Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

// // //
8/3/2018
09:35 AM
Larry Loeb
Larry Loeb
Larry Loeb

Researcher Finds Way to Bypass SOP Within Microsoft Edge Browser

For years, SOP has made sure that browsing stays safe by isolating different websites. Now, a researcher found a way around the protocol within Microsoft's Edge browser.

The Same Origin Policy (SOP) has been an implicit operational condition for browsers since 1995. It stops scripts contained in one web page from accessing data in a second web page unless the two sites have the same origin. An origin is defined as a combination of URI scheme (domain or subdomain), host name and port number.

Now, however, Netsparker security researcher Ziyahan Albeniz has found that older versions of Microsoft's Edge browser could be fooled into allowing this type of access from one web page to another.

Albeniz discovered that in the case of an HTML file sent via email and then run by Edge, the end result that SOP was supposed to forbid would happen. A local file could be read and exfiltrated from a target machine.

\r\n(Source: Flickr)\r\n

\r\n(Source: Flickr)\r\n

Of course, there is some social engineering involved in all of this. The user needs to download the HTML file in that poisoned email to start things off. HTML is not a usual file format transferred in this way, so the email will call attention to itself when it is encountered.

What actually happens if the email is opened is fairly simple. The HTML file is loaded by the file:// protocol when read from the email. Since it becomes a local file, there is no domain or port value associated with it.

The local file on the target machine will also not have a domain or port. So, in this case the ports on the two items match since both will have no port.

The hostname will also match. There is none in the file:// protocol. Finally, the protocol scheme between the two match. It’s file://.

So, SOP will present no objections to this intermingling.

The researcher felt that the Mail and Calendar app would sound the alarm if it was forced into executing a malicious HTML file. That didn't happen.

As Albeniz put it:

When I sent the email as an attachment and waited until a user opened it, it would immediately send local files of my choosing [from the target machine —ed.] to my server, where I could store and read them. There is probably no antivirus program that would recognize my file as malicious, and, I could extract the files over a secure HTTPS connection. This is what makes this attack so stealthy!

This approach requires the attacker to know where the file desired is located, but there are routine locations used in many OS configurations.

So, while the approach may not serve well as a vehicle for the wide distribution of malware, a more specific approach designed for a high value target -- especially if it is used after some directory transversal recon malware has been first run on the target machine -- seems possible.

Albeniz writes that this vulnerability has already been fixed by Microsoft in both Edge and Mail and Calendars.

So, mitigation is straightforward. Use the latest versions of the programs, and don't open unknown HTML files in email. But be aware that this sort of attack is possible -- and deadly.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Machine Learning, AI & Deep Learning Improve Cybersecurity
Machine intelligence is influencing all aspects of cybersecurity. Organizations are implementing AI-based security to analyze event data using ML models that identify attack patterns and increase automation. Before security teams can take advantage of AI and ML tools, they need to know what is possible. This report covers: -How to assess the vendor's AI/ML claims -Defining success criteria for AI/ML implementations -Challenges when implementing AI
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-40922
PUBLISHED: 2022-10-03
A vulnerability in the LIEF::MachO::BinaryParser::init_and_parse function of LIEF v0.12.1 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted MachO file.
CVE-2022-38817
PUBLISHED: 2022-10-03
Dapr Dashboard v0.1.0 through v0.10.0 is vulnerable to Incorrect Access Control that allows attackers to obtain sensitive data.
CVE-2022-40123
PUBLISHED: 2022-10-03
mojoPortal v2.7 was discovered to contain a path traversal vulnerability via the "f" parameter at /DesignTools/CssEditor.aspx. This vulnerability allows authenticated attackers to read arbitrary files in the system.
CVE-2022-32173
PUBLISHED: 2022-10-03
In OrchardCore rc1-11259 to v1.2.2 vulnerable to HTML injection, allow an authenticated user with an editor security role to inject a persistent HTML modal dialog component into the dashboard that will affect admin users.
CVE-2022-36551
PUBLISHED: 2022-10-03
A Server Side Request Forgery (SSRF) in the Data Import module in Heartex - Label Studio Community Edition versions 1.5.0 and earlier allows an authenticated user to access arbitrary files on the system. Furthermore, self-registration is enabled by default in these versions of Label Studio enabling ...