SECURITYVULNS:DOC:20911
History: Nov 24, 2008 - 12:00 a.m.

Code Execution via XSS in Internet Explorer

2008-11-24 00:00:00
vulners.com

Hello 3APA3A!

Recently I wrote about Code Execution via XSS attack
(http://websecurity.com.ua/2635/).

In that article I described the Code Execution attack via a Cross-Site
Scripting vulnerability in Internet Explorer
(http://websecurity.com.ua/1241/), which I disclosed in August 2007.

Last year and this year I found Cross-Site Scripting vulnerabilities in
different browsers (IE, Chrome and Opera) which belong to the Saved XSS type
(http://websecurity.com.ua/2641/). And recently I created a technique for
conducting a Code Execution attack via these XSS vulnerabilities.

The attack works when a web page has been saved in IE on the user's computer
and then opened in IE. This technique can be used to bypass various proxies
and firewalls which analyze the content of web pages for malicious code
(because the attacking code appears in the page only after saving). It can
also be used to bypass antiviruses (for example, this nice attack
http://milw0rm.com/exploits/5619 is easily blocked by my Norton Antivirus,
but my attack works very fine).

Code Execution:

http://site/?--><script>c=new/**/ActiveXObject('WScript.Shell');c.Run('calc.exe');</script>

To make the attack hidden, an iframe can be used:

<iframe src="http://site/?--><script>c=new ActiveXObject('WScript.Shell');c.Run('calc.exe');</script>" height="0" width="0"></iframe>

This attack works in Internet Explorer when the option “Initialize and
script ActiveX control not marked as safe” (for Local intranet) is turned
on (Enabled or Prompt). It's such a bug in a hole of Microsoft :-) and it's
a method of bypassing the bug. This setting is needed only during the attack
via this XSS, when the JS code is placed on the same line where there is a
comment. Because if it's on another line (i.e. without a preceding comment),
then the code will work even without this setting (Disable). That can be
achieved when the attack is made not via XSS, but the attack code is
placed (in an appropriate way) directly in the body of the page.
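The following is an added example, not part of MustLive's post. It assumes that the saved page records its source URL inside an HTML comment; under that assumption it models why the `?-->` query above lands a `<script>` tag outside the comment, shows a writer that neutralises the comment-closing sequence before embedding the URL, and a check a defender can run over request query strings.

```python
import re
from urllib.parse import quote

# Constructed sample modelled on the query string shown in the advisory.
SAMPLE_URL = ("http://site/?--><script>c=new/**/ActiveXObject('WScript.Shell');"
              "c.Run('calc.exe');</script>")


def naive_saved_from_comment(url: str) -> str:
    """Assumed save routine: copies the source URL verbatim into an HTML comment."""
    return f"<!-- saved from url=({len(url):04d}){url} -->"


def script_outside_comment(html: str) -> bool:
    """True if a <script tag occurs while not inside a <!-- ... --> comment."""
    in_comment = False
    i = 0
    while i < len(html):
        if not in_comment and html.startswith("<!--", i):
            in_comment, i = True, i + 4
            continue
        if in_comment and html.startswith("-->", i):
            in_comment, i = False, i + 3
            continue
        if not in_comment and html[i:i + 7].lower() == "<script":
            return True
        i += 1
    return False


def neutralise_for_comment(url: str) -> str:
    """Percent-encode the URL and break any '--' so it can never close a comment."""
    encoded = quote(url, safe=":/?&=#.~_")   # '<' and '>' become %3C / %3E
    return encoded.replace("--", "%2D%2D")   # '-' is unreserved, so handle it explicitly


def hardened_saved_from_comment(url: str) -> str:
    """Same comment format as above, but with the URL made comment-safe first."""
    safe = neutralise_for_comment(url)
    return f"<!-- saved from url=({len(safe):04d}){safe} -->"


def suspicious_query(query: str) -> bool:
    """Defender check: comment-close followed by a script tag in a request query."""
    return re.search(r"--\s*>\s*<\s*script", query, re.I) is not None
```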

Vulnerable are Internet Explorer 6 (6.0.2900.2180) and previous versions,
and Internet Explorer 7 (7.0.6000.16711) and previous versions.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua