The localhosed attack (stealing IE localhost cookies)

This extended advisory describes a vulnerability in Microsoft Internet Explorer 11/10/9/8/7 (on Windows Vista and above). The vulnerability allows stealing cookies for local machine domains/IP addresses. Additionally, the local IP address used by IE to communicate to the Internet is exposed (even if behind a NAT or a SOCKS proxy). On Windows XP, IE 8-6 are vulnerable to the IP exposure vulnerability only.

Having an HTTP (web) server listening locally on a Windows machine is not too rare, due to a multitude of software installations that do just that, e.g. for administration/control panel. Googling for e.g. Windows “http://localhost” yields almost 1 million hits. There’s no need to name names, but it suffices to say that there are major players from many software types, from virtual machines, to analytics, and of course content management systems.

Of course, such a setup may be susceptible to a plain and simple CSRF attack. However, stealing the cookies has several advantages over CSRF:

  1. If the server employs anti-CSRF code, having the session cookies (in combination with DNS rebinding) can, in some cases (depending on the exact nature of the anti-CSRF technique) work around this protection.
  2. Session cookies (in combination with DNS rebinding) can enable reading data off sensitive pages.
  3. Cookies may contain sensitive information in and of themselves.

The attack method can only steal cookies sent with HTTP requests (not HTTPS). Fortunately for the attacker, a web server bound to a local address is unlikely to use SSL.
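To inventory the exposure described above on a Windows host, the following added example (not part of the original advisory) walks `netstat -ano` output for loopback-only TCP listeners and classifies each `Set-Cookie` header such a server returns as persistent or session, and as exposed when it would travel over plain HTTP. The netstat lines and cookie headers are constructed samples, not real data.

```python
from http import cookies

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1204
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       4412
  TCP    127.0.0.1:8443         0.0.0.0:0              LISTENING       4412
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    [::1]:3000             [::]:0                 LISTENING       5120
"""

LOOPBACK_PREFIXES = ("127.", "[::1]")


def loopback_listeners(netstat_text):
    """Return (address, port, pid) for TCP sockets listening on loopback addresses.

    Sockets bound to 0.0.0.0 or a LAN address are skipped: they are reachable
    from the network anyway and are not the 'local only' case the advisory covers.
    """
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        local = parts[1]
        if not local.startswith(LOOPBACK_PREFIXES):
            continue
        addr, port = local.rsplit(":", 1)
        found.append((addr, int(port), int(parts[4])))
    return found


def classify_cookie(set_cookie_header, over_tls):
    """Classify one Set-Cookie header from a local server.

    Returns a list of (name, kind, exposed): kind is 'persistent' when the
    cookie carries Expires or Max-Age and 'session' otherwise; exposed is True
    when the browser would send it in a plain-HTTP request, i.e. the listener
    is not TLS and the cookie lacks the Secure attribute.
    """
    jar = cookies.SimpleCookie()
    jar.load(set_cookie_header)
    results = []
    for name, morsel in jar.items():
        persistent = bool(morsel["expires"] or morsel["max-age"])
        exposed = (not over_tls) and not morsel["secure"]
        results.append((name, "persistent" if persistent else "session", exposed))
    return results
```

Run `netstat -ano` on the host under review and feed its output to `loopback_listeners`; then fetch `/` from each listener and pass every `Set-Cookie` header to `classify_cookie` with `over_tls` set according to whether the port speaks TLS.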

As for local IP address disclosure, this can be used to map an organization behind a NAT, or as a SOCKS proxy piercing (i.e. exposing the real IP address of a client “hiding” behind a SOCKS proxy).

The impact of the cookie stealing attacks is summarized in the table below:

| | New window | Frame | Self navigation |
|---|---|---|---|
| Browser affected | All IE versions on Windows Vista and above | All IE versions on Windows Vista and above | IE11 |
| User interaction? | Yes (one click) | No | No |
| Host scope | Internet, Local Intranet | Internet | Local Intranet |
| Cookie type | persistent, session | session (and any cookies assigned with P3P acceptable compact policy) | persistent, session |
| UAC mode supported | (all) | (all – if UAC is off, the scope can also cover Local Intranet, and there, persistent cookies can be stolen as well) | On (default) |
| SmartScreen mode supported | Medium (default) or below | (all) | (all) |

Full details here.