[22925] in bugtraq
Re: Minor IE vulnerability: about: URLs
daemon@ATHENA.MIT.EDU (Nick FitzGerald)
Fri Oct 19 21:59:43 2001
Message-Id: <200110192143.KAA21780@fep4-orange.clear.net.nz>
From: "Nick FitzGerald" <nick@virus-l.demon.co.uk>
To: bugtraq@securityfocus.com
Date: Sat, 20 Oct 2001 10:42:54 +1200
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Reply-To: nick@virus-l.demon.co.uk
Cc: "Clover Andrew" <aclover@1value.com>
In-reply-to: <D58B0195B58937489E89124469E57CA249D9C8@EX1.1value.com>

"Clover Andrew" <aclover@1value.com> wrote:

<<snip>>
> Vendor response: Probably won't fix.
>
> A Microsoft chap pointed out that sites can already break out of the
> Restricted Sites Zone, simply by pointing at another site that is
> not in that Zone.
>
> (Cookies could similarly be shared by creating a 'cookie aggregator'
> site which could be redirected to in order to set the desired cookie
> and return to the originating site with a copy of all cookies set
> by different sites.)
>
> My response: in both cases, the 'rogue' site being redirected to can
> also be put in the Restricted Sites Zone to stop it. This is not the
> case with about: URLs, which are always in the Internet Zone and
> cannot be changed. External sites can also be foiled through
> firewalling and local blackhole routing, which about: cannot.
> Unlike external sites, about: URLs are processed instantaneously,
> making the user much less likely to notice them. Finally, an external
> cookie aggregator site would be subject to privacy policies and laws,
> which about: URLs cannot be.
>
> I think it is a shame that the usefulness of the Restricted Sites
> Zone feature and the locality restrictions on cookies are compromised
> in favour of a feature (about:something generating a page with
> 'something' on) that is undocumented, non-standard, little-known and
> of no conceivable legitimate use whatsoever.

Users just *may* be able to control handling of "about:" URLs (at
least insofar as breaking them completely counts as "controlling
them" 8-) ). There is a registry key:
HKCR\PROTOCOLS\Handler\about
which in the fairly default install of IE 5.5 on this machine holds
two values -- an empty default value and a CLSID string value set to
{3050F406-98B5-11CF-BB82-00AA00BDCE0B}. In HKCR\CLSID that CLSID is
described as "Microsoft HTML About Pluggable Protocol" and (not
surprisingly) an InProcServer of "%SystemRoot%\System32\mshtml.dll".
I imagine you could munge either the InProcServer value of the CLSID
to break all references to the about: protocol called through a CLSID
reference or just munge the CLSID value in the Protocol\about key to
break calls to the about: protocol via the approved mechanisms for
protocol handling. I don't have the time right now to play with this
(it's bound to require reboots between these registry changes!), but
if someone else does, I'm sure others than just me would like to hear
the results.

Assuming that works, I have no idea what the effect on "publicly
shareable" cookies would be, but suspect it would break them too.
Anyone??

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
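As an added example that is not part of Nick's post, the following read-only PowerShell script audits the registration he describes: it reads HKCR\PROTOCOLS\Handler\about, takes its CLSID value, and resolves that CLSID under HKCR\CLSID to the pluggable protocol's description and in-process server DLL, then checks whether that DLL actually exists on disk. The key paths, the CLSID value name and the expected CLSID come from the post; that the server DLL is recorded under an InProcServer32 subkey is an assumption (the post says only "an InProcServer of"), as is the presence of these keys on any given Windows build. The script changes nothing, so it can be run before deciding whether any of the "munging" Nick speculates about is worth trying on a test machine.

```powershell
# Added example (not from the original post): read-only audit of the
# "about:" pluggable protocol handler registration described by Nick.
# Key paths and the CLSID value name are taken from the post; the
# InProcServer32 subkey name is an assumption (standard COM registration).

$handlerPath = 'Registry::HKEY_CLASSES_ROOT\PROTOCOLS\Handler\about'

function Get-AboutProtocolHandler {
    # Returns $null when the handler key is absent, i.e. no pluggable
    # protocol handler is registered for about: at all.
    if (-not (Test-Path -LiteralPath $handlerPath)) {
        return $null
    }

    $handler = Get-ItemProperty -LiteralPath $handlerPath
    $clsid   = $handler.CLSID        # value name as given in the post

    $result = [ordered]@{
        HandlerKey     = $handlerPath
        CLSID          = $clsid
        Description    = $null
        InProcServer32 = $null
        ServerExists   = $false
    }

    if ($clsid) {
        $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        if (Test-Path -LiteralPath $clsidKey) {
            # The CLSID key's default value is the human-readable name
            # ("Microsoft HTML About Pluggable Protocol" in the post).
            $result.Description = (Get-ItemProperty -LiteralPath $clsidKey).'(default)'

            # Assumption: the in-process server lives in the InProcServer32 subkey.
            $serverKey = "$clsidKey\InProcServer32"
            if (Test-Path -LiteralPath $serverKey) {
                $dll = (Get-ItemProperty -LiteralPath $serverKey).'(default)'
                $result.InProcServer32 = $dll
                # Expand %SystemRoot% so we can confirm the DLL is really there.
                $expanded = [Environment]::ExpandEnvironmentVariables($dll)
                $result.ServerExists = Test-Path -LiteralPath $expanded
            }
        }
    }

    return [pscustomobject]$result
}

$info = Get-AboutProtocolHandler
if ($null -eq $info) {
    Write-Output 'No HKCR\PROTOCOLS\Handler\about key: about: has no pluggable protocol handler registered.'
} else {
    $info | Format-List
    if ($info.CLSID -eq '{3050F406-98B5-11CF-BB82-00AA00BDCE0B}') {
        Write-Output 'CLSID matches the mshtml.dll handler quoted in the post.'
    } else {
        Write-Output 'CLSID differs from the one in the post; inspect the registration by hand.'
    }
}
```

Run it from an ordinary (non-elevated) PowerShell session, since it only reads HKEY_CLASSES_ROOT. A result with ServerExists set to False, or a CLSID other than the one above, is the condition a defender would want to investigate before attributing any about: behaviour to the stock mshtml.dll handler.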