Today I want to revive my blog and share a small, very simple (and new?) trick: how to get RCE on the client side via JSONP in IE (any version). This technique resembles the “reflected file download” attack presented at the last BlackHat.

JSONP (JSON with «padding») is JSON data wrapped in a call to a callback function, which lets client-side code work with the received data. It is usually needed when we have two domains and, because of SOP, we can’t read the response from domain B while sending the request from domain A.
A typical example:
What do we know about JSONP threats?
  1. JSONP leaks
  2. XSS via JSON / JSONP callbacks
  3. Advanced vector: “rosetta flash”
  4. ?

1. JSONP leaks

When the server side returns sensitive data (e.g. based on the user’s cookies) and doesn’t check the source of the request, an attacker can steal this data. A typical example is my report on H1 (CloudFlare) – https://hackerone.com/reports/10841.

2. XSS via JSON / JSONP callbacks

When a JSON(P) response has a wrong content type such as “text/html”, an attacker can probably turn the callback (or the data in the JSON array) into an XSS vector. In some cases it’s possible to spoof the content type via the file extension (IE only) – https://www.superevr.com/blog/2012/exploiting-xss-in-ajax-web-applications

3. Advanced vector: “rosetta flash”

Just read this blog post – https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/. In two words: an attacker can bypass SOP using JSONP and Flash (a specially crafted SWF file without any special symbols). Fixed in the latest Flash plugin versions.

4. ?

And… the subject of this post: RCE in any IE version.
If Internet Explorer (IE) sees one of the following content types in the response:
  • text/javascript
  • application/javascript
  • application/x-javascript

upd: application/json doesn’t work // cc https://twitter.com/maxon3/status/559050462540754944

(and probably some others), then it tries to save or execute the file as a Windows Script Host (.js) file, regardless of the file extension in the request.
If the user chooses the “Open” button and then clicks “confirm” and “confirm” again (as with a typical exe file), the file is executed.

Via the callback we can create this file with any content, served from a trusted domain. Example:

http://cs.microsoft.com/getid.js?jsoncb=new%20ActiveXObject(“WScript.Shell”).Exec(“calc”)//

(Screenshot, 2015-01-24 19.46.19)
Open this link in IE and click the open button twice – the calc window appears.
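The root cause on the server side is the same for the XSS, Rosetta Flash and IE cases above: the callback parameter is reflected into the response body without restriction. The following is an added example (not code from the original post or from any of the sites mentioned) of a JSONP response builder in Python that enforces a strict callback policy. The policy itself (identifier-only names, optionally dotted, at most 64 characters), the `/**/` prefix (the mitigation deployed against Rosetta Flash) and the `nosniff` header are assumptions of this example; the sample data is constructed. It also shows the typical `callback({...})` shape of a JSONP body.

```python
import json
import re
from typing import Dict, Tuple

# Policy (assumption for this example): a callback may only be a JavaScript
# identifier, optionally dotted (e.g. "jQuery.cb_1"), and at most 64 characters.
# Parentheses, quotes, operators and comment markers are all rejected, so the
# reflected parameter can never smuggle a statement into the response body.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$")
MAX_CALLBACK_LEN = 64


def is_valid_callback(name: str) -> bool:
    """Return True only for callback names allowed by the policy above."""
    return bool(name) and len(name) <= MAX_CALLBACK_LEN and CALLBACK_RE.match(name) is not None


def build_jsonp_response(callback: str, data: Dict) -> Tuple[int, Dict[str, str], str]:
    """Build (status, headers, body) for a JSONP endpoint.

    A rejected callback is never echoed back: the endpoint answers with plain
    JSON and status 400 instead of reflecting attacker-controlled text.
    """
    if not is_valid_callback(callback):
        headers = {
            "Content-Type": "application/json; charset=utf-8",
            "X-Content-Type-Options": "nosniff",
        }
        return 400, headers, json.dumps({"error": "invalid callback"})

    # json.dumps escapes quotes and, with ensure_ascii=True (the default), also
    # U+2028/U+2029, so the data itself cannot break out of the call expression.
    payload = json.dumps(data)
    # The leading comment is the mitigation deployed against Rosetta Flash: the
    # body stays valid JavaScript but can no longer begin with bytes chosen by
    # the attacker through the callback (such as a SWF header).
    body = "/**/" + callback + "(" + payload + ");"
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        # Tell the browser not to reinterpret the response as another type.
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, body


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    sample = {"ID": "constructed-id", "CS": "3"}
    print(build_jsonp_response("jsoncb", sample))
    # The callback value from the post above is rejected before it reaches the body.
    print(build_jsonp_response('new ActiveXObject("WScript.Shell").Exec("calc")//', sample))
```

With this policy the only attacker influence left on the body is the choice among valid identifiers, which is not enough to form a statement that IE would run as a script host file or to build an SWF header.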


Video

UPD: Before publishing this post I tried to find the same technique on Google, but found nothing. Today Denis wrote to me and gave this link – https://twitter.com/dnkolegov/status/531737522872012800. So, it isn’t new 🙂


January 24th, 2015

Posted In: tricks

  • Oleg Neumyvakin

    Can’t reproduce in IE 11.0.9600.1751

    • sergeybelove

      Thanks for reply. Any details?

      • Oleg Neumyvakin

        Well, as in your video I’ve seen two confirmation dialogs, and finally a Notepad window opens with the following content:

        new ActiveXObject("WScript.Shell").Exec("calc")//({“ID”:”583836c82370ac4c85dbaea3e4b6b5b6″,”CS”:”3″,”LV”:”201501″,”V”:”1″})