The localhosed attack (stealing IE localhost cookies)

amit — Sun, 21 Jun 2015 18:40:09 +0000

This extended advisory describes a vulnerability in Microsoft Internet Explorer 11/10/9/8/7 (on Windows Vista and above). The vulnerability allows stealing cookies for local machine domains/IP addresses. Additionally, the local IP address used by IE to communicate to the Internet is exposed (even if behind a NAT or a SOCKS proxy). On Windows XP, IE 8-6 are vulnerable to the IP exposure vulnerability only.

Having an HTTP (web) server listening locally on a Windows machine is not too rare, due to a multitude of software installations that do just that, e.g. for administration/control panel. Googling for e.g. Windows “http://localhost” yields almost 1 million hits. There’s no need to name names, but it suffices to say that there are major players from many software types, from virtual machines, to analytics, and of course content management systems.

Of course, such setup may be susceptible to a plain and simple CSRF attack. However, stealing the cookies has several advantages over CSRF:

If the server employs anti-CSRF code, having the session cookies (in combination with DNS rebinding) can, in some cases (depending on the exact nature of the anti-CSRF technique) work around this protection.
Session cookies (in combination with DNS rebinding) can enable reading data off sensitive pages.
Cookies may contain sensitive information in and out of themselves.

The attack method can only steal cookies sent with HTTP requests (not HTTPS). Fortunately for the attacker, a web server bound to a local address is unlikely to use SSL.

As for local IP address disclosure, this can be used to map an organization behind a NAT, or as a SOCKS proxy piercing (i.e. exposing the real IP address of a client “hiding” behind a SOCKS proxy).

The impact of the cookie stealing attacks is summarized in the below table:

	New window	Frame	Self navigation
Browser affected	All IE versions on Windows Vista and above	All IE versions on Windows Vista and above	IE11
User interaction?	Yes (one click)	No	No
Host scope	Internet, Local Intranet	Internet	Local Intranet
Cookie type	persistent, session	session (and any cookies assigned with P3P acceptable compact policy)	persistent, session
UAC mode supported	(all)	(all – if UAC is off, the scope can also cover Local Intranet, and there, persistent cookies can be stolen as well)	On (default)
SmartScreen mode supported	Medium (default) or below	(all)	(all)

Full details here.

Amit Klein's security corner - 127.0.0.1

The localhosed attack (stealing IE localhost cookies)

Tags: