Cross-zone scripting
Encyclopedia
Cross-zone scripting is a browser exploit
taking advantage of a vulnerability within a zone-based security solution. The attack allows content (scripts) in unprivileged zones to be executed with the permissions of a privileged zone - i.e. a privilege escalation
within the client (web browser) executing the script. The vulnerability could be:
A common attack scenario involves two steps. The first step is to use a cross-zone scripting vulnerability to get scripts executed within a privileged zone. To complete the attack, then perform malicious actions on the computer using insecure ActiveX components.
This type of vulnerability has been exploited to silently install various malware
(such as spyware
, remote control software, worms
and such) onto computers browsing a malicious web page.
introduced a security zone concept into Internet Explorer
. However, this is a generic issue which is not Internet Explorer specific; some other browsers also implicitly implement the Local Computer zone.
There are four well known zones in Internet Explorer:
These zones are explained in detail by
Q174360: How to use security zones in Internet Explorer.
There is also an additional hidden zone:
Local intranet, Trusted sites and Local Computer are usually configured to be privileged zones. Most cross-zone scripting attacks are designed to jump from Internet zone to a privileged zone.
The following HTML is used to illustrate a naive (non-working) attempt of exploitation:
A computer which considers intranet.example.com a part of Local Intranet zone will now successfully be cross zone scripted.
. It was discovered that the following URL
executed with "Trusted Sites" permission if windowsupdate.microsoft.com was listed as a trusted site.
Browser exploit
A browser exploit is a form of malicious code that takes advantage of a flaw or vulnerability in an operating system or piece of software with the intent to alter a user's browser settings without their knowledge...
taking advantage of a vulnerability within a zone-based security solution. The attack allows content (scripts) in unprivileged zones to be executed with the permissions of a privileged zone - i.e. a privilege escalation
Privilege escalation
Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user...
within the client (web browser) executing the script. The vulnerability could be:
- a web browser bug which under some conditions allows content (scripts) in one zone to be executed with the permissions of a higher privileged zone.
- a web browser configuration error; unsafe sites listed in privileged zones.
- a cross-site scriptingCross-site scriptingCross-site scripting is a type of computer security vulnerability typically found in Web applications that enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same...
vulnerability within a privileged zone
A common attack scenario involves two steps. The first step is to use a cross-zone scripting vulnerability to get scripts executed within a privileged zone. To complete the attack, then perform malicious actions on the computer using insecure ActiveX components.
This type of vulnerability has been exploited to silently install various malware
Malware
Malware, short for malicious software, consists of programming that is designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, or gain unauthorized access to system resources, or that otherwise exhibits abusive behavior...
(such as spyware
Spyware
Spyware is a type of malware that can be installed on computers, and which collects small pieces of information about users without their knowledge. The presence of spyware is typically hidden from the user, and can be difficult to detect. Typically, spyware is secretly installed on the user's...
, remote control software, worms
Computer worm
A computer worm is a self-replicating malware computer program, which uses a computer network to send copies of itself to other nodes and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a computer virus, it does not need to attach...
and such) onto computers browsing a malicious web page.
Origins of the zone concept
Internet Explorer 4Internet Explorer 4
Microsoft Internet Explorer 4 is a graphical web browser released in September 1997 by Microsoft, primarily for Microsoft Windows, but also with versions available for Apple Mac OS, Solaris, and HP-UX and marketed as "The Web the Way You Want It".It was one of the main participants of the first...
introduced a security zone concept into Internet Explorer
Internet Explorer
Windows Internet Explorer is a series of graphical web browsers developed by Microsoft and included as part of the Microsoft Windows line of operating systems, starting in 1995. It was first released as part of the add-on package Plus! for Windows 95 that year...
. However, this is a generic issue which is not Internet Explorer specific; some other browsers also implicitly implement the Local Computer zone.
There are four well known zones in Internet Explorer:
- Internet. The default zone. Everything which does not belong to other zones.
- Local intranet.
- Trusted sites. Usually used to list trusted sites which are allowed to execute with minimal security permissions (e.g. run unsafe and unsigned ActiveXActiveXActiveX is a framework for defining reusable software components in a programming language-independent way. Software applications can then be composed from one or more of these components in order to provide their functionality....
objects). - Restricted sites.
These zones are explained in detail by
Q174360: How to use security zones in Internet Explorer.
There is also an additional hidden zone:
- Local Computer zone (or My Computer zone). This zone is particularly interesting because it can access files on the local computer. Historically this zone has been extremely insecure, but in recent versions Internet Explorer (for Windows XP) steps have been taken to reduce risks associated with zone.
Local intranet, Trusted sites and Local Computer are usually configured to be privileged zones. Most cross-zone scripting attacks are designed to jump from Internet zone to a privileged zone.
Cross-zone scripting into Local Computer Zone
This type of exploit attempts to execute code in the security context of Local Computer Zone.The following HTML is used to illustrate a naive (non-working) attempt of exploitation:
A computer which considers intranet.example.com a part of Local Intranet zone will now successfully be cross zone scripted.
Cross-zone scripting into Trusted Sites Zone
A well known example is the %2f bug in Internet Explorer 6Internet Explorer 6
Internet Explorer 6 is the sixth major revision of Internet Explorer, a web browser developed by Microsoft for Windows operating systems...
. It was discovered that the following URL
http://windowsupdate.microsoft.com%2f.example.com/
executed with "Trusted Sites" permission if windowsupdate.microsoft.com was listed as a trusted site.
External links
- Secunia SA11830 Internet Explorer Security Zone Bypass and Address Bar Spoofing An vulnerability in (Internet Explorer) reported by bitlance winter which allows cross-zone scripting into Trusted Sites)
- Q174360: How to use security zones in Internet Explorer. Microsoft article explaining the Zone concept and how to configure it