An attacker is able to cause a victim to load content into their web
browser that bypasses security zone controls and gains access to increased
privileges to execute scripting code or other web objects, such as unsigned
ActiveX controls or applets. This is a privilege elevation attack targeted
at zone-based web-browser security. In a zone-based model, pages belong to
one of a set of zones corresponding to the level of privilege assigned to
that page. Pages in an untrusted zone have a lesser level of access to the
system and/or are restricted in the types of executable content they are
allowed to invoke. In a cross-zone scripting attack, a page that should be
assigned to a less privileged zone is granted the privileges of a more
trusted zone. This can be accomplished by exploiting bugs in the browser,
exploiting incorrect configuration of the zone controls, through a
cross-site scripting attack that causes the attacker's content to be treated
as coming from a more trusted page, or by leveraging some piece of system
functionality that is accessible from both the trusted and the less trusted
zone. This attack differs from "Restful Privilege Escalation" in that the
latter relates to the inadequate securing of RESTful access methods (such
as HTTP DELETE) on the server, while cross-zone scripting attacks the
concept of security zones as implemented by a browser.
Attack Execution Flow

Explore

1. Find systems susceptible to the attack:
Find systems that contain functionality that is accessed from both the
internet zone and the local zone. There needs to be a way to supply input
to that functionality from the internet zone, and that original input needs
to be used later on a page from a local zone.

Attack Step Techniques
1. Leverage knowledge of common local zone functionality on targeted
platforms to guide attempted injection of code through relevant internet
zone mechanisms. In some cases this may be due to standard system
configurations enabling shared functionality between internet and local
zones. The attacker can search for indicators that these standard
configurations are in place. [Environments: env-Web]

Security Controls
1. Preventative: Ensure standard system configurations do not enable shared
functionality between internet and local zones.
Experiment

1. Find the insertion point for the payload:
The attacker first needs to find some system functionality, or possibly
another weakness in the system (e.g. susceptibility to cross-site
scripting), that provides a mechanism to deliver the payload (i.e. the code
to be executed) to the user. The location from which this code is executed
in the user's browser needs to be within the local machine zone.

Attack Step Techniques
1. Find weaknesses in functionality used by both privileged and
unprivileged users. [Environments: env-Web]
Exploit

1. Craft and inject the payload:
Develop the payload to be executed in the higher privileged zone in the
user's browser. Inject the payload and attempt to lure the victim (if
possible) into executing the functionality which unleashes the payload.

Attack Step Techniques
1. The attacker makes it as likely as possible that the victim will use the
vulnerable functionality into which the payload has been injected.
[Environments: env-Web]
2. Leverage a cross-site scripting vulnerability to inject the payload.
[Environments: env-Web]
Attack Prerequisites
The target must be using a zone-aware browser.
Typical Likelihood of Exploit
Likelihood: Medium
Methods of Attack
Analysis
Injection
Examples-Instances

Description
A cross-zone scripting vulnerability was discovered in Skype that allowed
one user to upload a video with a maliciously crafted title containing a
script. Subsequently, when the victim attempted to use the "add video to
chat" feature on the attacker's video, the script embedded in the title of
the video ran with local zone privileges. Skype uses IE web controls to
render internal and external HTML pages. "Add video to chat" uses these web
controls, and they run in the Local Zone. Any user who searched for the
video in Skype with the same keywords as in the title field would have the
attacker's code executing in their browser with local zone privileges on
their host machine (e.g. applications on the victim's host system could be
executed).
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Medium
Ability to craft malicious scripts or find them elsewhere, and ability to
identify functionality that is running web controls in the local zone and
to find an injection vector into that functionality.
Resources Required
No specialized equipment is needed
Solutions and Mitigations
Disable script execution.
Ensure that sufficient input validation is performed on any potentially
untrusted data before it is used in any privileged context or zone.
Limit the flow of untrusted data into the privileged areas of the system
that run in the higher trust zone.
Limit the sites that are added to the local machine zone and restrict the
privileges of the code running in that zone to the bare minimum.
Ensure proper HTML output encoding before writing user-supplied data to the
page.
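The following is an added example, not code from this CAPEC entry or from Skype, showing the input validation and HTML output encoding mitigations applied to the video-title flow described in the Skype instance above. The function names and the sample title are constructed for illustration.

```javascript
// Added example (not from the CAPEC entry): hardening the "video title" flow from
// the Skype instance. A title is untrusted internet-zone input that later ends up
// in HTML rendered by a web control running in the local zone, so it is validated
// on the way in and HTML-encoded on the way out. Function names are hypothetical.

// Step 1: input validation at the boundary where the title is accepted.
// Reject over-long titles and control characters; what passes is still treated as
// untrusted text, because validation alone is not a substitute for output encoding.
const MAX_TITLE_LENGTH = 120;
function validateTitle(title) {
  if (typeof title !== "string") return false;
  if (title.length === 0 || title.length > MAX_TITLE_LENGTH) return false;
  // Control characters (including NUL and line breaks) have no place in a title.
  return !/[\u0000-\u001f\u007f]/.test(title);
}

// Step 2: HTML output encoding. Every character that can open or close markup, an
// attribute value or an entity is replaced by its entity reference, so the browser
// renders the title as text instead of parsing it as markup.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe rendering: the raw title is concatenated into the page, so a title that
// contains markup is parsed and run with the privileges of the zone the page is in.
function renderTitleUnsafe(title) {
  return `<div class="video-title">${title}</div>`;
}

// Hardened rendering: the title is encoded before it reaches the page, and a title
// that fails validation is replaced with a fixed string rather than rendered.
function renderTitleSafe(title) {
  const shown = validateTitle(title) ? title : "[invalid title]";
  return `<div class="video-title">${escapeHtml(shown)}</div>`;
}

// Constructed sample: a title carrying a script tag, the shape of input the Skype
// instance describes. The tag body is only a placeholder comment.
const SAMPLE_TITLE = "Holiday clip <script>/* placeholder */</script>";

// Returns both renderings of the sample so the difference can be inspected.
function demo() {
  return { unsafe: renderTitleUnsafe(SAMPLE_TITLE), safe: renderTitleSafe(SAMPLE_TITLE) };
}
console.log(demo());
```

When the rendering code has a DOM available, assigning the title to `textContent` (or inserting it with `createTextNode`) instead of building an HTML string achieves the same encoding without a manual escape step.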