SECURITYVULNS:DOC:20941
Dec 03, 2008 - 12:00 a.m.

Cross-browser Code Execution via XSS

vulners.com

Hello 3APA3A!

Recently I wrote about a cross-browser Code Execution via XSS attack (http://websecurity.com.ua/2638/). Earlier I wrote to you about Code Execution via XSS in Internet Explorer (http://securityvulns.ru/Udocument911.html).

In this article I described a Code Execution attack via IE through a Cross-Site Scripting vulnerability in Opera (http://websecurity.com.ua/2555/), which I disclosed in October 2008.

The attack works when a web page is saved in Opera as a Web Archive file with a .htm (.html) name on the user's computer and is then opened in IE. This technique can be used to bypass various proxies and firewalls that analyze the content of web pages for malicious code (because the attacking code only appears in the page after saving). It can also be used to bypass antiviruses.

Code Execution:

http://site/?--%3E%3Cscript%3Ec=new%20ActiveXObject('WScript.Shell');c.Run('calc.exe');%3C/script%3E

To make the attack hidden, an iframe can be used:

<iframe src="http://site/?--%3E%3Cscript%3Ec=new%20ActiveXObject('WScript.Shell');c.Run('calc.exe');%3C/script%3E" height="0" width="0"></iframe>

Unlike the previous attack (which works only via IE), this cross-browser attack works in IE even without the option "Initialize and script ActiveX control not marked as safe" turned on.

Opera 9.52 and previous versions are vulnerable (and potentially later versions). Code execution occurs in any version of Internet Explorer (IE6 and IE7).

A similar attack can also be made in the Google Chrome browser, via a Cross-Site Scripting vulnerability in Google Chrome (http://websecurity.com.ua/2505/). Only in Chrome the web page must be saved not as a Web Archive but, as in IE, as "Web Page, complete".

But only in old versions (Chrome <= 0.2.149.30), because starting with Chrome 0.3.154.9 this XSS has already been fixed. These XSS vulnerabilities in Opera and Chrome belong to the Saved XSS type (http://websecurity.com.ua/2641/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
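The Saved XSS mechanism behind the post, as an added illustration that is not MustLive's code and not any browser's real save routine: it assumes the saved copy records the original page URL inside an HTML comment on its first line, writes that header verbatim beside a percent-encoded form, and scans a saved .htm header for the comment breakout that lets the URL's `<script>` become live markup. The sample URL is the PoC quoted in the post.

```python
import re
from urllib.parse import unquote

# Constructed sample: the PoC URL quoted in the post, %xx-decoded the way a browser
# would store the original address when it saves a copy of the page.
POC_URL = unquote("http://site/?--%3E%3Cscript%3Ec=new%20ActiveXObject('WScript.Shell');"
                  "c.Run('calc.exe');%3C/script%3E")

def saved_header_unsafe(url: str) -> str:
    """Models the defect: the source URL is written into an HTML comment verbatim.
    (Assumed behaviour to show the bug class, not any browser's actual code.)"""
    return f"<!-- saved from url={url} -->"

def encode_for_comment(url: str) -> str:
    """Percent-encode the only characters that can close a comment or open a tag
    ('-', '<', '>'); urllib.parse.quote() never encodes '-', so do it by hand."""
    return "".join(f"%{ord(c):02X}" if c in "-<>" else c for c in url)

def saved_header_safe(url: str) -> str:
    """Hardened form of the same header: the URL can no longer end the comment."""
    return f"<!-- saved from url={encode_for_comment(url)} -->"

def live_markup_in_header(saved_html: str) -> str:
    """Returns the part of the header line (assumed: first line of the saved file)
    that an HTML parser treats as live markup rather than comment text. A comment
    ends at the FIRST '-->' it contains, so a URL carrying '-->' leaks everything
    after it out of the comment."""
    header = saved_html.split("\n", 1)[0]
    start = header.find("<!--")
    if start < 0:
        return header
    end = header.find("-->", start + 4)
    return "" if end < 0 else header[end + 3:]

SCRIPT_RE = re.compile(r"<\s*script\b|\bActiveXObject\s*\(", re.I)

def is_saved_xss(saved_html: str) -> bool:
    """Scanner for saved .htm files: flags a file whose 'saved from' header leaks
    script-bearing markup into the document."""
    return bool(SCRIPT_RE.search(live_markup_in_header(saved_html)))

if __name__ == "__main__":
    print(is_saved_xss(saved_header_unsafe(POC_URL)))  # True
    print(is_saved_xss(saved_header_safe(POC_URL)))    # False
```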