Hi Vladimir,<div>using my approach, only files in the Cookies folder can be accessed, whether they are cookies or not.</div><div>You cannot escape that sandbox.</div><div>About IE9: I've tested it on the same version and it works; MS has confirmed the vuln, by the way ;-)</div>
<div>About opening arbitrary files, pay attention to 2 issues:</div><div>1- one thing is displaying a file in a frame, a different thing is accessing it; that's why drag&amp;drop is needed... have a look at my slides ;-)<br>
2- not any file, just files in the cookies folder</div><div><br></div><div>regards</div><div>Rosario</div><div><br><div class="gmail_quote">2011/5/25 Владимир Воронцов <span dir="ltr">&lt;<a href="mailto:vladimir.vorontsov@onsec.ru">vladimir.vorontsov@onsec.ru</a>&gt;</span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Great work!<br>
<br>
The technique can be used to steal any data.<br>
For example, content from remote iframes.<br>
And from any local file, i.e. browser cache, configs and others.<br>
<br>
But there is a problem opening URLs in the file:// zone from the http:// zone.<br>
Recently I found a Chrome vuln which provides that.<br>
See <a href="https://docs.google.com/present/view?id=dcm4kmp7_18w8945rdw" target="_blank">https://docs.google.com/present/view?id=dcm4kmp7_18w8945rdw</a> slides<br>
20-23.<br>
<br>
In your work, you talk about a redirect in IE9, but it didn't work for me<br>
(9.0.8112.16421).<br>
<br>
If it is possible to open file:// from http:// in IE9, then it is possible to<br>
steal any local file without user actions :)<br>
<div><div></div><div class="h5"><br>
On Wed, 25 May 2011 00:17:21 +0200, Rosario Valotta<br>
&lt;<a href="mailto:valotta.rosario@gmail.com">valotta.rosario@gmail.com</a>&gt; wrote:<br>
> Hi,<br>
> last week, at two security conferences, I showed a new attack technique<br>
> called Cookiejacking that allows stealing session cookies without any<br>
> XSS vulnerability.<br>
><br>
> <a href="https://www.swisscyberstorm.com/speakers/valotta" target="_blank">https://www.swisscyberstorm.com/speakers/valotta</a><br>
> <a href="http://conference.hackinthebox.org/hitbsecconf2011ams/?page_id=1388" target="_blank">http://conference.hackinthebox.org/hitbsecconf2011ams/?page_id=1388</a><br>
><br>
> All previous approaches on the same topic used at least an XSS or a Man<br>
> in the middle attack (e.g. Firesheep) to steal cookies.<br>
> In this approach I use a 0-day vulnerability affecting all versions of IE<br>
> on every Windows OS and an advanced Clickjacking attack in order to trick<br>
> users into dragging &amp; dropping their cookies.<br>
><br>
> You can steal any cookie (http only, secure cookies, whatever the<br>
> website) of every Win user!<br>
><br>
> If it is interesting, on my blog you can find a writeup and a couple of<br>
> videos.<br>
> <a href="https://sites.google.com/site/tentacoloviola/cookiejacking" target="_blank">https://sites.google.com/site/tentacoloviola/cookiejacking</a><br>
><br>
> Regards<br>
><br>
> Rosario Valotta<br>
<br>
</div></div><font color="#888888">--<br>
Best regards,<br>
Vladimir Vorontsov<br>
ONsec security expert<br>
<br>
</font></blockquote></div><br></div>