Cross Zone Scripting
Attack Pattern ID: 104 (Standard Attack Pattern Completeness: Complete)Typical Severity: HighStatus: Draft
+ Description

Summary

An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attacker's content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.

Attack Execution Flow

Explore
  1. Find systems susceptible to the attack:

    Find systems that contain functionality that is accessed from both the internet zone and the local zone. There needs to be a way to supply input to that functionality from the internet zone and that original input needs to be used later on a page from a local zone.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Leverage knowledge of common local zone functionality on targeted platforms to guide attempted injection of code through relevant internet zone mechanisms. In some cases this may be due to standard system configurations enabling shared functionality between internet and local zones. The attacker can search for indicators that these standard configurations are in place.

    env-Web

    Security Controls

    IDtypeSecurity Control Description
    1Preventative
    Ensure standard system configurations do not enable shared functionality between internet and local zones
Experiment
  1. Find the insertion point for the payload:

    The attacker first needs to find some system functionality or possibly another weakness in the system (e.g. susceptibility to cross site scripting) that would provide the attacker with a mechanism to deliver the payload (i.e.the code to be executed) to the user. The location from which this code is executed in the user's browser needs to be within the local machine zone.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Finding weaknesses in functionality used by both privileged and unprivileged users.

    env-Web
Exploit
  1. Craft and inject the payload:

    Develop the payload to be executed in the higher privilged zone in the user's browser. SecurityDatabase\Alert\Inject the payload and attempt to lure the victim (if possible) into executing the functionality which unleashes the payload.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    The attacker makes it as likely as possible that the vulnerable functionality into which he has injected the payload has a high likelihood of being used by the victim.

    env-Web
    2

    Leverage cross-site scripting vulnerability to inject payload.

    env-Web
+ Attack Prerequisites

The target must be using a zone-aware browser.

+ Typical Likelihood of Exploit

Likelihood: Medium

+ Methods of Attack
  • Analysis
  • Injection
+ Examples-Instances

Description

There was a cross zone scripting vulnerability discovered in Skype that allowed one user to upload a video with a maliciously crafted title that contains a script. Subsequently, when the victim attempts to use the "add video to chat" feature on attacker's video, the script embedded in the title of the video runs with local zone privileges. Skype is using IE web controls to render internal and external HTML pages. "Add video to chat" uses these web controls and they are running in the Local Zone. Any user who searched for the video in Skype with the same keywords as in the title field, would have the attacker's code executing in their browser with local zone privileges to their host machine (e.g. applications on the victim's host system could be executed).

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Medium

Ability to craft malicious scripts or find them elsewhere and ability to identify functionality that is running web controls in the local zone and to find an injection vector into that functionality

+ Resources Required

No specialized equipment is needed

+ Solutions and Mitigations

Disable script execution.

Ensure that sufficient input validation is performed for any potentially untrusted data before it is used in any privileged context or zone

Limit the flow of untrusted data into the privileged areas of the system that run in the higher trust zone

Limit the sites that are being added to the local machine zone and restrict the privileges of the code running in that zone to the bare minimum

Ensure proper HTML output encoding before writing user supplied data to the page

+ Attack Motivation-Consequences
  • Data Modification
  • Information Leakage
  • Privilege Escalation
  • Run Arbitrary Code
+ Related Weaknesses
CWE-IDWeakness NameWeakness Relationship Type
250Execution with Unnecessary PrivilegesTargeted
638Failure to Use Complete MediationTargeted
285Improper Access Control (Authorization)Targeted
116Improper Encoding or Escaping of OutputSecondary
20Improper Input ValidationSecondary
+ Related Attack Patterns
NatureTypeIDNameDescriptionView(s) this relationship pertains toView\(s\)
ChildOfCategoryCategory233Privilege Escalation 
Mechanism of Attack (primary)1000
+ Related Security Principles
  • Enforce least privilege

  • Reluctance to trust

+ Purposes
  • Exploitation
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: HighAvailability Impact: High
+ Technical Context
Architectural Paradigms
n-Tier
Frameworks
All
Platforms
All
Languages
All
+ Content History
Submissions
SubmitterOrganizationDateComments
Evgeny LebanidzeCigital, Inc2009-01-12Initial core pattern content
Modifications
ModifierOrganizationDateComments
Sean BarnumCigital Federal, Inc.2009-04-20Refinement of pattern content