Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

VBScript - MSXML Execution Policy Bypass Exploit

🗓️ 22 Dec 2018 00:00:00Reported by Google Security ResearchType 
zdt
 zdt🔗 0day.today👁 67 Views

VBScript MSXML Execution Policy Bypass Exploi

Related
Code
ReporterTitlePublishedViews
Family
ATTACKERKB		CVE-2018-8619
12 Dec 201800:29
attackerkb
BDU FSTEC		The vulnerability in Internet Explorer, caused by an operation that goes beyond the buffer boundaries in memory, allows a malicious actor to execute arbitrary code with the privileges of the current user.
28 Dec 201800:00
bdu_fstec
Circl		CVE-2018-8619
20 Dec 201800:00
circl
CNVD		Microsoft Internet Explorer VBScript Engine Remote Memory Corruption Vulnerability (CNVD-2019-39018)
12 Dec 201800:00
cnvd
Check Point Advisories		Microsoft Internet Explorer Remote Code Execution (CVE-2018-8619)
11 Dec 201800:00
checkpoint_advisories
CVE		CVE-2018-8619
12 Dec 201800:00
cve
Cvelist		CVE-2018-8619
12 Dec 201800:00
cvelist
Microsoft KB		Internet Explorer help
11 Dec 201808:00
mskb
Microsoft KB		December 11, 2018—KB4471318 (Monthly Rollup)
11 Dec 201808:00
mskb
Microsoft KB		December 11, 2018—KB4471320 (Monthly Rollup)
11 Dec 201808:00
mskb
Rows per page
According to https://blogs.windows.com/msedgedev/2017/07/07/update-disabling-vbscript-internet-explorer-11/, Starting from Windows 10 Fall Creators Update, VBScript execution in IE 11 should be disabled for websites in the Internet Zone and the Restricted Sites Zone by default.

However, the VBScript execution policy does not appear to cover VBScript code in MSXML xsl files which can still execute VBScript, even when loaded from the Internet Zone.

To demonstrate, place the files in the attached archive on a web server in the Internet zone and open index.html. If successful, the text "Hello from VBscript" will be rendered on the page. If you look at the provided code, this text is assembled dynamically by VBScript.

This has been tested on Windows 10 Version 1803 with the latest patches applied and VBScript execution policy applied for the Internet Zone (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\140C = 3).


Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46023.zip

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
22 Dec 2018 00:00Current
CVSS 37.5
CVSS 27.6
EPSS0.61268
vbscriptmsxmlexecution policybypassexploitinternet explorerwindows 10updatesecuritypatchesproof of conceptgithub
67