This post explains how to abuse Internet Explorer’s Local Intranet Zone using malicious web pages served from the local disk. In corporate environments this could lead to impersonation of the victim on internal web applications and exfiltration of data outside the corporate network.
Internet Explorer renders web pages in Security Zones; each zone comes with security settings that reflect the level of safety of that zone.
When Internet Explorer opens a web page, the Urlmon DLL determines the zone from which the page was loaded. There are four predefined security zones:
Local intranet zone: all sites inside an organisation.
Trusted sites zone: all sites considered trusted.
Restricted sites zone: all sites considered not trusted.
Internet zone: all Internet sites (not in the Trusted or Restricted zones).
In addition to the above four zones, the hidden My Computer zone includes all files served from network shares, the local hard disk and removable drives.
Cross-Site Request Forgery (CSRF) is an attack that abuses the inherent trust a web server places in the browser. Generally, any request within an authenticated session is assumed to be made, directly or indirectly, by the user. The attack described below can be considered a variation of Cross-Site Request Forgery in which the attacker can also read the response. Instead of coercing the user to visit a malicious Internet website, the attacker sends an email with a malicious HTML page attached; when the victim opens this page with Internet Explorer (IE) it is loaded from the local file system and rendered in the My Computer security zone. This zone allows scripts to issue requests to any website, bypassing both the Same Origin Policy (SOP) and Cross-Origin Resource Sharing (CORS).
A simple demo web application was built as a Proof-of-Concept. The application is served from the Local Intranet Zone domain www.corporate.internal as shown in the screenshot below:
Monet HR is a web application used for HR purposes: it allows employees to view and manage their personal data, such as personal and employment information, compensation, holidays, etc.
The demo application exposes a single Servlet to authenticated users:
The servlet allows the user to perform two actions:
getCSRF (retrieves the CSRF token associated with the user's session)
getInfos (retrieves the user's information; requires a valid CSRF token)
The target web application is served from the Local Intranet Zone.
Protected mode is turned OFF for Local Intranet Zone (default).
The victim is authenticated on the target web application.
The victim receives an email with a web page attached.
The victim opens the web page with Internet Explorer.
The victim clicks on “Allow Blocked Content” button.
(only for demo purposes) The victim clicks on "Steal Infos", which triggers the malicious script.
The page served from the local disk is rendered in the My Computer Zone, and can therefore bypass the Same Origin Policy and Cross-Origin Resource Sharing. It can send requests to any application in the Local Intranet Zone, and the victim's cookies will be included in those requests.
The malicious page then exfiltrates the stolen data to a third-party website (lrfpoc.herokuapp.com) using a POST request with content type application/json (thus still violating Cross-Origin Resource Sharing) and can read the response to that request as well (still violating SOP).
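From a detection standpoint, the sequence just described leaves a recognisable trace at the web proxy: a workstation reads the intranet application and, seconds later, POSTs application/json to an external host it has no business talking to. The following PowerShell hunt is an added example and not part of the original post; the log format, the sample lines, the 30-second window and the `.corporate.internal` suffix (taken from the demo) are all constructed assumptions to be adapted to your own proxy logs.

```powershell
# Added example (not from the original post): hunt proxy logs for an intranet read
# followed shortly by a JSON POST to an external host, the shape of the exfiltration
# described above. Log format and all sample values are constructed for this demo.

$IntranetSuffix = '.corporate.internal'   # the post's demo domain; adjust to your intranet
$WindowSeconds  = 30                       # assumption: exfil POST follows the read within seconds

# Constructed sample proxy log: time client method host content-type ("-" when absent)
$SampleLog = @'
2019-04-02T10:15:01Z 10.1.2.34 GET  www.corporate.internal -
2019-04-02T10:15:02Z 10.1.2.34 GET  www.corporate.internal -
2019-04-02T10:15:04Z 10.1.2.34 POST lrfpoc.herokuapp.com application/json
2019-04-02T10:20:00Z 10.1.2.50 GET  www.corporate.internal -
2019-04-02T10:31:00Z 10.1.2.50 POST api.vendor.example application/json
'@ -split "`r?`n"

function ConvertFrom-ProxyLine {
    # Parse one whitespace-separated log line into an object; returns nothing on no match.
    param([string]$Line)
    if ($Line -match '^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$') {
        [pscustomobject]@{
            Time        = [datetimeoffset]::Parse($Matches[1])   # keeps the Z/offset intact
            Client      = $Matches[2]
            Method      = $Matches[3]
            Host        = $Matches[4]
            ContentType = $Matches[5]
        }
    }
}

function Find-IntranetReadThenExternalPost {
    param(
        [string[]]$Lines,
        [string]$Suffix = $IntranetSuffix,
        [int]$Window    = $WindowSeconds
    )
    $events = @($Lines | ForEach-Object { ConvertFrom-ProxyLine $_ } | Where-Object { $_ })

    foreach ($post in $events) {
        # Only external JSON POSTs are candidates for the exfiltration leg.
        if ($post.Method -ne 'POST' -or $post.ContentType -ne 'application/json') { continue }
        if ($post.Host.EndsWith($Suffix)) { continue }

        # Did the same client touch an intranet host within the window before the POST?
        $priorIntranet = $events | Where-Object {
            $_.Client -eq $post.Client -and
            $_.Host.EndsWith($Suffix) -and
            $_.Time -le $post.Time -and
            ($post.Time - $_.Time).TotalSeconds -le $Window
        }
        if ($priorIntranet) {
            [pscustomobject]@{
                Client       = $post.Client
                IntranetHost = ($priorIntranet | Select-Object -Last 1).Host
                ExternalHost = $post.Host
                PostTime     = $post.Time.ToString('u')
                Note         = 'intranet read followed by external JSON POST'
            }
        }
    }
}

# On the constructed sample only 10.1.2.34 is reported: 10.1.2.50's POST is eleven minutes
# after its intranet read, outside the window.
Find-IntranetReadThenExternalPost -Lines $SampleLog | Format-Table -AutoSize
```

The rule is deliberately a hunt rather than an alert: legitimate SaaS integrations also POST JSON, so the external-host hit list should be reviewed against an allowlist of known vendors before anything is turned into a blocking control.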
The steps above are illustrated in the screenshot below, where the requests and responses are printed in the DOM.
The attacker can then view the exfiltrated data on a domain outside of the corporate network:
As this is a client-side issue, the only effective mitigation is to ensure that Internet Explorer enforces SOP and CORS by enabling Protected Mode for the Local Intranet Zone. Since Internet Explorer 7.0 on Windows Vista, this can be achieved through Group Policy Objects (GPO).
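The setting the post refers to is the "Turn on Protected Mode" policy for the Intranet Zone (Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone). The PowerShell below is an added example, not from the original post: it audits whether Protected Mode is enforced for the Local Intranet Zone (zone id 1, registry value `2500`, where 0 means on and 3 means off) and can switch it on locally while the GPO is being rolled out. The assumption that the policy lands under the `HKLM:\Software\Policies` zone key is the standard IE layout, but verify it on your build before relying on the audit result.

```powershell
# Added example (not from the original post): audit and enforce Protected Mode for the
# Local Intranet Zone. Zone ids: 0 = My Computer, 1 = Local intranet, 2 = Trusted,
# 3 = Internet, 4 = Restricted. Value 2500 ("Turn on Protected Mode"): 0 = on, 3 = off.
# Assumption: the GPO-managed copy lives under the Policies hive, the per-user copy under HKCU.

$ZoneId = 1
$Paths = @(
    "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$ZoneId",  # GPO-managed (wins)
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$ZoneId"            # per-user setting
)

function Get-IntranetProtectedModeState {
    # Return the first explicit 2500 value found, policy hive first; absent means IE's default (off).
    foreach ($p in $Paths) {
        if (Test-Path $p) {
            $v = (Get-ItemProperty -Path $p -Name '2500' -ErrorAction SilentlyContinue).'2500'
            if ($null -ne $v) {
                return [pscustomobject]@{ Path = $p; Value = $v; ProtectedMode = ($v -eq 0) }
            }
        }
    }
    [pscustomobject]@{ Path = $null; Value = $null; ProtectedMode = $false }
}

function Enable-IntranetProtectedMode {
    # -Machine writes the policy hive (requires admin); otherwise the current user's hive.
    param([switch]$Machine)
    $target = if ($Machine) { $Paths[0] } else { $Paths[1] }
    if (-not (Test-Path $target)) { New-Item -Path $target -Force | Out-Null }
    Set-ItemProperty -Path $target -Name '2500' -Value 0 -Type DWord
}

$state = Get-IntranetProtectedModeState
if ($state.ProtectedMode) {
    "Local Intranet Zone: Protected Mode ON (set at $($state.Path))"
} else {
    "Local Intranet Zone: Protected Mode OFF (default) - run Enable-IntranetProtectedMode [-Machine]"
}
```

Two caveats for the audit: Protected Mode only takes effect when User Account Control is enabled, so a machine with UAC disabled will report the setting as on while getting no isolation; and a user-hive value is only a stopgap, since anything not delivered by policy can be undone from the Internet Options dialog.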