Thursday, October 21, 2010

Minor leak, major headache

I find this bug interesting, because at first it looks like a relatively minor cross-origin leak. But with a bit of investigation, it has major consequence.

The bug is specific to Internet Explorer, and still seems unfixed (in stable versions) at the time of writing. I told Microsoft about it back in 2008. Therefore this disclosure is not an 0-day, but more like a 600-day.

The bug is pretty simple: IE supports a window.onerror callback which fires whenever a Javascript parse or runtime error occurs, and it passes the error message to the handler. Trouble is, it fires even when www.evil.com registers its own window.onerror handler and then includes <script src="http://www.bank.com/">: a parse error in the bank's cross-origin response is reported, message and all, to the attacker's page. We'll demonstrate the consequence of this later.

The bug has a very interesting history, which is worth briefly outlining here:
So why is this a serious bug? Well, Javascript error messages are usually pretty terse, but in at least one case cross-origin content is echoed back to the attacker verbatim: the name of an undefined variable, e.g. 'blah' is not defined.

So if the cross-origin text looks like a Javascript variable reference, then the attacker has a very useful leak!

Here is a proof-of-concept against Google Reader, which works by stealing cross-origin content which happens to be an anti-XSRF token:

http://scary.beasts.org/misc/reader.html

As it happens, the Reader product deployed a change which detects the vulnerable User-Agent string (Internet Explorer) and uses a workaround. So the PoC is neutered. This is a shame because the PoC used to force your friend to subscribe to a goat-farming feed against their will. For now, you'll have to locate an alternate attack vector for this vulnerability -- do let me know what you find via a comment.

It's worth closing with some notes that this area is ripe for further research. There are a variety of text structures which can be stolen with this trick (iteratively if necessary: define the name that just leaked in your own page, reload the cross-origin script, and the next undefined name leaks):
  • a,b,c -- i.e. the CSV syntax
  • The b in a:b
  • a.b.c
  • The b in {a:b}
  • Expression constructs such as a/b/c
  • Constructs like the above, if wrapped in () or [] etc.
To experiment with what Javascript error message you might see with a given piece of cross-origin text, you can use:

http://scary.beasts.org/misc/onerr.html

(Only works in browsers with window.onerror, such as IE).

Please leave a comment if you have more constructs which can be stolen; or more examples of sites where stuff can be stolen from.

3 comments:

Rebecca Menessec said...

Just to be clear: does this vulnerability affect all versions of IE, including 9-preview, or are MS only refusing to expend the effort on "obsolete" versions of IE?

Chris Evans said...

@Rebecca: I believe it's fixed in IE9 preview although I have not confirmed myself. This does not help the majority of IE users, who will be surfing using the supported versions 6, 7 and 8.

Rebecca Menessec said...

@Chris: No, and it'll screw 2K users (they still exist, and I still support some) and XP users (truckloads). I know. I was just wondering if this was the increasingly-usual stance of, "Well, I *guess* we'll fix it, since we're putting new code out. But only in the one new version."

I realize they have to be able to prioritize to some extent, but I'm wicked tired of hearing that something is a "low-risk" vulnerability, and as such doesn't deserve fixing. Ever.

I could see three tiers: 1) OoC release, 2) Patch Tuesday, 3) 2-3 Patch Tuesdays. But apparently the third tier is actually "whenever, if ever; probably never".

Coming at the same time as today's publicity of slipping IE and specifically IE8 marketshare, it feels like Microsoft is abandoning IE, for all that they "put the team back together".