Document Title:
===============
Internet Explorer 9.10 - XSS Protection Filter Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=729

Release Date:
=============
2012-10-19

Vulnerability Laboratory ID (VL-ID):
====================================
729

Common Vulnerability Scoring System:
====================================
6.4

Product & Service Introduction:
===============================
Windows Internet Explorer 9 (IE9) is a version of the Internet Explorer web browser from Microsoft. It was released to the public on March 14, 2011. Microsoft released Internet Explorer 9 as a major out-of-band version that is not tied to the release schedule of any particular version of Windows, unlike previous versions. It is the first version since Internet Explorer 2 not to be bundled with a Windows operating system, although some OEMs have preinstalled it with Windows 7 on their PCs, as well as on new Windows 7 laptops. The system requirements for Internet Explorer 9 are Windows 7, Windows Server 2008 R2, Windows Vista Service Pack 2 or Windows Server 2008 SP2 with the Platform Update. Windows XP and earlier are not supported. Internet Explorer 9 is the last version of Internet Explorer to be supported on Windows Vista; Internet Explorer 10 will only be supported on Windows 7 and later (up to Platform Preview 2), while Platform Preview 3 and above work only with Windows 8. Both IA-32 and x64 builds are available. Internet Explorer 9 supports several CSS 3 properties, supports embedded ICC v2 or v4 color profiles via the Windows Color System, and has improved JavaScript performance. It is the last of the five major web browsers to implement support for Scalable Vector Graphics (SVG).

It also features hardware-accelerated graphics rendering using Direct2D, hardware-accelerated text rendering using DirectWrite, hardware-accelerated video rendering using Media Foundation, imaging support provided by the Windows Imaging Component, and high-fidelity printing powered by the XML Paper Specification (XPS) print pipeline. Internet Explorer 9 also supports the HTML5 video and audio tags and the Web Open Font Format.

(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Internet_Explorer_9 )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple XSS Protection Filter Bypass Vulnerabilities in Microsoft Internet Explorer v9.10.

Vulnerability Disclosure Timeline:
==================================
2012-10-21: Public Disclosure

Discovery Status:
=================
Published

Affected Product(s):
====================
Microsoft Corp.
Product: Internet Explorer (Web Browser) 9.0.10 (KB2744842)

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
1.1 - Shift 1 Position to Bypass

An XSS protection filter bypass vulnerability was detected in Microsoft's official Internet Explorer v9.0.8112.16421 web browser. The vulnerability allows a remote attacker to bypass the XSS protection mechanism of the Internet Explorer v9.x web browser in order to execute client-side or server-side script code.

The second XSS protection filter bypass vulnerability is located in a "shift 1 position" misconfiguration of the filter, which leads to a bypass. Remote attackers can insert multiple frame and onload alert strings in a GET request to shift the position (replace) of the parsed tag itself. The attacker can shift the position of the parsed tag by one position on refresh, because the parsed content lies outside of the requested script code context.

Remote attackers can bypass the XSS filter's parse-and-replace function of Internet Explorer 9 to perform XSS requests on the client and server side. Successful exploitation of the web browser vulnerability results in (client- or server-side) cross-site scripting and unauthorized script code execution via protection filter bypass.

Vulnerable Module(s):
    [+] XSS & Script Code Protection Filter

Vulnerable Function(s):
    [+] Shift 1 Position - Parse Function

1.2 - Strings to Bypass (Random)

An XSS protection filter bypass vulnerability was detected in Microsoft's official Internet Explorer v9.0.8112.16421 web browser. The vulnerability allows a remote attacker to bypass the XSS protection mechanism of the Internet Explorer v9.x web browser in order to execute client-side or server-side script code.

After some research on the filter function, we located several strings that bypass the XSS protection filter of the Internet Explorer v9.x browser. The strings that were not recognized or detected were built with the datasrc class, XML tags, or a JavaScript request through a div tag with a bound link.

Remote attackers can bypass the XSS filter's parse-and-replace function of Internet Explorer 9 to perform XSS requests on the client and server side. Successful exploitation of the web browser vulnerability results in (client- or server-side) cross-site scripting and unauthorized script code execution via protection filter bypass.

Vulnerable Module(s):
    [+] XSS & Script Code Protection Filter

Vulnerable String(s):
    [+] XML
    [+] DATASRC
    [+] js>div]style="width: expression(document.cookie=true;);">

String: ">
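Because a browser-side filter can be bypassed, the reflecting web application and its logs are where defenders can still catch these requests. The following is an added example, not part of the advisory, that URL-decodes the query string of constructed web-server log lines and flags the three bypass constructs the advisory lists (XML tags, the DATASRC attribute, and CSS expression() inside a style attribute); the log format and paths are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Patterns derived from the advisory's "Vulnerable String(s)" section:
# XML tags, the DATASRC attribute, and CSS expression() in a style attribute.
BYPASS_PATTERNS = {
    "xml-tag": re.compile(r"<\s*xml\b", re.IGNORECASE),
    "datasrc-attr": re.compile(r"\bdatasrc\s*=", re.IGNORECASE),
    "css-expression": re.compile(r"\bexpression\s*\(", re.IGNORECASE),
}

def decode_query_values(url):
    """Return (name, value) pairs of the query string.
    Values are decoded a second time so double-encoded payloads are inspected too."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [(name, unquote_plus(value)) for name, value in pairs]

def classify_request(url):
    """Return the sorted names of every pattern that matches a query value."""
    hits = set()
    for _, value in decode_query_values(url):
        for name, pattern in BYPASS_PATTERNS.items():
            if pattern.search(value):
                hits.add(name)
    return sorted(hits)

# Constructed sample log lines (assumed format: METHOD PATH STATUS); the
# encoded values are the advisory's constructs, not captured traffic.
SAMPLE_LOG = """\
GET /search?q=internet+explorer 200
GET /search?q=%3Cxml%20id%3Dx%3E 200
GET /profile?name=%3Cdiv%20datasrc%3D%23x%3E 200
GET /page?s=%3Cdiv%20style%3D%22width%3A%20expression(document.cookie%3Dtrue%3B)%22%3E 200
GET /help?topic=expressions 200
"""

def scan_log(log_text):
    """Return (path, hits) for each log line whose query matches a pattern."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # skip malformed lines rather than crash the scan
        hits = classify_request(parts[1])
        if hits:
            findings.append((parts[1].split("?")[0], hits))
    return findings
```

The fifth sample line shows the word boundary and the required opening parenthesis keeping ordinary text such as "expressions" from triggering a finding.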