If at first you don't succeed; call it version 1.0
Saturday, 10 March 2007

Whether the vulnerability is cross-site scripting, cross-domain scripting or cross-zone scripting, sooner or later an attacker will need to inject code in order to exploit it. The difference between these types is the context in which the injected code runs.

When we talk about a cross-site or cross-domain scripting vulnerability, we mean that an attacker can execute the injected code within the context of a different internet site or domain. When an attacker exploits a cross-zone scripting vulnerability, however, the context changes from an internet site to an intranet site, or even worse, to pages in the local zone.

Intranet sites and pages running in the local zone run, by default, with fewer security restrictions than internet sites. This means that if an attacker can execute his own code in an intranet site or in the local zone, he will eventually be able to execute malicious code on the victim's machine.

A good example of the difference between these vulnerability types is the QuickTime vulnerability found by pdp. When the MySpace worm exploited it, it was a cross-site vulnerability: only internet sites were involved, and it was used to steal MySpace account information. In MoAB#3, I introduced a way to exploit the same vulnerability in the context of the local zone. That makes it a cross-zone scripting vulnerability, and an attacker can use QuickTime to execute malicious code on the user's machine.
MoAB#3 also used another vulnerability, found by hdm, in one of the local resources of Win2k. As Internet Explorer restricts linking to local resources (res:// files), I used QuickTime to do it.

Lately, I've found that it is possible to open a local resource in Internet Explorer without the need for any additional plug-in (like QuickTime). By using a simple redirection header, an attacker can link to and open a local resource, bypassing Internet Explorer's restriction. I've tested this on IE6 SP2, IE7 and IE7 on Vista.
On its own this might not be a big issue, as Microsoft now runs most of the local resources in the Internet zone, but it might be used to perform other types of cross-site scripting attacks.
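A toy model of the redirect behaviour described above, added here as an example; it is not code from the original post and does not target any real local resource. It assumes a simplified version of Internet Explorer's zone model (Internet, Local intranet, Local Machine, from least to most privileged), a constructed intranet host list, and a placeholder res:// path standing in for whatever local resource an attacker would point at. The vulnerable model checks the zone of the link as written in the page and then follows Location headers blindly; the hardened model re-runs the check on every hop.

```python
from urllib.parse import urlsplit

# Zones from least to most privileged. The three-zone ordering is this
# example's simplification of IE's zone model, not text from the post.
INTERNET, INTRANET, LOCAL_MACHINE = "Internet", "Local intranet", "Local Machine"
PRIVILEGE = {INTERNET: 0, INTRANET: 1, LOCAL_MACHINE: 2}

# Constructed intranet host list (assumption for the example).
INTRANET_HOSTS = {"intranet.example.local"}


def zone_of(url):
    """Assign a URL to a zone: res:// and file:// are local resources,
    dotless hostnames and listed hosts are intranet, everything else Internet."""
    parts = urlsplit(url)
    if parts.scheme in ("res", "file"):
        return LOCAL_MACHINE
    host = (parts.hostname or "").lower()
    if host in INTRANET_HOSTS or (host and "." not in host):
        return INTRANET
    return INTERNET


def elevates(origin_url, target_url):
    """True when target_url lands in a more privileged zone than the page
    the navigation started from (the case IE is supposed to block)."""
    return PRIVILEGE[zone_of(target_url)] > PRIVILEGE[zone_of(origin_url)]


# Constructed stand-in for an attacker-controlled web server: the Location
# header of a 302 response, keyed by the requested URL. The res:// path is a
# placeholder, not a real resource.
REDIRECTS = {
    "http://attacker.example.com/start": "res://placeholder.dll/page.htm",
    "http://attacker.example.com/legit": "http://attacker.example.com/page2",
}


def navigate_link_only(origin_url, link_url, max_hops=5):
    """Vulnerable model: the zone check runs once, on the link as written in
    the page; redirects are then followed without re-checking.
    Returns the final URL reached, or None if the navigation was blocked."""
    if elevates(origin_url, link_url):
        return None
    url = link_url
    for _ in range(max_hops):
        if url not in REDIRECTS:
            return url
        url = REDIRECTS[url]
    return url


def navigate_every_hop(origin_url, link_url, max_hops=5):
    """Hardened model: the zone check is repeated on every redirect target,
    so a 302 to res:// from an Internet-zone page is blocked."""
    url = link_url
    for _ in range(max_hops + 1):
        if elevates(origin_url, url):
            return None
        if url not in REDIRECTS:
            return url
        url = REDIRECTS[url]
    return None  # redirect loop exhausted the hop budget


if __name__ == "__main__":
    origin = "http://evil.example.com/index.html"
    link = "http://attacker.example.com/start"
    print("link-time check only :", navigate_link_only(origin, link))
    print("check on every hop   :", navigate_every_hop(origin, link))
```

The direct `res://` link is refused by both models, which is the restriction the post refers to; only the redirect shows the difference, because the vulnerable model never looks at the URL the server actually sent the browser to.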

Saturday, 10 March 2007 23:26:18 UTC | Comments [1] | Security
Monday, 31 December 2007 16:13:25 UTC
So what do I do to fix the problem? This is messed up. All I wanted to do was to print something for my kids off their new Fisher Price Easy Link they got for Christmas... What's up with that!!!!
