
Page 1: Playing with IE11 ActiveX 0days

Power Of Community (powerofcommunity.net/poc2017/james.pdf)

Page 2: About Me

• James Lee

• Math geek

• Passionate about security vulnerability research

Page 3: Agenda

• The ways to render HTML in Internet Explorer 11

• IE11 information disclosure and content spoofing

• HTML Help viewer

• Local file detection and top frame issue

Page 4: The ways to render HTML in IE11

• IFRAME, OBJECT and even an EMBED tag

• implementation.createDocument, implementation.createHTMLDocument and XMLHttpRequest

• ActiveXObject

Page 5: The ways to render HTML in IE11

• implementation.createDocument, implementation.createHTMLDocument and XMLHttpRequest return a document object rather than text/xml

• These documents have their limitations: they lack methods such as window.open, among others

• ActiveXObject has limitations as well, but it is capable of running scripts

Page 6: The ways to render HTML in IE11

• You can logically render invisible scripts by instantiating an htmlFile with ActiveXObject:

• test = new ActiveXObject("htmlFile");

• This ActiveXObject returns a reference to its document object

Page 7: IE11 Information disclosure and Content spoofing

• Local file detection issue

• 16 == RT_VERSION (Source: https://msdn.microsoft.com/en-us/library/windows/desktop/ms648009(v=vs.85).aspx )

• 16"\\"e0 == 16e0 == 16*e^0 == 16

Page 8: IE11 Information disclosure and Content spoofing

• Create an htmlFile from an IFRAME

• Destroy the contents of the IFRAME while keeping wut1 alive (we hold a reference to it outside the IFRAME itself)

Page 9: IE11 Information disclosure and Content spoofing

• Create a new htmlFile inside the previous one

• Create another htmlFile from an IFRAME

• Done: its window.open method can't be seen

• Now we can throw pop-ups with no restrictions while the user is navigating on any site

Page 10: IE11 Information disclosure and Content spoofing

Page 11: IE11 Information disclosure and Content spoofing

Page 12: HTML Help viewer

• The HTML Help executable has an embedded IE11 feature

• hh.exe http://temporarygc.blogspot.co.uk

Page 13: HTML Help viewer

• iexplore.exe inside hh.exe runs at Medium Integrity Level

• So basically you are dealing with a Medium IL Internet Explorer while browsing an Internet Zone site

• ActiveX controls via HTML?
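As a defender-side illustration of the hh.exe behaviour above (added here, not from the talk), a small Python detector that flags hh.exe process launches whose command line carries a remote http/https URL instead of a local .chm file; the log format and records are constructed, not real telemetry.

```python
import re
from typing import Dict, List

# Constructed sample process-creation records (not real telemetry):
# "<pid>|<image path>|<command line>", one record per line.
SAMPLE_LOG = """\
4120|C:\\Windows\\hh.exe|hh.exe C:\\Program Files\\Tool\\help.chm
4188|C:\\Windows\\hh.exe|"C:\\Windows\\hh.exe" http://example.invalid/page.html
4201|C:\\Windows\\System32\\notepad.exe|notepad.exe notes.txt
4233|C:\\Windows\\hh.exe|hh.exe HTTPS://example.invalid/a/b
4250|C:\\Windows\\hh.exe|hh.exe mk:@MSITStore:C:\\docs\\x.chm::/start.htm
"""

# Remote schemes that make hh.exe render web content in its embedded IE.
REMOTE_URL = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)


def parse_record(line: str) -> Dict[str, str]:
    # Split the constructed "pid|image|cmdline" format (cmdline may contain '|').
    pid, image, cmdline = line.split("|", 2)
    return {"pid": pid, "image": image, "cmdline": cmdline}


def cmdline_args(cmdline: str) -> List[str]:
    # Tokenise a Windows command line: quoted strings stay whole, quotes are
    # stripped, and argv[0] (the program itself) is dropped.
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    return [t.strip('"') for t in tokens[1:]]


def remote_hh_launches(log_text: str) -> List[Dict[str, str]]:
    # Return every hh.exe launch whose arguments include a remote URL.
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        image_name = rec["image"].lower().rsplit("\\", 1)[-1]
        if image_name != "hh.exe":
            continue
        urls = [a for a in cmdline_args(rec["cmdline"]) if REMOTE_URL.match(a)]
        if urls:
            rec["url"] = urls[0]
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in remote_hh_launches(SAMPLE_LOG):
        print(f"pid {hit['pid']}: hh.exe opened remote URL {hit['url']}")
```

Local .chm paths and mk:@MSITStore: references are left alone, so only the web-rendering case the slides describe is surfaced.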

Page 14: HTML Help viewer

• Well, it turns out ActiveX/COM controls are restricted because of another Device Guard UMCI bypass discovery (Source: https://msitpros.com/?p=3909)

• So you will get this error when you instantiate WScript.Shell

Page 15: Local file detection

• It's quite easy to bypass the MSHTML restriction

• I used an mp3 player to detect the file presence

Page 16: Local file detection

• You can change param.url to the file you want to detect

• But you will get a prompt before the detection

Page 17: Local file detection

• I used the invalid mp3 file name "CONIN$.mp3" to bypass the prompt

Page 18: Local file detection

Page 19: Local file detection

• Using an IFRAME, you can detect the file without user interaction

Page 20: CVE-2017-11768

Page 21: Windows UI Spoofing + Executing Arbitrary Protocol?

• Using an ActiveX mp3 player you can spoof the full screen

• Imagine your Windows UI screen being spoofed while something goes on silently behind it

Page 22: Windows UI Spoofing + Executing Arbitrary Protocol?

Page 23: About URI scheme Top frame issue

• The about: URI scheme provides a similar (though more limited) facility to the data: URI scheme

• iexplore.exe in hh.exe thinks it's the top when you run ActiveXObject via the about: URI scheme

Page 24: Passing a reference to the top

• We have an iframe pointing to the about: URI scheme which can access this top window DOM, bypassing the same-origin policy (SOP)

• If we run it against the top window, no matter how deeply framed we are, IE thinks the main window was opened with scripting and allows us to close it without confirmation

• But we need to block the IFRAME thread so IE does not get a chance to destroy our reference

Page 25: Passing a reference to the top

• We can simply use alert to prevent IE from destroying the ActiveXObject

• We use a setTimeout to execute the blocking alert, because if we call alert directly in the iframe it blocks the UI and nothing below it executes

• Now we can freely access this blank window from our domainless htmlFile (SOP bypass/UXSS)

Page 26: Passing a reference to the top

• Our script will always be with you, even after iexplore.exe is closed without confirmation

Page 27: Passing a reference to the top

Page 28: Q&A

Page 29: Thanks!