Exploitalert - Database of Exploits

Microsoft Internet Explorer 6.0 embedded content cross site scripting

CVE	Category	Price	Severity
CVE-2009-0075	CWE-79	$500	High

Author	Risk	Exploitation Type	Date
Unspecified	High	Remote	2005-10-06

CVSS	EPSS	EPSSP
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N	0.02192	0.50148

CVSS vector description

Metric	Value	Metric Description	Value Description
Attack vector	Network	AV	The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity	Low	AC	The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required	None	PR	The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
Scope	Unchanged	S	An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality	Low	C	There is some impact on confidentiality, but the attacker either does not gain control of any data, or the information obtained does not have a significant impact on the system or its operations.
Integrity	Low	I	Modification of data is possible, but the attacker does not have control over what can be modified, or the extent of what the attacker can affect is limited. The data modified does not have a direct, serious impact on the system.
Availability	None	A	There is no impact on the availability of the system; the attacker does not have the ability to disrupt access to or use of the system.

http://cxsecurity.com/ascii/WLB-2005090015

Microsoft Internet Explorer 6.0 embedded content cross site scripting scip AG Vulnerability ID 1746 (09/22/2005) http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=1746 I. INTRODUCTION Microsoft Internet Explorer is since many years the most popular web browser. The main reason for this popularity is the default use in the latest releases of the Microsoft Windows operating system series. More Information are available at the official Microsoft Internet Explorer web site: http://www.microsoft.com/windows/ie/ II. DESCRIPTION Sven Vetsch found a cross site scripting vulnerability in the current releases of Microsoft Internet Explorer. Thus, it is possible to use a manipulated embedded content to run arbitrary script code in the security context of the website. The problem lies in the handling of the content of such files (e.g. a picture). In the first place the usual file header (e.g. for GIF files) is provided - The remaining content of the file could be usual html data. Therefore embedding script code in the latter may be possible. This injected code is executed by the HTML rendering engine of the web browser. In the proof-of-concept by Sven Vetsch and the examples of scip AG a GIF file is used (see chapter III). But it seems other files that could be embedded in an html file could be used too (e.g. JPG, WAV, AVI, RM/RAM). It seems that the Internet Explorer is putting all the data (HTML frame and embedded content) into one stream. Afterwards this one is put thru the rendering engine. This is not able to determine the real beginning and end of an embedded file. Content of those - not expected in any way - is handled as HTML code too. More details are available at the scip vulnerability Database at http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=1746 (german only). III. EXPLOITATION The following proof-of-concept has been published in the articles "Wie mit GIF-Bildern Cross Site Scripting-Angriffe im Internet Explorer umgesetzt werden knnen" in scip monthly Security Summary Issue 19. September 2005 (pp. 12-14)[1] and "GIF-Bug im Internet Explorer 6 - Proof of Concept" at computec.ch[2]: 01 <GIF89a? 8 ?f???> 02 <html> 03 <head> 04 <script> 05 alert("XSS"); 06 </script> 07 </head> 08 <body> 09 </body> 10 </html> As you can see in the line 01 the usual GIF89a header is given. But the following lines (02-10) come with common HTML and script code. Successfull exploitation requires streaming the content (e.g. the web site and the corrupted embedded content) from a web server over HTTP or HTTPS. Running the exploit locally is not possible because the handling of the data seems not to be the same. IV. IMPACT This seems to be a major problem. All web sites that allow the upload of files to use in further use are affected. For instance auction web sites as like eBay with a corrupted picture of the sell item or all board pages with the functionality of an avatar upload. V. DETECTION An attack attempt is not easy to detect. Content screening may be able to detect suspicous strings as like <script>. See chapter VI for more details and counter-measures. VI. WORKAROUND End users should change to another web browser engine that is not affected by this vulnerability. Successfull testings have been made with free browsers as like Mozilla Firefox up to 1.0.5, Netscape up to 8.0 and Opera. All of them are not affected. Web masters have to possibilities of preventing misuse of their systems: (1) They could de-activate all upload and embedding (e.g. BBcode or HTML code) in their web site. (2) The other solution would be a content check of untrusted files if they include scripting or html code. Strings as like <script> should raise the alarm and let the data throw away. Regulary expression as used in classical input validation of web applications can be applied here too. VII. VENDOR RESPONSE Microsoft has been informed in an early stage of elevation (see chapter IX) at 07/31/05. There were no real verification of the threat and danger in the response mail at 01/08/05. We expect the vendor is addressing the issue with an emergency patch the next few weeks/months. Tipp: Visit http://windowsupdate.microsoft.com on a regulary base. VIII. SOURCES scip AG Vulnerability Database (german) http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=1746 scip monthly Security Summary, Issue 19. September 2005 (german) http://www.scip.ch/publikationen/smss/ computec.ch document data base (german) http://www.computec.ch/download.php?view.683 disenchant.ch advisory (german) http://www.disenchant.ch/fileadmin/downloads/papers/dok_svetsch_20050812 _02_gif_bug_im_ie6_poc.pdf IX. DISCLOSURE TIMELINE 07/15/05 Sven Vetsch detects the flaw 07/28/05 Discussion between Sven Vetsch and scip AG how to disclose the information 07/31/05 Sven Vetschs informs Microsoft 08/08/05 Semi-automated response by Microsoft 09/19/05 scip AG informes their registered Pallas and SMS customers[3] 09/19/05 Proof-of-concept published at computec.ch 09/19/05 Full article published in scip monthly Security Summary[1] 09/22/05 Public advisory X. CREDITS The vulnerability was discovered by Sven Vetsch. Sven Vetsch admin-at-disenchant.ch http://www.disenchant.ch Further analysis and disclosure of this information has been done by Marc Ruef at scip AG, Switzerland. Marc Ruef, scip AG maru-at-scip.ch http://www.scip.ch A1. BIBLIOGRAPHY [1] http://www.scip.ch/publikationen/smss/ (german) [2] http://www.computec.ch/download.php?view.683 (german) [3] http://www.scip.ch/dienstleistungen/pallas/ (german) A2. LEGAL NOTICES Copyright (c) 2005 by scip AG, Switzerland. Permission is granted for the re-distribution of this alert. It may not be edited in any way without permission of scip AG. The information in the advisory is believed to be accurate at the time of publishing. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect or consequential loss or damage from use of or reliance on this advisory.

Impressum