A ghost in your browser?

Date: July 03, 2008

“Do you believe in ghosts?” This is the catchy question Manuel Caballero used to introduce his presentation at the "BlueHat" conference held by Microsoft last May. He then explained that he had discovered a vulnerability in Internet Explorer that would allow an attacker to insert into a web page a malicious script which, once downloaded, can spy on any visitor and follow him (like an invisible ghost) while he surfs other websites. He did not reveal the details of this vulnerability, which generated great interest among researchers, who were dubbed "browser ghost busters". Ultimately, not one vulnerability but two were discovered!

Before describing these vulnerabilities, we first have to introduce the concept of "cross-domain security" for web browsers. This concept exists both in Firefox (which names it the "same origin policy") and in Internet Explorer (which refers to it as the "cross-domain security model"). It aims at limiting the possible interactions between web browser windows. If several windows exist (or when a single window includes several frames), then JavaScript code in a given window is allowed to act on another window (for example a child window) only if the two windows belong to the same DNS domain. For example, a window displaying data from www.microsoft.com can act only on windows displaying data from this same domain. If the cross-domain control is not properly implemented (such a flaw is called a "cross-domain" vulnerability), a possible attack could be for the parent window (which is under the attacker’s control) to spy on the activity of a child window (which may be, for example, a "frame" embedded in the parent window) and capture all the keystrokes while this child window is surfing the Internet.
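To make the rule concrete, here is an added example (not code from the article or from the researchers it names) modelling the same-origin check and what a correctly behaving browser does when a child frame navigates to another site; the Frame class, the ghostAttempt function and the .example host names are constructed for illustration.

```javascript
// Added example: a model of the browser "same origin" / cross-domain check.
// An origin is the (scheme, host, port) triple; two documents may script each
// other only when all three match. Default ports are normalised away.
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

function originOf(url) {
  const u = new URL(url);
  return { scheme: u.protocol, host: u.hostname, port: u.port || DEFAULT_PORT[u.protocol] || "" };
}

function sameOrigin(a, b) {
  const oa = originOf(a), ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Minimal model of a frame: a location plus the key handlers on its current document.
// (Constructed for illustration; real browsers implement this internally.)
class Frame {
  constructor(url) { this.url = url; this.keyListeners = []; }
  // Navigation loads a new document, so handlers on the old document must not survive.
  navigate(url) { this.url = url; this.keyListeners = []; }
  // Another window may attach a handler only when the origins match.
  addKeyListener(callerUrl, fn) {
    if (!sameOrigin(callerUrl, this.url)) throw new Error("SecurityError: cross-origin access denied");
    this.keyListeners.push(fn);
  }
  type(text) { for (const ch of text) this.keyListeners.forEach(fn => fn(ch)); }
}

// A parent page tries to capture what is typed into a child frame, first while the
// child shows the parent's own site, then after the child navigates elsewhere.
// With a correct policy the "ghost" is blocked at the origin check, and even a
// handler attached legitimately does not follow the child to the next site.
function ghostAttempt(parentUrl, childStartUrl, childNextUrl) {
  const child = new Frame(childStartUrl);
  const captured = [];
  let attached = true;
  try { child.addKeyListener(parentUrl, ch => captured.push(ch)); } catch (e) { attached = false; }
  child.type("a");           // typed while the child is still on its start page
  child.navigate(childNextUrl);
  child.type("secret");      // typed on the new site; a correct browser exposes none of it
  return { attached, captured: captured.join("") };
}
```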

Actually, this attack is exactly the "ghost in the browser" attack described by Manuel Caballero. Eduardo Vela (www.sirdarckcat.net) confirmed this by demonstrating that a flaw exists in Internet Explorer (versions 6, 7 and 8 beta) which could be used to circumvent the "cross-domain" security model. Because of that flaw, a parent window can illegally interact with a child window while the latter is surfing other websites. However, the interactions made possible by this vulnerability are limited. It is not possible, for example, to steal the user’s cookies. On the other hand, it is actually possible to listen for keyboard inputs, as evidenced by the PoC developed by Eduardo Vela.

A second "cross-domain" vulnerability was found in June 2008 by a group of Chinese hackers (the "Ph4nt0m Security Team") and described in "PSTZine" (a Chinese hacking publication). The second vulnerability is more severe than the first one, because in this case the attacker can use it to steal cookies belonging to other websites. In fact, it is likely that this "cross-domain" vulnerability gives the parent window complete control over a child window. According to the discoverers, this vulnerability only exists in version 6 of Internet Explorer. Aviv Raff published a test page showing the vulnerability.

Both vulnerabilities are tracked by the Cert-IST under the reference FA-2008.0117. They are also described by the US-CERT under the references VU#516627 and VU#923508. The overall consequence of these vulnerabilities is to allow an attacker who builds a malicious web page to steal data from the user who visits this page. This consequence is quite comparable to the consequences of a "Cross-site scripting" vulnerability.
