Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

8/3/2018
09:35 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

Researcher Finds Way to Bypass SOP Within Microsoft Edge Browser

For years, SOP has made sure that browsing stays safe by isolating different websites. Now, a researcher found a way around the protocol within Microsoft's Edge browser.

The Same Origin Policy (SOP) has been an implicit operational condition for browsers since 1995. It stops scripts contained in one web page from accessing data in a second web page unless the two sites have the same origin. An origin is defined as a combination of URI scheme (domain or subdomain), host name and port number.

Now, however, Netsparker security researcher Ziyahan Albeniz has found that older versions of Microsoft's Edge browser could be fooled into allowing this type of access from one web page to another.

Albeniz discovered that in the case of an HTML file sent via email and then run by Edge, the end result that SOP was supposed to forbid would happen. A local file could be read and exfiltrated from a target machine.

Of course, there is some social engineering involved in all of this. The user needs to download the HTML file in that poisoned email to start things off. HTML is not a usual file format transferred in this way, so the email will call attention to itself when it is encountered.

What actually happens if the email is opened is fairly simple. The HTML file is loaded by the file:// protocol when read from the email. Since it becomes a local file, there is no domain or port value associated with it.

The local file on the target machine will also not have a domain or port. So, in this case the ports on the two items match since both will have no port.

The hostname will also match. There is none in the file:// protocol. Finally, the protocol scheme between the two match. It’s file://.

So, SOP will present no objections to this intermingling.

The researcher felt that the Mail and Calendar app would sound the alarm if it was forced into executing a malicious HTML file. That didn't happen.

As Albeniz put it:

When I sent the email as an attachment and waited until a user opened it, it would immediately send local files of my choosing [from the target machine —ed.] to my server, where I could store and read them. There is probably no antivirus program that would recognize my file as malicious, and, I could extract the files over a secure HTTPS connection. This is what makes this attack so stealthy!

This approach requires the attacker to know where the file desired is located, but there are routine locations used in many OS configurations.

So, while the approach may not serve well as a vehicle for the wide distribution of malware, a more specific approach designed for a high value target -- especially if it is used after some directory transversal recon malware has been first run on the target machine -- seems possible.

Albeniz writes that this vulnerability has already been fixed by Microsoft in both Edge and Mail and Calendars.

So, mitigation is straightforward. Use the latest versions of the programs, and don't open unknown HTML files in email. But be aware that this sort of attack is possible -- and deadly.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15058
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.
CVE-2020-15059
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to bypass authentication via a web-administration request that lacks a password parameter.
CVE-2020-15060
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to conduct persistent XSS attacks by leveraging administrative privileges to set a crafted server name.
CVE-2020-15061
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to denial-of-service the device via long input values.
CVE-2020-15062
PUBLISHED: 2020-08-07
DIGITUS DA-70254 4-Port Gigabit Network Hub 2.073.000.E0008 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.