bmonday(dot)com

What a long strange trip this will be


IE Chromeless Windows Vulnerability Demonstration

An interesting thread developed over the weekend on BugTraq about a flaw in IE (all the way up through version 6 SP1) revolving around the exploitability of "chromeless" windows. Chromeless windows are screen objects that do not have the normal borders and other controls attached to them. As such, they can easily be placed anywhere on the screen, and (here is the problem) be made to obscure or even change important messages from the system.

I present, for your consideration, the following web site (it is not malicious, but you must wait for the ActiveX control to finish loading): Exploit Demo.

If everything went according to plan, and you have Medium or lower security set on your browser, you got a nice system alert that offered to "enable enhanced security for your system".

Do us a favor, and drag that dialog box around. If you didn't just wet your pants, you reacted better than I first did.

Chromeless windows can be made to obscure all sorts of things. Like putting a little gold lock in the browser's status bar, even if the site is not actually SSL-enabled. Or how about obscuring the site you are on, making you think you are on your bank's site, when instead you are on www.Hackers-R-Us.com.

The dangers of chromeless windows were first reported nearly 2 years ago by George Guninski. However, Microsoft considers the issue to be "low-risk", and it continues to be exploitable on out-of-the-box installations of any OS containing Internet Explorer, including Win2k3.

UPDATE: Read my recent update post regarding how this is being actively exploited in the wild by phishers: Phishers Are Getting Good.

Posted by Beau Monday on Saturday, January 31, 2004 11:02 PM

Feedback

# re: IE Chromeless Windows Vulnerability Demonstration 5/6/2004 4:19 PM wraith808

Hmmm... it apparently doesn't work in browsers that only use the IE engine. I'm assuming that since their IE 'window' is in a different place, the placement of the dialog is off. I clearly see the chromeless window in a separate location from the dialog.

# re: IE Chromeless Windows Vulnerability Demonstration 5/6/2004 4:27 PM wraith808

One way around this is to click on the title bar. The real dialog then comes to the top of the Z-order. But, this really shouldn't be necessary.

# re: IE Chromeless Windows Vulnerability Demonstration 5/7/2004 9:19 AM KCracker

This fails nicely if you have a 'download' utility (i.e. GetRight) running. In my case, it failed once because I was using Mozilla Firefox to browse to this site...then it failed again, because GetRight asked me where I wanted to save the file it was downloading for me. I love third party utilities. 8-)

# Chromeless Windows 5/7/2004 12:53 PM JD on MX

Chromeless windows: BugTraq had a discussion about a new type of IE/Win vulnerability, and the issue is synopsized here by Beau Monday. The Microsoft system offers the ability to create windows with borders, and because of the tight integration of...

# re: IE Chromeless Windows Vulnerability Demonstration 5/7/2004 4:56 PM Dalan Galma

Isn't this fixed in Windows XP SP2?

# re: IE Chromeless Windows Vulnerability Demonstration 5/8/2004 10:16 PM Branton

I just went to the exploit site with XPSP2 and this is what happened:

1.) IE didn't allow the site to install software on my computer
2.) I allowed IE to install ActiveX controls from the page and got the message: Windows has blocked this software because it can't verify the publisher.

So even if the publisher was verifiable, the user would have to take action in order to install the control. It isn't done automatically anymore.

# re: IE Chromeless Windows Vulnerability Demonstration 5/14/2004 8:34 PM Zach

Funny - I actually set up an ebay auction a few months ago doing something similar - but way harder to notice than this - they did nothing of course :)

(and that was not an IE problem, that was an ebay problem - hell I will set it up again, just for the heck of it, on a regular page)

# re: IE Chromeless Windows Vulnerability Demonstration 5/14/2004 10:35 PM Zach

ok - this is not a browser problem - it's a site by site problem - I have not looked at ebay in awhile and ain't going to now - but a few months ago I did this in an auction there, using a different method (this one is direct - which is good enough, if they allow you to write a script tag, a variable, and document.write - you can do this - even if they think they are blocking it - and there are much more clever ways than this to do the same thing)

http://sportsforum.ws/ebay/cgi.ebay.com/ws/eBayISAPI.dll%3fViewItem&category=27260&item=4130941755&rd=1

(page is the old page I brought in, so there is no resize or whatever I say at the top - last time I used a division, and an Iframe, this time I just put it in the page) - granted they are both on my server, but to see what's going on, what the flash is at the start, disable javascript and go to the page. Or view source - you won't find the page you are looking at in the source - except my two lines of javascript.

To carry this further - if the place allows just enough to get a foreign script call in - which anyplace that allows javascript in the description of an auction like ebay at least used to (again I have not verified in a couple months) - then if I am out to trick people, I would actually use maybe an image extension or something, hide it better, change mime types on my server, have it really loading a php, asp, or perl script, checking the domain that is there, checking the IP, and be targeting certain IPs that are more likely to be just grandma than someone I don't want to catch wind of what I am doing - could just target AOL, or other dial up services as the chances are that is not going to be anyone that is a threat - then I would not change the entire page, I would just capture the clicks on links, redirect them to open a popup up to the place they asked to go - if it's paypal open up a real looking screen, with the toolbar imaged in, fake status bar, etc - if it's ebay send them to a fake sign in screen, people are used to that enough they would just do it, and then whichever place, after I capture the username and password, I would actually send the submit to where it's supposed to go, and no one would be the wiser.

Not to mention I would be able to control things on the page to start with, I don't know how much I could find out from ebay cookies - but if I was into that kind of thing it might be worth it just to sit there and silently harvest cookie info (which I could then send back to my server without you ever realizing it)
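Zach's point above is that a site which lets users put a script tag, a foreign script source or document.write into content such as an auction description has an input-handling problem regardless of the browser. As an added example (not code from the post or from any commenter), here is a conservative server-side check in JavaScript that flags those constructs and their usual companions so a site can reject the submission instead of trying to clean it; the rule names and sample descriptions are constructed for this illustration.

```javascript
// Added example: flag active content in user-supplied HTML (e.g. an auction
// description) so the site can reject it. This is a detection aid, not a
// sanitizer: anything flagged should be refused, not "cleaned" by regex.

// Constructs the comment above relies on (script tag, external script source,
// document.write) plus the common companions a reviewer would also refuse.
const ACTIVE_CONTENT_RULES = [
  { name: "script-tag",      re: /<\s*script\b/i },
  { name: "framed-content",  re: /<\s*(iframe|frame|object|embed|applet)\b/i },
  { name: "inline-handler",  re: /\son[a-z]+\s*=/i },
  { name: "javascript-url",  re: /(href|src|action)\s*=\s*["']?\s*javascript:/i },
  { name: "meta-refresh",    re: /<\s*meta\b[^>]*http-equiv\s*=\s*["']?refresh/i },
  { name: "css-expression",  re: /expression\s*\(/i },
  { name: "document-write",  re: /document\s*\.\s*write/i },
];

// Returns the names of every rule the description trips (empty array if none).
function findActiveContent(html) {
  // Undo the common entity encodings of "<" and ">" first, so that a
  // description pasted as "&lt;script&gt;" through a forgiving renderer
  // is still caught.
  const decoded = html
    .replace(/&lt;/gi, "<")
    .replace(/&gt;/gi, ">")
    .replace(/&#x3c;/gi, "<")
    .replace(/&#60;/g, "<");
  return ACTIVE_CONTENT_RULES.filter((r) => r.re.test(decoded)).map((r) => r.name);
}

// Accept only descriptions that trip no rule at all.
function isSafeDescription(html) {
  return findActiveContent(html).length === 0;
}

// Constructed sample descriptions (not real listings).
const benign = '<p>Vintage camera, works great.</p><img src="/pics/cam.jpg" alt="camera">';
const injected = '<p>Vintage camera</p><script src="http://example.invalid/x.js"></script>';
const sneaky = '<a href=" JavaScript:alert(1)">details</a><div onmouseover="go()">hover</div>';
const encoded = '&lt;script&gt;document.write("x")&lt;/script&gt;';

console.log(isSafeDescription(benign), findActiveContent(injected));
console.log(findActiveContent(sneaky), findActiveContent(encoded));
```

The rule list is deliberately an allowlist of things to refuse rather than an attempt at a complete HTML parser; a site that needs rich markup from users should parse the HTML and keep only known-safe elements and attributes.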

# Chromeless Windows 5/17/2004 9:40 PM edBlog

# re: IE Chromeless Windows Vulnerability Demonstration 7/8/2004 6:06 PM Nate

I got a 404 "File not Found" error when I clicked the link.

# re: IE Chromeless Windows Vulnerability Demonstration 9/5/2004 1:35 PM Arcticblaze

heh. for somebody that hates Microsoft so much, you sure do use a lot of their software there bmonday.com, it's kinda funny that you're a liar and a hypocrite!

# re: IE Chromeless Windows Vulnerability Demonstration 9/5/2004 1:54 PM Beau

ArcticBlaze wins the prize as the most ignorant poster to date.

Grats

# re: IE Chromeless Windows Vulnerability Demonstration 6/22/2006 5:34 AM terrified

My parents or wife would have simply clicked yes... this sort of thing terrifies me. I typically move windows around when they pop up like that, because they get in the way of whatever I'm actually attempting to read, but there are times... However, being someone that frequents hacker sites, I almost ALWAYS click the little [x] to close the window, because there are a LOT of popups that look identical to those windows, so when you click [no] you are instantly redirected to their site, or some advertisers site... think of how many times (and I'm sure we've ALL experienced it) you've heard "A little window popped up and said I had over 200 spyware programs on my computer, and so I clicked the little [clean] button." It's unfortunate that we live in a world where things like this are happening, and the average user is so moronic that they'd actually just happily click away!

# re: IE Chromeless Windows Vulnerability Demonstration 10/30/2006 6:48 AM Club Swingers

Very interesting. Thanks!

# re: IE Chromeless Windows Vulnerability Demonstration 1/28/2007 6:00 PM John

nice article, thank you!

# This is not nice 6/22/2007 5:45 PM The Coffeehouse

I guess Microsoft knows about this crack


# re: IE Chromeless Windows Vulnerability Demonstration 7/22/2008 5:37 AM Picture frames

I got a 404 "File not Found" error too when I clicked the link.
