Sunday, May 11, 2008

Browser's Ghost Busters

Due to the news that there are a few ghost busters on the wild, and no one is willing to tell us exactly what's the ghost about, I've been doing some research to find out proof that those ghosts exist.

I'm talking about Manuel Caballero's talk A Resident in My Domain:

From one of the pictures it tells us that there's some relation to iframes.. and also from the description of the talk it tells us that it is able to capture non-domain-privileged DOM attributes and methods ( if we could steal cookies, then the description would be a lot more apocalyptic ).. and well, we also know it is cross-domain..

  1. So, the first "fact" is that using the iframes on any website, you can capture top.location's and keystrokes (this is well known).

  2. So, there's a way of modifying iframes on a window, on a domain is not ours.

  3. So, we need a way of getting a reference to a window.

There are some ways of doing that:

  • window.opener.window
  • open().window
  • frames[].window
  • top
  • parent
  • [maybe others I don't know]

  1. So, once we have that, we need a reference to the iframes.

There's 2 ways I know of doing that
  • document.getElementsByTagName("iframe");
  • window.frames[];
And, so.
  • getElementsByTagName fails (IE6, IE7, FF2, FF3, Safari 3).
  • window.frames[] doesnt fail (IE6, IE7, FF2, FF3, Safari 3);

So we will use window.frames[] to access the iframes.

Knowing that..

  1. We will try to modify the location of such frames.

We have a few ways of doing that.

  •"new location","frame-name");
  • frame.location="new location";
  •"new location","_self");

The modification of location of iframe's location work on windows inside frames on IE6, IE7, FF2, FF3 (go here and then use this code) but we wont use a frame in a frame to get the reference to the window, since we cant detach a window from a frame, and so, it is not what the bug is about.

Anyway, none of the mentioned method work for windows gotten from window.opener and open() on FF2 or FF3, but it does work on IE7 on windows gotten from open() and from window.opener.

  1. So so far, we have an exploit that only works on IE (6&7).
What do you say? is this the proton pack we were looking for?

For obvious reasons I wont disclose a IHE (Interactive Hacking Environment) as Caballero apparently has one, but I think this may be the bug, or some similar bug to the one he presented.


PS. This doesn't work on IE8. thanks to thornmaker for testing.
PS2. There's a version that works on IE8 and all versions of IE7: