Code Execution via XSS in Internet Explorer

2008-11-24T00:00:00
ID SECURITYVULNS:DOC:20911
Type securityvulns
Reporter Securityvulns
Modified 2008-11-24T00:00:00

Description

Hello 3APA3A!

Recently I wrote about the Code Execution via XSS attack (http://websecurity.com.ua/2635/).

In that article I wrote about the Code Execution attack via a Cross-Site Scripting vulnerability in Internet Explorer (http://websecurity.com.ua/1241/), which I disclosed in August 2007.

Last year and this year I found Cross-Site Scripting vulnerabilities in different browsers (IE, Chrome and Opera) which belong to the Saved XSS type (http://websecurity.com.ua/2641/). And recently I created a technique for conducting a Code Execution attack via these XSS vulnerabilities.

The attack works when a web page has been saved in IE on the user's computer and is then opened in IE. This technique can be used to bypass various proxies and firewalls which analyze the content of web pages for malicious code (because the attacking code appears in the page only after saving). It can also be used to bypass antiviruses (for example, this nice attack http://milw0rm.com/exploits/5619 is easily blocked by my Norton Antivirus, but my attack works very well).

Code Execution:

http://site/?--><script>c=new/**/ActiveXObject('WScript.Shell');c.Run('calc.exe');</script>

To make the attack hidden, an iframe can be used:

<iframe src="http://site/?--><script>c=new ActiveXObject('WScript.Shell');c.Run('calc.exe');</script>" height="0" width="0"></iframe>

This attack works in Internet Explorer when the option “Initialize and script ActiveX control not marked as safe” (for Local intranet) is turned on (Enabled or Prompt). It's such a bug in a hole of Microsoft :-) and it's a method of bypassing the bug. This setting is needed only for the attack via this XSS, when the JS code is placed on the same line where there is a comment. Because if it is on another line (i.e. without a preceding comment), then the code will work even without this setting (Disable). That can be achieved when the attack is made not via XSS, but the attack code is placed (in an appropriate way) directly in the body of the page.

Vulnerable are Internet Explorer 6 (6.0.2900.2180) and previous versions, and Internet Explorer 7 (7.0.6000.16711) and previous versions.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
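The report's comment dependency comes from how IE saves pages: it writes the source URL into an HTML comment at the top of the saved file, so a `-->` in the query string closes that comment and the rest of the URL is parsed as markup when the saved copy is reopened. The following Python is an added example for defenders, not part of the original report: it scans web-server access logs for request URLs carrying such comment-breakout payloads (percent-decoding the query string first, repeatedly, so single or double encoding does not hide the terminator) and separately flags the ActiveXObject('WScript.Shell') call the report uses. The log lines are constructed for the example.

```python
"""Flag 'saved XSS' comment-breakout payloads in web-server access logs.

Added example for the securityvulns report above; the log lines below are
constructed, not taken from any real server.
"""
import re
from urllib.parse import unquote

# An HTML comment terminator immediately followed by a script tag: in a page
# saved by IE this closes the "saved from url" comment and injects markup.
COMMENT_BREAKOUT = re.compile(r"-->\s*<script", re.IGNORECASE)

# The WScript.Shell ActiveX call used in the report to run a local program.
ACTIVEX_SHELL = re.compile(
    r"ActiveXObject\s*\(\s*['\"]WScript\.Shell['\"]", re.IGNORECASE
)

# Request line inside a common-log-format entry: "METHOD PATH HTTP/x.y".
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def decode_query(url: str) -> str:
    """Return the query string of a URL, percent-decoded until stable.

    Decoding repeatedly catches double-encoded payloads (%253E -> %3E -> >).
    """
    query = url.split("?", 1)[1] if "?" in url else ""
    previous = None
    while previous != query:
        previous, query = query, unquote(query)
    return query


def classify(url: str) -> list:
    """Return the list of indicator names found in the URL's query string."""
    query = decode_query(url)
    findings = []
    if COMMENT_BREAKOUT.search(query):
        findings.append("html-comment-breakout")
    if ACTIVEX_SHELL.search(query):
        findings.append("activex-wscript-shell")
    return findings


def scan_log(lines) -> list:
    """Return (line_number, path, findings) for every log entry that matches."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        match = LOG_RE.search(line)
        if not match:
            continue  # not a request line we understand; skip it
        findings = classify(match.group("path"))
        if findings:
            hits.append((lineno, match.group("path"), findings))
    return hits


# Constructed sample log (common log format). Line 2 carries the report's
# payload verbatim; line 3 carries the iframe variant percent-encoded;
# lines 1 and 4 are benign (line 4 contains "-->" but no script tag).
SAMPLE_LOG = """\
192.0.2.10 - - [24/Nov/2008:10:00:00 +0200] "GET /index.php?page=about HTTP/1.1" 200 512
192.0.2.11 - - [24/Nov/2008:10:00:01 +0200] "GET /?--><script>c=new/**/ActiveXObject('WScript.Shell');c.Run('calc.exe');</script> HTTP/1.1" 200 1024
192.0.2.12 - - [24/Nov/2008:10:00:02 +0200] "GET /?--%3E%3Cscript%3Ec=new%20ActiveXObject('WScript.Shell');c.Run('calc.exe');%3C/script%3E HTTP/1.1" 200 1024
192.0.2.13 - - [24/Nov/2008:10:00:03 +0200] "GET /search?q=a--%3Eb HTTP/1.1" 200 256
""".splitlines()


if __name__ == "__main__":
    for lineno, path, findings in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(findings)}: {path}")
```

Running the script reports lines 2 and 3 of the sample log with both indicators; the benign lines produce nothing. Because the payload only becomes active after the page is saved locally, logging at the server is the place where it is still visible as a request, which is why the detector works on access logs rather than on page content.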