerable (Windows 7)
>
> [cid:Image1503.jpg@14b56fa3c785e0]
>
>
> From: David Leo<mailto:david.leo () deusen co uk>
> Sent: ‎Wednesday‎, ‎4‎ ‎February‎ ‎2015 ‎11‎:‎13‎ ‎PM
> To: Joey Fowler<mailto:joey () tumblr com>
> Cc: bugtraq () securityfocus com<mailto:bugtraq () securityfocus com>, fulldisclosure () seclists org<mailto:fulldisclosure () 
> seclists org>, bugs () securitytracker com<mailto:bugs () securitytracker com>, cve-assign () mitre org<mailto:cve-assign () mitre 
> org>
>
> Microsoft was notified on Oct 13, 2014.
>
> Joey thank you very much for your words.
>
> Kind Regards,
>
> On 2015/2/3 4:53, Joey Fowler wrote:
> > Hi David,
> >
> > "nice" is an understatement here.
> >
> > I've done some testing with this one and, while there /are/ quirks, it most definitely works. It even bypasses standard 
> > HTTP-to-HTTPS restrictions.
> >
> > As long as the page(s) being framed don't contain X-Frame-Options headers (with `deny` or `same-origin` values), it 
> > executes successfully. Pending the payload being injected, most Content Security Policies are also bypassed (by injecting 
> > HTML instead of JavaScript, that is).
> >
> > It looks like, through this method, all viable XSS tactics are open!
> >
> > Nice find!
> >
> > Has this been reported to Microsoft outside (or within) this thread?
> >
> > --
> > Joey Fowler
> > Senior Security Engineer, Tumblr
> >
> >
> >
> > On Sat, Jan 31, 2015 at 9:18 AM, David Leo <david.leo () deusen co uk <mailto:david.leo () deusen co uk>> wrote:
> >
> >      Deusen just published code and description here:
> >      http://www.deusen.co.uk/items/__insider3show.3362009741042107/ 
> > <http://www.deusen.co.uk/items/insider3show.3362009741042107/>
> >      which demonstrates the serious security issue.
> >
> >      Summary
> >      An Internet Explorer vulnerability is shown here:
> >      Content of dailymail.co.uk <http://dailymail.co.uk> can be changed by external domain.
> >
> >      How To Use
> >      1. Close the popup window("confirm" dialog) after three seconds.
> >      2. Click "Go".
> >      3. After 7 seconds, "Hacked by Deusen" is actively injected into dailymail.co.uk <http://dailymail.co.uk>.
> >
> >      Technical Details
> >      Vulnerability: Universal Cross Site Scripting(XSS)
> >      Impact: Same Origin Policy(SOP) is completely bypassed
> >      Attack: Attackers can steal anything from another domain, and inject anything into another domain
> >      Tested: Jan/29/2015 Internet Explorer 11 Windows 7
> >
> >      If you like it, please reply "nice".
> >
> >      Kind Regards,
> >
> >
> >      _________________________________________________
> >      Sent through the Full Disclosure mailing list
> >      https://nmap.org/mailman/__listinfo/fulldisclosure <https://nmap.org/mailman/listinfo/fulldisclosure>
> >      Web Archives & RSS: http://seclists.org/__fulldisclosure/ <http://seclists.org/fulldisclosure/>
>
> _______________________________________________________________________
> If you received this email in error, please advise the sender (by return email or otherwise) immediately. You have 
> consented to receive the attached electronically at the above-noted email address; please retain a copy of this 
> confirmation for future reference.
>
> Si vous recevez ce courriel par erreur, veuillez en aviser l'expéditeur immédiatement, par retour de courriel ou par un 
> autre moyen. Vous avez accepté de recevoir le(s) document(s) ci-joint(s) par voie électronique à l'adresse courriel indiquée 
> ci-dessus; veuillez conserver une copie de cette confirmation pour les fins de reference future.


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/