Coffee

It is early in the morning and for some weird reason I couldn’t sleep well last night, so I decided to have a play with Microsoft Internet Explorer; after all, IE deserves some attention as well. I have no reason to investigate Internet Explorer for any particular vulnerabilities. However, a cup of coffee and my fly laptop make a perfect start for a day which is usually occupied with non-computer stuff.

I prepared myself a large cup of coffee. It took me around 2 minutes to get the water boiling. I sat at the table and started checking my Google Reader for what had happened while I was idle. This application is essential for my Saturday morning coffee breaks: it acts like a newspaper or something.

After going through the morning routine, I decided to visit GMail. Yesterday, I stored some cool tracks with my favourite GSpace Firefox extension. I opened the GSpace label and clicked on the first item that caught my eye. Play! Cool! When the first track finished I thought that it would be a good idea to have some sort of Greasemonkey script for creating a GMail Media Playlist so I don’t have to go back and forth between different emails… but hey, it was too early in the morning and hacking IE was looking a lot more interesting than coding with JavaScript.

It took me very little to get going. I’ve done a lot of IE bug hunts in the past so I knew how to proceed; moreover, I knew that I would find something even if it was the most stupid and useless thing ever found. Vulnerability research is all about having the right mindset. If you believe that you can find something, then you certainly will. At least, this is how it works for me.

Since I was doing something very random, I decided to use something random as a starting point. I went to Google and typed something about IE and MSDN; I don’t remember quite well what it was. Clicked on “I’m Feeling Lucky”. Nope, that was not what I was looking for. I went back and refined my search. This time I was in the right place. The page was about some stuff related to the Internet Explorer Media Bar. I had never heard of this, although I thought that it could be something related to integrating Media Player with IE. I started browsing around this area and then I stumbled upon something I thought might be interesting to play with.

This thing is known as an IE behaviour. I’ve played with behaviours before and I knew what they are, so I started building a plan. The first thing to do was to set up my own web server where I would perform the tests. Why is that? In general it is not a good idea to test web related stuff from your desktop. HTML pages from the desktop have higher permissions than pages from the web. The testing environment was running with a single click of the left mouse button. WAMP started and loaded all that I needed.

WAMP is not exactly the best tool you can use for stuff like this. I think that POW is a lot better since you can get feedback right on your browser. I will try to integrate that in my infinite free time :).

Back to WAMP, I created a test folder and started placing test files inside like crazy. GVIM was open on one side of the screen, IE was on the other. When I made a change, I needed to switch to IE and refresh just to see what happened. If you use WAMP with the default configuration, you may need to press F5 a couple of times because the page is most probably cached. I have disabled cache control on the server and the client so a single refresh gets me what I want without too much of a hassle.

20 minutes later, with a dozen files inside the testing folder, I was near completing my morning exercise. I was halfway through my coffee, which was almost cold by that time. It was about time to leave the computer and go have some life. I found something which is not that serious but it could be used in many different ways to compromise the user’s local system. I give a detailed description of the problem over here.

My morning coffee hacking was over. BTW, there are a bunch of unverified issues which I will disclose as soon as I get some stuff off my head.