Aviv Raff drops an 0-day for IE 7.0 and 8.0b on XP

Aviv Raff drops an 0-day for IE 7.0 and 8.0b on XP

Summary: I've been busy all day and just haven't been able to get to it until now, but Aviv Raff is a seriously bad man.  I follow his blog religiously as he always has some cool stuff going on and a lot of it tends to be thought provoking for other areas of attack.

SHARE:
6

I've been busy all day and just haven't been able to get to it until now, but Aviv Raff is a seriously bad man.  I follow his blog religiously as he always has some cool stuff going on and a lot of it tends to be thought provoking for other areas of attack.  Well, imagine my lack of surprise when he dropped and 0-day for IE 7.0 and 8.0b on XP today.  He calls the flaw: Internet Explorer "Print Table of Links" Cross-Zone Scripting Vulnerability.

I'll leave it to Aviv to explain, full details on his blog, including proof of concept code that he has provided, but I'll paraphrase things here:

Summary

Internet Explorer is prone to a Cross-Zone Scripting vulnerability in its “Print Table of Links” feature. This feature allows users to add to a printed web page an appendix which contains a table of all the links in that webpage.

An attacker can easily add a specially crafted link to a webpage (e.g. at his own website, comments in blogs, social networks, Wikipedia, etc.), so whenever a user will print this webpage with this feature enabled, the attacker will be able to run arbitrary code on the user’s machine (i.e. in order to take control over the machine).

Actually, an unvalidated thought on this, so don't quote me on it, but a nice deployment vector might be to use an online word processor, like Google docs, provide someone the capability to print from HTML version of the doc... something similar to this where a user would definitely want to print the information, rather than just read it online.

Technical details

Whenever a user prints a page, Internet Explorer uses a local resource script which generates an new HTML to be printed. This HTML consists of the following elements: Header, webpage body, Footer, and if enabled, also the table of links in the webpage.

While the script takes only the text within the link’s inner data, it does not validate the URL of links, and add it to the HTML as it is. This allows to inject a script that will be executed when the new HTML will be generated.

As I said in a previous post, most of the local resources in Internet Explorer are now running in Internet Zone. Unfortunately, the printing local resource script is running in Local Machine Zone, which means that any injected script can execute arbitrary code on the user’s machine.

Oh boy does that sound familiar?  Actually, brings up something I've been meaning to blog about which will be the subject of my presentation with Rob Carter, John Heasman, and Billy Rios at Black Hat Vegas.  One of the most concerning things about cross-site scripting is when you can execute your script in a higher privileged zone, as Aviv has here.  In some cases, you can actually run arbitrary commands on the operating system, read/write files, and definitely make all the cross-domain requests (with cookies) that you'd like.  I'll save this for a different blog posting, because that was always the plan, but if you are interested in seeing more on this, Rob Carter has been hitting this really hard over at his blog.

Well done as always Aviv, very interesting work.

This is currently unpatched and in all of its 0-day glory, so for the time being, beware printing using the "print table of links" option when printing web pages.  Seriously, just print this link, I dare you... no, j/k, but be safe.

-Nate

Topics: Browser, Microsoft, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

6 comments
Log in or register to join the discussion
  • Vista is NOT affected because UAC and IE7's protected mode

    Vista is NOT affected because there're UAC and IE7's protected mode.
    Yet another reason to use Vista!
    qmlscycrajg
    • Actually...

      Aviv Raff states on his blog that it is affected for Information disclosure, but that's it. I'm not sure what level of info disclosure we're talking about there though.

      -Nate
      nmcfeters
      • Vista NOT affected by code execution

        Vista NOT affected by code execution
        qmlscycrajg
        • Correct, which I also stated (NT)

          (NT)
          nmcfeters
        • Vista is recommended ...

          For putting your private information at risk, but not for joining the bot-net!! At least not from this particular vulnerability. ((o;)<

          However you could save the cost of the OS by just starting up a Facebook or Myspace page with your existing OS. At least then you won't have to get permission from UAC every time you want to do something...
          Still Lynn
  • title font

    The font used for the title makes "0-day" look like "o-day". What a stupid font.
    herorev