Cross-zone scripting is a browser exploit that takes advantage of a vulnerability in a zone-based security model. The attack causes content (scripts) from an unprivileged zone to run with the permissions of a privileged zone, i.e. a privilege escalation inside the client (the web browser) that executes the script. The vulnerability can be:
- a web browser bug which, under some conditions, allows content (scripts) from one zone to run with the permissions of a more privileged zone;
- a web browser configuration error, such as an unsafe site listed in a privileged zone;
- a cross-site scripting vulnerability in a site that belongs to a privileged zone.
A common attack scenario involves two steps. The first is to use a cross-zone scripting vulnerability to get attacker-controlled script running in a privileged zone. The second is to use that foothold to perform malicious actions on the computer, typically by instantiating and scripting insecure ActiveX components that the privileged zone permits but the Internet zone would block.
Origins of the zone concept
There are four well-known zones in Internet Explorer:
- Internet. The default zone: everything that does not belong to another zone.
- Local intranet. Sites on the local network; by default this includes plain hostnames without a dot (e.g. http://intranet/) and sites that bypass the proxy server.
- Trusted sites. Usually used to list trusted sites that are allowed to run with minimal security restrictions (e.g. run unsafe and unsigned ActiveX objects).
- Restricted sites. Sites the user distrusts; most active content is disabled here.
These zones are explained in detail by "How to use security zones in Internet Explorer".
There is also an additional hidden zone:
- Local Computer zone (or My Computer zone). This zone is particularly interesting because content in it can access files on the local computer. Historically this zone has been extremely insecure, but in later versions of Internet Explorer steps have been taken to reduce the associated risks, notably the Local Machine Zone Lockdown introduced with Windows XP Service Pack 2.
Local intranet, Trusted sites and Local Computer are usually configured as privileged zones. Most cross-zone scripting attacks are designed to jump from the Internet zone to one of these privileged zones.
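The configuration side of this model can be checked directly on a Windows machine. The following PowerShell script is an added example, not code from the original article: it reads the per-user zone assignments Internet Explorer keeps under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, lists every host mapped into a privileged zone (Local Computer, Local intranet or Trusted sites), and shows whether those zones allow unsigned or unsafe ActiveX and active scripting, which is what a cross-zone jump buys the attacker. The zone ids and the value names 1004, 1201 and 1400 are Internet Explorer's documented ones; the IP-range mappings under ZoneMap\Ranges and machine-wide policy under HKLM are assumed out of scope and are not read.

```powershell
# Added audit example (not code from the original article). Lists the hosts a
# user has mapped into privileged IE zones and what ActiveX/scripting those
# zones allow. Assumes per-user settings under HKCU; if the
# Security_HKLM_only policy is set, change $Base to the same path under HKLM:.
$Base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

$ZoneName = @{ 0 = 'Local Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
               3 = 'Internet';       4 = 'Restricted sites' }
# Per-zone action values use IE's encoding: 0 = Enable, 1 = Prompt, 3 = Disable
$ActionName = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
# Settings that decide what a cross-zone jump gains (IE's documented value names)
$Checks = [ordered]@{
    '1004' = 'Download unsigned ActiveX controls'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1400' = 'Active scripting'
}

function Get-ZoneMapping {
    # Walks ZoneMap\Domains. A key directly under Domains names a domain; a
    # subkey beneath it names a host in that domain (Domains\example.com\www
    # maps www.example.com). Each key holds one DWORD per scheme (http, https,
    # * ...) whose data is the zone id.
    param([string]$Path, [string]$Suffix = '')
    foreach ($key in Get-ChildItem -Path $Path -ErrorAction SilentlyContinue) {
        $name = if ($Suffix) { "$($key.PSChildName).$Suffix" } else { $key.PSChildName }
        $props = Get-ItemProperty -Path $key.PSPath
        foreach ($scheme in 'http', 'https', 'ftp', 'file', '*') {
            $zone = $props.$scheme
            if ($null -ne $zone) {
                [pscustomobject]@{
                    Host = $name; Scheme = $scheme
                    ZoneId = [int]$zone; Zone = $ZoneName[[int]$zone]
                }
            }
        }
        Get-ZoneMapping -Path $key.PSPath -Suffix $name
    }
}

function Get-ZoneActiveXPolicy {
    # Reads the settings in $Checks for one zone id from Zones\<id>.
    param([int]$ZoneId)
    $props = Get-ItemProperty -Path "$Base\Zones\$ZoneId" -ErrorAction SilentlyContinue
    foreach ($valueName in $Checks.Keys) {
        $raw = $props.$valueName
        $action = if ($null -eq $raw) { 'not set' }
                  elseif ($ActionName.ContainsKey([int]$raw)) { $ActionName[[int]$raw] }
                  else { "unknown ($raw)" }
        [pscustomobject]@{
            ZoneId = $ZoneId; Zone = $ZoneName[$ZoneId]
            Setting = $Checks[$valueName]; Action = $action
        }
    }
}

# Hosts in zones 0-2 run with elevated privileges; each one is a place where
# an XSS bug or an attacker-controlled page becomes a cross-zone script.
$mappings   = @(Get-ZoneMapping -Path "$Base\ZoneMap\Domains")
$privileged = @($mappings | Where-Object { $_.ZoneId -le 2 })

if ($privileged.Count -eq 0) {
    'No hosts are mapped into a privileged zone.'
} else {
    'Hosts mapped into privileged zones:'
    $privileged | Sort-Object ZoneId, Host | Format-Table Host, Scheme, Zone -AutoSize
    'What those zones allow:'
    $privileged.ZoneId | Sort-Object -Unique | ForEach-Object { Get-ZoneActiveXPolicy -ZoneId $_ } |
        Format-Table Zone, Setting, Action -AutoSize
}
```

Any entry with a wildcard scheme (*) or a whole domain mapped into Trusted sites, combined with 1201 set to Enable, is the configuration-error case described above: a cross-site scripting bug anywhere in that domain is enough to reach unsafe ActiveX.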
Into the local computer zone
This type of exploit attempts to execute code in the security context of the Local Computer zone.
The following HTML illustrates a naive (non-working) attempt at exploitation:

```html
<!DOCTYPE html>
<html>
<body>
<img src="attack.gif">
<script src="file://C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\attack.gif"></script>
</body>
</html>
```

Explanation: the IMG SRC reference gets attack.gif (which actually contains script, not an image) loaded into the browser cache. The SCRIPT SRC tag then tries to execute that file from the Local Computer zone by addressing it through its path in the cache. The attempt fails because the cache stores downloaded files under subdirectories with unpredictable names and typically renames them (e.g. attack[1].gif), so the attacker cannot know the real path, and because later versions of Internet Explorer also block a page in a less privileged zone from loading file: URLs (zone elevation protection).
Into the local intranet zone
Consider this scenario:
- An attacker (somehow) knows of a cross-site scripting vulnerability on http://intranet.example.com.
- A lot of http://intranet.example.com users regularly visit http://www.example.com/, where anyone can add Cool links.
- The attacker adds a Cool link that points at the vulnerable page on http://intranet.example.com, with the attacker's script carried in the URL.
Any computer that considers intranet.example.com part of the Local intranet zone and follows the link will now be successfully cross-zone scripted: the injected script runs with Local intranet permissions rather than Internet permissions.
Into the trusted sites zone
executed with "Trusted Sites" permission if windowsupdate.microsoft.com was listed as a trusted site.
- Secunia SA11830, Internet Explorer Security Zone Bypass and Address Bar Spoofing: a vulnerability in Internet Explorer reported by bitlance winter which allows cross-zone scripting into Trusted sites.