Playing with IE11 ActiveX 0days About Me • James Lee • Math geek • Passionate about Security vulnerability research Agenda • The ways to render HTML in Internet Explorer 11 • IE11 Information disclosure and Content spoofing • HTML Help viewer • Local file detection and Top frame issue The ways to render HTML in IE11 • IFRAME, OBJECT and even an EMBED tag. • implementation.createDocument, implementation.createHTMLDocument and XMLHttpRequest • ActiveXObject The ways to render HTML in IE11 • implementation.createDocument, implementation.createHTMLDocument and XMLHttpRequest return a document object instead of text/xml • These documents have their limitations, they miss methods like window.open and more • ActiveXObject has limitations also, but it's capable of running scripts. The ways to render HTML in IE11 • You can logically render invisible scripts by instantiating an htmlFile with ActiveXObject. • test = new ActiveXObject("htmlFile"); • This ActiveXObject returns a reference to its document object. IE11 Information disclosure and Content spoofing • Local file detection issue • 16 == RT_VERSION (Source: https://msdn.microsoft.com/en- us/library/windows/desktop/ms648009(v=vs.85).aspx ) • 16”\\”e0 == 16e0 == 16*e^0 == 16 IE11 Information disclosure and Content spoofing • Create a htmlFile from an IFRAME • Destroy the contents of the IFRAME, while keeping wut1 alive, (because we have a reference to it outside the IFRAME itself) IE11 Information disclosure and Content spoofing • Create a new htmlFile inside the previous one • Create another htmlFile from an IFRAME • Done, its window.open method can't be seen • Now we can throw Pop-ups with no restrictions while the user is navigating on any site IE11 Information disclosure and Content spoofing IE11 Information disclosure and Content spoofing HTML Help viewer • HTML Help Executable has an embedded IE11 feature • hh.exe http://temporarygc.blogspot.co.uk HTML Help viewer • iexplore.exe inside hh.exe runs as Medium Integrity Level • So basically you are dealing with the Medium IL Internet Explorer while you are browsing an Internet Zone. • ActiveX controls via HTML? HTML Help viewer • Well it turns out ActiveX/COM controls are restricted due to other Device guard UMCI bypass discovery (Source: https:// msitpros.com/?p=3909) • So you will get this error when you instantiate WScript.Shell Local file detection • It’s quite easy to bypass MSHTML restriction • I used a mp3 player to detect the file presence Local file detection • You can change param.url to your desired file to detect. • But you will get a prompt before the detection. Local file detection • I used invalid mp3 file name “CONIN$.mp3” to bypass the prompt Local file detection Local file detection • Using an IFRAME, you can detect the file without user interaction CVE-2017-11768 Windows UI Spoofing + Executing Arbitrary Protocol? • Using an ActiveX mp3 player you can spoof the full screen • Imagine if your Windows UI screen is spoofed and something is going on silently behind the screen Windows UI Spoofing + Executing Arbitrary Protocol? About URI scheme Top frame issue • about: URI scheme provides a similar (though more limited) facility to the data: URI scheme • iexplore.exe in hh.exe thinks it’s the top when you run ActiveXObject via about: URI scheme Passing a reference to the top • We have an iframe pointing to about: URI scheme which can access this top window DOM bypassing the SOP policy. • If we run it against the top window NO matter how deeply framed we are, IE thinks the main window was opened with scripting and it allows us to close it without confirmations. • But we need to block the IFRAME thread so IE does not have a chance to destroy our reference Passing a reference to the top • We can simply use alert to prevent IE from destroying the ActiveXObject. • We are using a setTimeout to execute the blocking alert. That’s because if we do the alert directly on the iframe, it will block the UI and not execute what’s coming below. • Now we can freely access this blank from our domainless htmlFile. (SOP bypass/UXSS) Passing a reference to the top • Our script will always be with you even after iexplore.exe is closed without confirmations. Passing a reference to the top Q&A Thanks!.