On June 12th, Microsoft released an update to cover the five vulnerabilities addressed in MS07-033. One of the flaws, titled "Navigation Cancel Page Spoofing Vulnerability" (CVE-2007-1499), demonstrated a common problem in how resource URLs are used in Internet Explorer. This vulnerability allowed an attacker to modify the URL used in the Refresh link of the Navigation Cancelled screen of Internet Explorer 7. To exploit this flaw, an attacker would redirect the victim to a res://ieframe.dll/navcancl.htm resource URL that contains a hash character (#) and a crafted XSS string.
The vulnerability occurs in one of the included javascript functions of the navcancl.htm page. You can view the source yourself by entering that res:// URL into the location bar of Internet Explorer 7, right-clicking the page, and selecting the View Source menu item. At the top of the HTML source, we see two script tags that load external javascript files: errorPageStrings.js and httpErrorPagesScripts.js. If we enter the URL for httpErrorPagesScripts.js into the location bar, we find a function named navCancelInit() in the javascript source. This function reads the value after the hash mark in the URL and rewrites the Refresh link to point to that location. The only restriction is that the value after the hash mark must begin with http(s)://, ftp://, or file://. The problem with this code is that an attacker can insert a double-quote and a close-parenthesis into the URL and then append arbitrary javascript, which will be executed within the context of the resource domain. For example, the following URL causes an alert box to pop up when the Refresh link is clicked:
res://ieframe.dll/navcancl.htm#http://BOGUS/");alert("Hello");// After a quick review, it appears that most IPS vendors detect this attack by looking for a link to res://ieframe.dll/navcancl.htm that contains a double-quote in the parameter. What they missed is that this location can also be accessed using a link to about:cancel. For example, the following URL will exploit this vulnerability the exact same way: about:cancel#http://BOGUS/");alert("Hello");//The list of mappings between about URLs and resource links can be found in the HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs registry key.StrikePack 11995 included two strikes for this vulnerability, ms07_033_navcancel_xss_about.xml and ms07_033_navcancel_xss_res.xml, which can be found in the /strikes/exploits/browser/ directory of the strike tree.