Cross-zone scripting
Web Design & Development Guide
Cross-zone scripting is a browser exploit taking advantage of a vulnerability within a zone-based security solution. The attack allows content (scripts) in unprivileged zones to be executed with the permissions of a privileged zone - i.e. a privilege escalation within the client (web browser) executing the script. The vulnerability could be:
- a web browser bug which under some conditions allows content (scripts) in one zone to be executed with the permissions of a higher privileged zone.
- a web browser configuration error; unsafe sites listed in privileged zones.
- a cross-site scripting vulnerability within a privileged zone.
A common attack scenario involves two steps. The first step is to use a Cross Zone Scripting vulnerability to get scripts executed within a privileged zone. The second step, which completes the attack, is to perform malicious actions on the computer using insecure ActiveX components that the privileged zone is allowed to run.
This type of vulnerability has been exploited to silently install various
malware (such as spyware, remote control software, worms and such) onto computers browsing a malicious web page.
Origins of the zone concept
Internet Explorer introduced the security zone concept. However, the underlying issue is generic and not Internet Explorer specific; some other browsers also implicitly implement the Local Computer zone.
There are four well known zones in Internet Explorer:
- Internet. The default zone. Everything which does not belong to other zones.
- Local intranet.
- Trusted sites. Usually used to list trusted sites which are allowed to execute with insane security permissions (e.g. run unsafe and unsigned ActiveX objects).
- Restricted sites.
These zones are explained in detail by
Q174360: How to use security zones in Internet Explorer.
There is also an additional hidden zone:
- Local Computer zone (or My Computer zone). This zone is particularly interesting because it can access files on the local computer. Historically this zone has been extremely insecure, but in recent versions of Internet Explorer (for Windows XP) steps have been taken to reduce the risks associated with this zone.
Local intranet, Trusted sites and Local Computer are
usually configured to be privileged zones. Most Cross Zone Scripting attacks are
designed to jump from Internet zone to a privileged zone.
Cross-zone scripting examples
Cross-zone scripting into Local Computer Zone
This type of exploit attempts to execute code in the security context of the Local Computer Zone.
The following HTML is used to illustrate a naive (non-working) attempt of
exploitation:
<HTML>
<IMG SRC="attack.gif">
<SCRIPT SRC="file://C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\attack.gif"></SCRIPT>
</HTML>
Explanation: the HTML code attempts to get attack.gif loaded into the browser cache by using an IMG SRC reference. A SCRIPT SRC tag is then used to attempt to execute the script from the Local Computer Zone by addressing the cached copy through its local file path.
Cross-zone scripting into Local Intranet Zone
Consider this scenario:
- an attacker (somehow) knows of a cross-site scripting vulnerability on http://intranet.example.com/xss.php
- a lot of http://intranet.example.com users regularly visit http://www.example.com/, where anyone can add Cool links.
- the attacker adds a Cool link to: http://intranet.example.com/xss.php?<script>alert()</script>
A computer which considers intranet.example.com a part of the Local Intranet zone will now be successfully cross-zone scripted.
Cross-zone scripting into Trusted Sites Zone
A well known example is the
%2f bug in Internet Explorer. It was discovered that the following URL
http://windowsupdate.microsoft.com%2f.example.com/
executed with "Trusted Sites" permission if windowsupdate.microsoft.com
was listed as a trusted site.
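The %2f bug above is, at bottom, a zone lookup that matched on the raw URL text instead of on a properly parsed host name. The following example, added here and not part of the original article or of Internet Explorer's own zone code, contrasts a naive prefix-based zone lookup with one that parses the URL first using the WHATWG URL parser available in Node.js and browsers. The zone names, the trusted-host configuration and the sample URLs are constructed for the demonstration; the function names `zoneForNaive`, `zoneForStrict` and `compareClassifiers` are hypothetical.

```javascript
// Added example: zone lookup fooled by a "%2f" style URL, and a strict
// alternative. Illustrative only; not Internet Explorer's actual logic.

// Constructed configuration: hosts an administrator placed in privileged zones.
const ZONE_CONFIG = {
  "Trusted sites": ["windowsupdate.microsoft.com"],
  "Local intranet": ["intranet.example.com"],
};

// Naive classifier: decides the zone by checking whether the raw URL string
// begins with "http://<trusted host>". Because it never parses the host,
// "http://windowsupdate.microsoft.com%2f.example.com/" starts with the trusted
// prefix and is wrongly granted Trusted sites rights (as is a plain
// sub-domain lookalike such as windowsupdate.microsoft.com.example.com).
function zoneForNaive(rawUrl, config = ZONE_CONFIG) {
  for (const [zone, hosts] of Object.entries(config)) {
    for (const host of hosts) {
      if (rawUrl.startsWith("http://" + host) || rawUrl.startsWith("https://" + host)) {
        return zone;
      }
    }
  }
  return "Internet";
}

// Strict classifier: parse the URL first, then compare the parsed hostname
// exactly against the configured lists. Parsing
// "http://windowsupdate.microsoft.com%2f.example.com/" throws, because "%2f"
// decodes to "/", which is not a legal hostname character; anything that fails
// to parse is rejected rather than being given privileges.
function zoneForStrict(rawUrl, config = ZONE_CONFIG) {
  let parsed;
  try {
    parsed = new URL(rawUrl);
  } catch (e) {
    return "Rejected";
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    return "Rejected";
  }
  const hostname = parsed.hostname.toLowerCase();
  for (const [zone, hosts] of Object.entries(config)) {
    if (hosts.includes(hostname)) return zone;
  }
  return "Internet";
}

// Constructed sample URLs: a genuine trusted host, the %2f lookalike from the
// article, a sub-domain lookalike, an intranet host and an ordinary site.
const SAMPLE_URLS = [
  "http://windowsupdate.microsoft.com/",
  "http://windowsupdate.microsoft.com%2f.example.com/",
  "http://windowsupdate.microsoft.com.example.com/",
  "http://intranet.example.com/xss.php",
  "http://www.example.com/",
];

// Runs both classifiers over the samples so the difference is visible side by side.
function compareClassifiers(urls = SAMPLE_URLS) {
  return urls.map((u) => ({ url: u, naive: zoneForNaive(u), strict: zoneForStrict(u) }));
}

for (const row of compareClassifiers()) {
  console.log(`${row.url}\n  naive:  ${row.naive}\n  strict: ${row.strict}`);
}
```

The point of the strict version is not the particular parser but the order of operations: the host name is extracted by a parser with well-defined escaping rules before any zone decision is made, so an escaped separator in the raw text can no longer make one host look like another.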