Today I want to revive my blog and share a small, very simple (and new?) trick: how to get client-side RCE via JSONP in IE (any version). The technique resembles the "reflected file download" attack presented at the last BlackHat.

JSONP is JSON data with "padding": a callback function wrapped around the data so that the client side can work with it. It is typically used when there are two domains and, because of the Same-Origin Policy (SOP), a request sent from domain A cannot read the response from domain B; a <script> tag is not restricted that way, so the response is delivered as executable script that calls the callback with the data.
A typical example:
What do we know about JSONP threats?
  1. JSONP leaks
  2. XSS via JSON / JSONP callbacks
  3. Advanced vector: “rosetta flash”
  4. ?

1. JSONP leaks

When the server side returns sensitive data (e.g. based on the user's cookies) and does not check the source of the request, an attacker can steal that data by including the endpoint as a <script> on his own page. A typical example is my report on H1 (CloudFlare) –

2. XSS via JSON / JSONP callbacks

When the JSON(P) response is served with a wrong content type such as "text/html", the attacker can usually turn the callback (or the data inside the JSON array) into an XSS vector. In some cases the content type can be spoofed via the file extension (IE only) –

3. Advanced vector: “rosetta flash”

Just read this blog post – In short: an attacker can bypass SOP using JSONP and Flash (a specially crafted SWF file without any special characters, passed as the callback). Fixed in the latest Flash plugin versions.

4. ?

And… the subject of this post: RCE in any IE version.
If Internet Explorer (IE) sees one of the following content types in the response:
  • text/javascript
  • application/javascript
  • application/x-javascript

upd: application/json doesn't work // cc

(and probably some others), it offers to save or open the response as a Windows Script Host .js file, regardless of the file extension in the request URL.
If the user clicks the "Open" button and then confirms twice (as with a typical .exe file), the file is executed.

Through the callback parameter we can give this file any content we like, served from a trusted domain. Example (the callback value): new ActiveXObject("WScript.Shell").Exec("calc")//

[Screenshot 2015-01-24 19:46:19]
Open this link in IE and click the "Open" button twice – the calc window appears.
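As an added example (not code from the original post), here is the JSONP endpoint behind the "typical example" above, written in two forms: the naive one that items 2 and 4 on this page abuse, and a hardened one. The host trusted.example, the handler names, the token scheme and SAMPLE_RECORD are all constructed for this example; the only thing taken from the page is the callback payload itself.

```javascript
// Added example, not code from the original post. It writes the JSONP endpoint
// from the "typical example" above in two forms: the naive one that items 2 and
// 4 on this page abuse, and a hardened one. The host trusted.example, the handler
// names, the token scheme and SAMPLE_RECORD are all constructed for this example.

// Constructed record, shaped like the JSON body quoted in the comments below.
const SAMPLE_RECORD = { ID: "583836c82370ac4c85dbaea3e4b6b5b6", CS: "3", LV: "201501", V: "1" };

// Naive handler: the URL-decoded callback parameter is copied verbatim in front
// of the JSON. contentType is whatever the framework happens to send.
function jsonpNaive(url, record, contentType) {
  const cb = new URL(url).searchParams.get("callback") || "callback";
  return { status: 200, headers: { "Content-Type": contentType },
           body: cb + "(" + JSON.stringify(record) + ")" };
}

// Hardened handler. Only a dotted JavaScript identifier is accepted as the
// callback, so neither new ActiveXObject(...) nor <script> can reach the body.
// A <script src> still needs a script MIME type to run the padded response, so
// the whitelist, not the content type, is the control that matters here.
const VALID_CALLBACK = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function jsonpHardened(url, record, sessionToken) {
  const params = new URL(url).searchParams;
  const headers = { "Content-Type": "application/javascript; charset=utf-8",
                    "X-Content-Type-Options": "nosniff" };
  // Item 1 (leaks): a response readable cross-origin must not be authenticated
  // by cookies alone; demand a per-session token the attacker's page cannot know.
  if (params.get("token") !== sessionToken) {
    return { status: 403, headers, body: "/**/" };
  }
  const cb = params.get("callback");
  if (cb === null) {
    // No padding requested: answer with plain JSON, which the update above
    // says IE does not offer to open as a script.
    return { status: 200, body: JSON.stringify(record),
             headers: { ...headers, "Content-Type": "application/json; charset=utf-8" } };
  }
  if (!VALID_CALLBACK.test(cb)) {
    return { status: 400, headers, body: "/**/" };
  }
  // The leading "/**/" is the usual fix for item 3 (Rosetta Flash): the body
  // can then never begin with a SWF header, whatever the callback contains.
  return { status: 200, headers, body: "/**/" + cb + "(" + JSON.stringify(record) + ");" };
}

// The callback from this post, encoded the way a browser sends it.
const WSH_CALLBACK = 'new ActiveXObject("WScript.Shell").Exec("calc")//';
const ATTACK_URL = "https://trusted.example/api?callback=" + encodeURIComponent(WSH_CALLBACK);

// Item 2: the same copy-paste bug becomes XSS once the content type is text/html.
const XSS_URL = "https://trusted.example/api?callback=" +
  encodeURIComponent("<script>alert(document.domain)</script>");

// Runs every case and returns the responses so they can be inspected or asserted on.
function demo() {
  return {
    naiveWsh: jsonpNaive(ATTACK_URL, SAMPLE_RECORD, "text/javascript"),
    naiveXss: jsonpNaive(XSS_URL, SAMPLE_RECORD, "text/html"),
    noToken: jsonpHardened(ATTACK_URL, SAMPLE_RECORD, "t0k"),
    hardenedWsh: jsonpHardened(ATTACK_URL + "&token=t0k", SAMPLE_RECORD, "t0k"),
    plainJson: jsonpHardened("https://trusted.example/api?token=t0k", SAMPLE_RECORD, "t0k"),
    hardenedOk: jsonpHardened("https://trusted.example/api?callback=app.onData&token=t0k",
                              SAMPLE_RECORD, "t0k"),
  };
}

console.log(demo().naiveWsh.body); // the body IE offers to open as a .js script
```

The naive body is exactly the text shown in the Notepad window in the comments below: the callback, then "//" commenting out the parenthesised JSON, so WSH sees nothing but the one ActiveXObject line. The hardened handler returns the same shape of response for every case, which makes it easy to diff against the naive one in a test.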



UPD: Before publishing this post I tried to find the same technique via Google – but found nothing. Today Denis wrote to me and gave this link – So, it isn't new 🙂


January 24th, 2015

Posted In: tricks

  • Oleg Neumyvakin

    Can’t reproduce in IE 11.0.9600.1751

    • sergeybelove

      Thanks for reply. Any details?

      • Oleg Neumyvakin

        Well, as in your video I've seen two confirmation dialogs, and finally a Notepad window opens with the following content:

        new ActiveXObject("WScript.Shell").Exec("calc")//({"ID":"583836c82370ac4c85dbaea3e4b6b5b6","CS":"3","LV":"201501","V":"1"})