Today I want to revive my blog and share a small and very simple (and new?) trick: how to get RCE on the client side via JSONP in IE (any version). This technique resembles the “reflected file download” attack from last BlackHat.

JSONP is JSON data with «padding»: a callback function that lets the client side work with the received data. It is usually needed when we have two domains and, because of the SOP, we can’t read a response from domain B while sending the request from domain A.
A typical example:
<!-- Request sent via a script tag -->
<script src="https://status.github.com/api/status.json?callback=apiStatus"></script>
<!-- Data received as an execution of the predefined function. -->
<script> function apiStatus(data) { console.log(data.status); } </script>
What do we know about JSONP threats?
  1. JSONP leaks
  2. XSS via JSON / JSONP callbacks
  3. Advanced vector: “rosetta flash”
  4. ?

1. JSONP leaks

When the server side returns sensitive data (e.g. based on the user’s cookies) and doesn’t check the source of the request, an attacker can steal this data. A typical example is my report on H1 (CloudFlare) – https://hackerone.com/reports/10841.

2. XSS via JSON / JSONP callbacks

When the JSON(P) response has a wrong content type such as “text/html”, an attacker can probably turn the callback (or the data in the JSON array) into an XSS vector. In some cases it’s possible to spoof the content type via the file extension (IE only) – https://www.superevr.com/blog/2012/exploiting-xss-in-ajax-web-applications

3. Advanced vector: “rosetta flash”

Just read this blog post – https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/. In two words: an attacker can bypass the SOP using JSONP and Flash (a specially crafted SWF file that contains no special characters, so it survives being reflected as a callback name). Fixed in the latest Flash plugin versions.

4. ?

And now the subject of this post: RCE in any IE version.
If Internet Explorer (IE) sees one of the following content types in the response:
  • text/javascript
  • application/javascript
  • application/x-javascript

upd: application/json doesn’t work // cc https://twitter.com/maxon3/status/559050462540754944

(and probably some others), then it offers to save or open the file as a Windows Script Host script (and this does not depend on the extension of the file in the request).
If the user clicks the “Open” button and then “Confirm” and “Confirm” again (just as with a typical .exe file), the file executes.

Via the callback parameter we can give this file any content we like, and it is served from a trusted domain. Example:

http://cs.microsoft.com/getid.js?jsoncb=new%20ActiveXObject("WScript.Shell").Exec("calc")//

[Screenshot 2015-01-24 at 19.46.19]
Open this link in IE and click the Open button twice: the calc window appears.
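The callback-reflection problem behind threats 1, 2 and 4 (and the “/**/” prefix that addresses threat 3) is easier to see in code. The following Node.js example is added here and is not from the original post or from any real endpoint: the parameter name jsoncb is taken from the example URL above, while the session store, the allowed-origin list and the evil.example referrer are constructed assumptions. It shows a vulnerable handler that reflects the callback verbatim beside a hardened one, both written as plain functions over a request object so they can be run without a browser.

```javascript
// Added example (not from the original post): a minimal JSONP endpoint in two
// versions, vulnerable and hardened, modelled as pure functions over a request
// object ({ query, headers, cookie }) so the behaviour can be checked offline.
// The "jsoncb" parameter name comes from the post's example URL; the session
// store, allowed origins and the attacker's referrer below are constructed.

// Constructed "session store": cookie value -> sensitive per-user data.
const SESSIONS = { "sid=abc123": { user: "alice", email: "alice@example.com" } };

// Pages that are allowed to embed this endpoint via <script>.
const ALLOWED_ORIGINS = ["https://www.example.com"];

// Vulnerable handler: reflects the callback verbatim and returns cookie-bound
// data to any requester. This is the pattern behind threats 1, 2 and 4 in the
// post: the attacker controls the body of a text/javascript file that is
// served from a trusted domain.
function vulnerableJsonp(req) {
  const data = SESSIONS[req.cookie] || { user: null };
  const cb = req.query.jsoncb || "callback";
  return {
    status: 200,
    headers: { "Content-Type": "text/javascript" },
    body: cb + "(" + JSON.stringify(data) + ");",
  };
}

// A safe callback is a plain (optionally dotted) JS identifier: nothing the
// attacker supplies can add quotes, parentheses, spaces or comments.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isValidCallback(name) {
  return typeof name === "string" && name.length <= 64 && CALLBACK_RE.test(name);
}

// Origin of a Referer/Origin header value, or null if absent or unparsable.
function referrerOrigin(value) {
  if (!value) return null;
  try { return new URL(value).origin; } catch (e) { return null; }
}

// Hardened handler:
//  * rejects callbacks that are not identifiers (threats 2 and 4);
//  * only returns cookie-bound data when the Referer/Origin is an allowed
//    page, since any site can make a JSONP <script> request (threat 1);
//  * prefixes the body with "/**/" so the response cannot start with an
//    attacker-chosen byte sequence (the mitigation applied after Rosetta
//    Flash, threat 3);
//  * sets X-Content-Type-Options: nosniff.
function hardenedJsonp(req) {
  const cb = req.query.jsoncb || "callback";
  if (!isValidCallback(cb)) {
    return { status: 400, headers: { "Content-Type": "text/plain" }, body: "bad callback" };
  }
  const origin = referrerOrigin(req.headers.referer || req.headers.origin);
  const data = ALLOWED_ORIGINS.includes(origin) && SESSIONS[req.cookie]
    ? SESSIONS[req.cookie]
    : { user: null };
  return {
    status: 200,
    headers: {
      "Content-Type": "text/javascript; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
    },
    body: "/**/" + cb + "(" + JSON.stringify(data) + ");",
  };
}

// Constructed attacker request, mirroring the post's example URL: the
// "callback" is JScript that would run under Windows Script Host if the
// downloaded file were opened. The referrer is the attacker's page.
const attackerReq = {
  query: { jsoncb: 'new ActiveXObject("WScript.Shell").Exec("calc")//' },
  headers: { referer: "https://evil.example/" },
  cookie: "sid=abc123",
};

console.log("vulnerable:", vulnerableJsonp(attackerReq).body);
console.log("hardened:  ", hardenedJsonp(attackerReq).status, hardenedJsonp(attackerReq).body);
```

Run it with node and compare the two outputs for the attacker request: the vulnerable body is a text/javascript file whose first statement is the attacker’s JScript, which is exactly what IE offers to “open”, while the hardened handler refuses the callback outright. The Referer check is only a minimum, since the header can be absent or stripped; sensitive per-user data is better served with CORS and an Origin allowlist than with JSONP at all.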


Video

UPD: Before publishing this post I tried to find the same technique on Google, but found nothing. Today Denis wrote to me and gave me this link – https://twitter.com/dnkolegov/status/531737522872012800. So it isn’t new 🙂


January 24th, 2015

Posted In: tricks