Code Execution via XSS in Internet Explorer

2008-11-24T00:00:00

Description

Hello 3APA3A! Recently I wrote about Code Execution via XSS attack (http://websecurity.com.ua/2635/). In this article I told about Code Execution attack via Cross-Site Scripting vulnerability in Internet Explorer (http://websecurity.com.ua/1241/), which I disclosed in August 2007. Last year and this year I found Cross-Site Scripting vulnerabilities in different browsers (IE, Chrome and Opera), which belong to Saved XSS type (http://websecurity.com.ua/2641/). And recently I created technique of conducting Code Execution attack via these XSS vulnerabilities. The attack works when web page was saved in IE at user's computer and then it was opened in IE. This technique can be used for bypassing of different proxies and firewalls, which analyze content of web pages for malicious code (because attacking code appears in the page already after saving). And also can be used for bypassing of antiviruses (for example, this nice attack http://milw0rm.com/exploits/5619 easily blocked by my Norton Antivirus, but my attack works very fine). Code Execution: http://site/?--><script>c=new/**/ActiveXObject('WScript.Shell');c.Run('calc.exe');</script> For making of hidden attack the iframe can be used: <iframe src="http://site/?--><script>c=new ActiveXObject('WScript.Shell');c.Run('calc.exe');</script>" height="0" width="0"></iframe> This attack works in Internet Explorer when option “Initialize and script ActiveX control not marked as safe” (for Local intranet) is turned on (Enabled or Prompt). It's such bug in hole of Microsoft :-) and it's method of bypassing of the bug. This setting is needed only during attack via this XSS, when JS code placed on the same line, where there is a comment. Because if it's on other line (i.e. without preceding comment), then code will work and without this setting (Disable). That can be achieved in case, when attack made not via XSS, but the attack code is placed (in appropriate way) directly in body of page. Vulnerable is version Internet Explorer 6 (6.0.2900.2180) and previous versions. And Internet Explorer 7 (7.0.6000.16711) and previous versions. Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua

{"id": "SECURITYVULNS:DOC:20911", "vendorId": null, "type": "securityvulns", "bulletinFamily": "software", "title": "Code Execution via XSS in Internet Explorer", "description": "Hello 3APA3A!\r\n\r\nRecently I wrote about Code Execution via XSS attack\r\n(http://websecurity.com.ua/2635/).\r\n\r\nIn this article I told about Code Execution attack via Cross-Site\r\nScripting vulnerability in Internet Explorer\r\n(http://websecurity.com.ua/1241/), which I disclosed in August 2007.\r\n\r\nLast year and this year I found Cross-Site Scripting vulnerabilities in\r\ndifferent browsers (IE, Chrome and Opera), which belong to Saved XSS type\r\n(http://websecurity.com.ua/2641/). And recently I created technique of\r\nconducting Code Execution attack via these XSS vulnerabilities.\r\n\r\nThe attack works when web page was saved in IE at user's computer and\r\nthen it was opened in IE. This technique can be used for bypassing of\r\ndifferent proxies and firewalls, which analyze content of web pages for\r\nmalicious code (because attacking code appears in the page already after\r\nsaving). And also can be used for bypassing of antiviruses (for example,\r\nthis nice attack http://milw0rm.com/exploits/5619 easily blocked by my\r\nNorton Antivirus, but my attack works very fine).\r\n\r\nCode Execution:\r\n\r\nhttp://site/?--><script>c=new/**/ActiveXObject('WScript.Shell');c.Run('calc.exe');</script>\r\n\r\nFor making of hidden attack the iframe can be used:\r\n\r\n<iframe src="http://site/?--><script>c=new\r\nActiveXObject('WScript.Shell');c.Run('calc.exe');</script>" height="0"\r\nwidth="0"></iframe>\r\n\r\nThis attack works in Internet Explorer when option \u201cInitialize and\r\nscript ActiveX control not marked as safe\u201d (for Local intranet) is turned\r\non (Enabled or Prompt). It's such bug in hole of Microsoft :-) and it's\r\nmethod of bypassing of the bug. This setting is needed only during attack\r\nvia this XSS, when JS code placed on the same line, where there is a\r\ncomment. Because if it's on other line (i.e. without preceding comment),\r\nthen code will work and without this setting (Disable). That can be\r\nachieved in case, when attack made not via XSS, but the attack code is\r\nplaced (in appropriate way) directly in body of page.\r\n\r\nVulnerable is version Internet Explorer 6 (6.0.2900.2180) and previous\r\nversions. And Internet Explorer 7 (7.0.6000.16711) and previous versions. \r\n\r\nBest wishes & regards,\r\nMustLive\r\nAdministrator of Websecurity web site\r\nhttp://websecurity.com.ua", "published": "2008-11-24T00:00:00", "modified": "2008-11-24T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20911", "reporter": "Securityvulns", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2018-08-31T11:10:28", "viewCount": 118, "enchantments": {"score": {"value": 2.0, "vector": "NONE"}, "dependencies": {"references": []}, "backreferences": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:8081"]}]}, "exploitation": null, "affected_software": {"major_version": []}, "vulnersScore": 2.0}, "_state": {"dependencies": 1678962117, "score": 1684016453, "affected_software_major_version": 0, "epss": 1679322135}, "_internal": {"score_hash": "baf318970f04251783143ba25fa7842c"}, "sourceData": "", "affectedSoftware": [], "appercut": {}, "exploitpack": {}, "hackapp": {}, "toolHref": "", "w3af": {}}