Cross-zone scripting

Cross-zone scripting is a browser exploit taking advantage of a vulnerability within a zone-based security solution. The attack allows content (scripts) in unprivileged zones to be executed with the permissions of a privileged zone - i.e. a privilege escalation within the client (web browser) executing the script. The vulnerability could be:

A common attack scenario involves two steps. The first step is to use a cross-zone scripting vulnerability to get scripts executed within a privileged zone. To complete the attack, then perform malicious actions on the computer using insecure ActiveX components.

This type of vulnerability has been exploited to silently install various malware (such as spyware, remote control software, worms and such) onto computers browsing a malicious web page.

Origins of the zone concept

Internet Explorer 4 introduced a security zone concept into Internet Explorer. However, this is a generic issue which is not Internet Explorer specific; some other browsers also implicitly implement the Local Computer zone.

There are four well known zones in Internet Explorer:

These zones are explained in detail by Q174360: How to use security zones in Internet Explorer.

There is also an additional hidden zone:

Local intranet, Trusted sites and Local Computer are usually configured to be privileged zones. Most cross-zone scripting attacks are designed to jump from Internet zone to a privileged zone.

Examples

Into the local computer zone

This type of exploit attempts to execute code in the security context of Local Computer Zone.

The following HTML is used to illustrate a naive (non-working) attempt of exploitation:

<HTML>
<IMG SRC="attack.gif">
<SCRIPT SRC="file://C:\Documents and Settings\Administrator\
         Local Settings\Temporary Internet Files\attack.gif">
</HTML>

Explanation: the HTML code attempts to get attack.gif loaded into the cache by using an IMG SRC reference. Then a SCRIPT SRC tag is used to attempt executing the script from the Local Computer Zone by addressing the local file in cache.

Into the local intranet zone

Consider this scenario:

http://intranet.example.com/xss.php?<script>alert()</script>

A computer which considers intranet.example.com a part of Local Intranet zone will now successfully be cross zone scripted.

Into the trusted sites zone

A well-known example is the %2f bug in Internet Explorer 6. It was discovered that the following URL

http://windowsupdate.microsoft.com%2f.example.com/

executed with "Trusted Sites" permission if windowsupdate.microsoft.com was listed as a trusted site.

External links

This article is issued from Wikipedia - version of the 12/9/2015. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.