Today I want to revive my blog and share a small, very simple (and new?) trick: how to get client-side RCE via JSONP in IE (any version). The technique resembles the “reflected file download” attack presented at the last BlackHat.

JSONP is JSON data with «padding»: a callback function that lets the page work with the received data on the client side. It is usually needed when there are two domains and, because of the SOP, we cannot read a response from domain B while sending the request from domain A.
A typical example:
<!-- Request sent via a script tag -->
<script src=""></script>
<!-- Data received as an execution of the predefined function. -->
<script> function apiStatus(data) { console.log(data.status); } </script>
What do we know about JSONP threats?
  1. JSONP leaks
  2. XSS via JSON / JSONP callbacks
  3. Advanced vector: “rosetta flash”
  4. ?

1. JSONP leaks

When the server side returns sensitive data (e.g. based on the user’s cookies) and doesn’t check the source of the request, an attacker can steal this data. A typical example is my report on H1 (CloudFlare) –

2. XSS via JSON / JSONP callbacks

When a JSON(P) response has a wrong content type such as “text/html”, an attacker can probably turn the callback (or the data in the JSON array) into an XSS vector. In some cases it’s possible to spoof the content type via the extension (IE only) –

3. Advanced vector: “rosetta flash”

Just read this blog post – In two words: an attacker can bypass the SOP using JSONP and Flash (a specially crafted SWF file without any special symbols). Fixed in the latest Flash plugin versions.

4. ?

And… the subject of this post: RCE in any IE version.
If Internet Explorer (IE) sees one of the following content types in the response:
  • text/javascript
  • application/javascript
  • application/x-javascript

upd: application/json doesn’t work // cc

(and probably some others), it offers to save or open the file as a Windows Script Host .js file, regardless of the extension of the file in the request.
If the user clicks the “Open” button and then clicks “Confirm” twice (as with a typical .exe file), the file is executed.

Via the callback we can make the trusted domain produce this file with any content we like. Example: “WScript.Shell”).Exec(“calc”)//

[Screenshot 2015-01-24 at 19.46.19]
Open this link in IE and click the Open button twice – the calc window appears.
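For the server side, the fix is to never reflect an arbitrary callback. The following is an added example (not the blog author's code) of a JSONP responder that accepts only a plain JavaScript identifier as the callback, so the quotes, parentheses and “//” needed for the trick above can never appear in the response; it also prefixes the body with an empty comment against “rosetta flash” and sends nosniff. The callback name apiStatus is taken from the page; all other names are assumptions.

```python
import json
import re

# Added example, not the blog's code: only a plain (dotted) JS identifier is
# accepted as the callback, so quotes, parentheses and "//" never reach the body.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$")
MAX_CALLBACK_LEN = 64


def is_safe_callback(callback):
    """True only for names like apiStatus or app.handlers.status."""
    return (
        isinstance(callback, str)
        and 0 < len(callback) <= MAX_CALLBACK_LEN
        and CALLBACK_RE.match(callback) is not None
    )


def jsonp_response(callback, data):
    """Build a JSONP reply as (status, headers, body).

    The body starts with an empty comment so it cannot double as a Flash file
    (the "rosetta flash" mitigation), and the headers pin the content type so
    the browser does not sniff it into something else.
    """
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    if not is_safe_callback(callback):
        # Reject instead of reflecting: the offending value never reaches the body.
        headers["Content-Type"] = "application/json; charset=utf-8"
        return 400, headers, json.dumps({"error": "invalid callback"})
    # ensure_ascii (the default) escapes every non-ASCII character, including
    # U+2028/U+2029, so user data cannot break out of the JavaScript literal.
    payload = json.dumps(data, separators=(",", ":"))
    return 200, headers, "/**/%s(%s);" % (callback, payload)


if __name__ == "__main__":
    # Constructed sample requests: the page's benign callback and its RCE one.
    for cb in ("apiStatus", 'new ActiveXObject("WScript.Shell").Exec("calc")//'):
        status, _, body = jsonp_response(cb, {"status": "ok"})
        print(status, body)
```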

UPD: Before publishing this post I tried to find the same technique on Google, but found nothing. Today Denis wrote to me and gave me this link – So, it isn’t new 🙂


January 24th, 2015

Posted In: tricks