+------
 | Update 2004-01-05: You may read _much_ more in my newly published
 | book: "Innocent Code: A Security Wake-up Call for Web Programmers"
 |       http://innocentcode.thathost.com/
 +------




From: "Sverre H. Huseby" <shh@thathost.com>
Subject: Controlling MSIE sessions from Outlook
	 (related to Client Side Trojans)
Date: Mon, 5 Nov 2001 18:47:35 +0100
To: webappsec@securityfocus.com

I just got a reply to my recent "Client Side Trojans" text stating  
that mail clients typically run in different sessions from the web
browser, so it will be hard to send HTML formatted mail to control an
already authenticated web session.

If that't the general opinion, I wish to share some tests results with
you to show you that it is wrong.  I did some experimenting on Windows
2000 a while ago, using Oulook Express 5.50.4133.2400.  I started by
logging into my online bank using Microsoft Internet Explorer (with
HTTPS of course).  My goal was to send myself an HTML formatted mail
that would visit another page in the bank, using the already logged in
session.

Here are the results: (Note all URLs in question (marked with three
dots) are inside the bank, and normally require a logged in user.)

  Malicious content in mail:
    <script>document.location="..."</script>
  Success!  MSIE browser window that was already open changed to the
  new page within the bank without asking for reauthentication.

  Malicious content in mail:
    <iframe src="..." width="100%" frameborder="0">
  No success, the iframe appearently was not the same instance as the
  original bank window.

  Malicious content in mail:
    <script>window.open("...");</script>
  Success!  A new window opened with the same logged in user as I had
  in my original browser window.

  Malicious content in mail:
    <a href="...">Cool joke</a>
  Success! New page without reauthentication after following the link.
  The page was shown in the already open browser window.

These tests show that (for my particular setup) it would be perfectly
possible to pass Client Side Trojans in mail to control an
authenticated and encrypted session in a web browser.  I believe my
setup was not far from an original, out of the box installation.

Has anyone else done similar tests?  Possibly with other mail/web
clients?  Different results?  Different HTML approaches?  I would be
very happy to hear about it.


Sverre.