ITN News Gadget - Script Injection Vulnerability

Windows Vista includes the “Windows Sidebar”. This new feature allows users to display ‘gadgets’ on the sidebar and on the Windows desktop. Gadgets are small applications containing HTML, XML and JavaScript.

The ITN News Sidebar gadget lets users view the latest world, money, sports, showbiz and weather news, and read or watch video news on the flyout panel. This information is requested by the ITN News gadget from a web server, which responds with the latest news stories. An attacker capable of intercepting the web server's response to the gadget's request could modify that response so that a script is injected and then run on the user's system. The injected script would run with the privileges of the currently logged-in user.

The following script could be injected in a “short_title” section of the response returned by the web server:-

<![CDATA[<script SRC='vbscript:System.Shell.execute("cmd.exe", "/k ipconfig")'>]]>

In this case this would result in the “ipconfig” command being executed on the user’s system.

An attacker could alter this code to execute commands of their choosing which, depending on the logged on user’s privileges, could result in the remote compromise of the target system.

It should be noted that for this attack to be exploited an attacker would need to be able to intercept and modify network traffic between the remote web server supplying the information and the targeted user.
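The root cause described above is a gadget that takes a text field from an unauthenticated server response and concatenates it straight into its own HTML, so any tag in that field becomes live markup. The following is an added example, not the ITN gadget's code, showing the vulnerable rendering pattern beside a hardened one and a simple check a defender could use to log a tampered response. The feed object, the field names and the function names are constructed for illustration; the only name taken from the advisory is the short_title field.

```javascript
// Constructed sample feed, shaped like a gadget might receive it after
// parsing the server response. The second short_title carries markup
// instead of a plain headline, standing in for a modified response.
const CONSTRUCTED_FEED = {
  items: [
    { short_title: "Markets close higher" },
    { short_title: "<script>/* injected */</script>Breaking news" },
  ],
};

// Vulnerable pattern: the response text is concatenated directly into HTML
// (the same effect as assigning it to innerHTML), so a tag inside the field
// becomes a real element in the gadget's DOM and runs as the user.
function renderUnsafe(item) {
  return '<div class="title">' + item.short_title + "</div>";
}

// Hardened pattern: escape the HTML-significant characters so the server's
// text can only ever be displayed, never interpreted as markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSafe(item) {
  return '<div class="title">' + escapeHtml(item.short_title) + "</div>";
}

// Detection check: a headline should never contain the start of a tag.
// Returns the offending titles so the gadget (or a proxy) can log them
// instead of rendering them.
function findTamperedTitles(feed) {
  return feed.items
    .map((it) => it.short_title)
    .filter((t) => /<[a-zA-Z!\/]/.test(t));
}

// Render the whole feed the safe way.
function renderFeed(feed) {
  return feed.items.map(renderSafe).join("\n");
}
```

In a real gadget the equivalent of renderSafe is to create the element and set its text via a text node or textContent rather than building an HTML string; escaping is shown here so the difference between the two outputs is visible as data. The check does not replace transport protection: the advisory's precondition is that the attacker can modify traffic, so fetching the feed over TLS from a verified host removes the attack surface, while escaping limits the damage if the content is tampered with anyway.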

ITN News gadget version 1.06 was confirmed to be affected by this vulnerability. The vendor has addressed this issue and implemented a fix in version 1.23.

The full security advisory can be found here:- [1][2]

The whitepaper Considerations for the Secure Rollout of Sidebar Gadgets on Windows Vista is recommended reading if you are interested in the security of gadgets.
