If at first you don't succeed; call it version 1.0
Wednesday, May 14, 2008

Summary

Internet Explorer is prone to a Cross-Zone Scripting vulnerability in its “Print Table of Links” feature. This feature allows users to add to a printed web page an appendix which contains a table of all the links in that webpage.

An attacker can easily add a specially crafted link to a webpage (e.g. at his own website, comments in blogs, social networks, Wikipedia, etc.), so whenever a user will print this webpage with this feature enabled, the attacker will be able to run arbitrary code on the user’s machine (i.e. in order to take control over the machine).

Affected version

Internet Explorer 7.0 and 8.0b on a fully patched Windows XP.

Windows Vista with UAC enabled is partially affected (Information Leakage only).

Earlier versions of Internet Explorer may also be affected.

Technical details

Whenever a user prints a page, Internet Explorer uses a local resource script which generates an new HTML to be printed. This HTML consists of the following elements: Header, webpage body, Footer, and if enabled, also the table of links in the webpage.

While the script takes only the text within the link’s inner data, it does not validate the URL of links, and add it to the HTML as it is. This allows to inject a script that will be executed when the new HTML will be generated.

As I said in a previous post, most of the local resources in Internet Explorer are now running in Internet Zone. Unfortunately, the printing local resource script is running in Local Machine Zone, which means that any injected script can execute arbitrary code on the user’s machine.

printtableoflinks

Proof of Concept

The following is an example of a URL which executes Windows Calculator:


http://www.google.com/?q=<script defer>new ActiveXObject(“Wscript.Shell”).run(“calc”)</script>

 

I removed the proof-of-concept of the 0day treasure hunt. A live proof-of-concept can be found at milw0rm.

Solution / Suggestion

I’ve contacted Microsoft last Tuesday. Their last response was that they are looking at an appropriate fix.

Until a patch is available, I suggest not to use the “print table of links” feature when printing a webpage.


Wednesday, May 14, 2008 1:12:52 PM UTC | Comments [8] | Security#
Wednesday, May 14, 2008 6:33:28 PM UTC
it's disabled by default
arkon
Wednesday, May 14, 2008 10:51:23 PM UTC
Well, the "print table of links" feature is marked off by default (IE7+IE8b).. so to exploit this issue, a user must visit a maliciously crafted page or a trusted site with content injected by an attacker (XSS/SQL inj'), prompt to print the and manually mark "print table of links" on...

No question this vulnerability severity is high, but the exploitation probability is very low.

Nice find.
Friday, May 16, 2008 6:12:19 PM UTC
Note, in Vista, the user is asked for permission first. This is still an issue, so don't get me wrong. Just want to make sure it is known that Vista protects the user in this case.
Friday, May 16, 2008 6:30:57 PM UTC
yet another reason to keep UAC enabled :-)
Saturday, May 17, 2008 12:58:39 AM UTC
Very cool, thx for sharing this
Saturday, May 17, 2008 10:14:21 PM UTC
I unfortunately havent got a printer right now to test, as a consequence the html is sent to MS Office One Note. But, even if the exploit triggers corretly, you CANNOT instantiate the Wscript.Shell Activex control, even in the local machine zone. (you will get an activex warning). ah and what about local machine zone lockdown feature?...I suppose this is not applied to this local resource script and that this particular script engine permits you to instantiate unsafe activex such as Wscript.Shell.
anyways thank you for this one, it gave me a light to improve a particular issue I found out months ago. (still works :P )
Friday, September 19, 2008 1:56:13 AM UTC
using IE8b2 with XP SP3, there is no calc executed, perhaps it is fixed in the IE8b2 ?
Friday, December 26, 2008 7:36:55 PM UTC
<html>
<body>
Print me with table of links to execute calc.exe

<script>window.print();</script>
</body>
</html>
Comments are closed.     
Send me an Email
Follow me on Twitter
RSS Feeds
  
Blogroll
Archive
Admin Login
Sign In
Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in anyway.