
Security Forums

Internet Explorer CSS import vulnerability

Author: matang
Joined: 01 Dec 2005

Posted: Thu Dec 01, 2005 12:54 pm    Post subject: Internet Explorer CSS import vulnerability

Hello,

It seems that IE has a serious design flaw in its Cascading Style Sheets imports mechanism. This flaw allows an attacker to bypass cross domain restrictions and fetch snippets of code from another site.

To import a CSS file to a page one can use the @import directive in the STYLE section of a web page or use the handy IE only method "addImport". The imported style sheets can later be read by using the "cssText" property in the "document.styleSheets" collection.

IE's lenient CSS parser allows one page to do an import on a URL that is not a valid CSS file. Afterwards the "cssText" property can be read with pieces of code from that URL that were mis-parsed as CSS rules. Since CSS rules have a certain structure, the amount of code that can be gleaned from a remote site depends a lot on the target site's design and code. The target site must have some combination of curly braces, colons and semicolons so pieces of code can be seen in the cssText property. Since most modern sites have JavaScript code and CSS rules embedded on the pages themselves, it's almost always possible to retrieve at least some code.

An attacker can improve his luck by injecting these characters into the target site through parameters in the URL. Many sites allow these characters to come through unchanged since they consider them harmless. Through trial and error, an attacker may be able to retrieve large portions of the target site.

Using this vulnerability I was able to exploit Google Desktop to search and retrieve private user information, such as passwords and credit card numbers, from a local hard drive. Google Desktop's interface is actually a web server that listens on port 4664 on the localhost address. To access it one must have a valid key that's randomly generated. A link to "Desktop" appears on all of Google's websites once a user installs it. This link is injected through a browser plugin.

By CSS importing the Google News website with a query that injects the curly braces I was able to retrieve the "Desktop" link with the valid key. Then it's simply a matter of doing another CSS import on the URL of the local web server with the valid key plus a query for what I needed to be found on the local hard drive. By injecting a "{" character into this query I was able to retrieve all the search results from the query.

This vulnerability extends way beyond Google Desktop. I was able to exploit at least one other webmail service using this technique. It's very much like classic XSS attacks only here the target site doesn't have to be vulnerable to script injection.

Firefox doesn't seem to be affected since it enforces cross-domain restrictions on CSS imports. Opera doesn't support the "styleSheets" collection, so it's not vulnerable either. I tested this vulnerability on a fully patched IE6 browser; earlier versions are possibly vulnerable as well.

I have a more thorough discussion about this on my website at:
http://www.hacker.co.il/security/ie/css_import.html

A proof of concept for the Google Desktop exploit can be found here:
http://www.hacker.co.il/security/ie/gdsexploit.html
(Note that it only works on IE browsers with Google Desktop v2 installed)

Matan Gillon
http://www.hacker.co.il