Cross Browser Scripting Demo (with remote command execution)
CAT'S OUT OF THE BAG... http://larholm.com/2007/07/10/internet-explorer-0day-exploit/
Remote Command Execution here (cmd.exe is launched)
Note - Netscape Navigator is also vulnerable via the navigatorurl: URI.
To protect yourself, unregister the firefoxurl URI handler, or simply install NoScript. NoScript users have been protected against all these exploits since June 22nd!
In addition to these vulnerabilities, NoScript protects against other chrome-based privilege escalation and against javascript: URLs being loaded in externally opened browser shells.
This is a simple demo of Cross Browser Scripting through the use of registered URIs.
When Firefox 2 is installed, it registers the "firefoxurl" URI in the Windows Registry.
This allows applications which render HTML (like Internet Explorer) to spawn an instance of Firefox.
The danger arises when parameters that are part of the firefoxurl: URI are passed directly to Firefox.exe as options, without validation.
By using the firefoxurl URI, it is possible to use Internet Explorer (or other Windows-based browsers) to launch Firefox and immediately run JavaScript code.
It is also possible to create a user profile, load arbitrary Firefox options, and install global extensions, all without user consent.
Attacks using the firefoxurl URI will probably be initiated through the use of XSS or CSRF.
Although these examples are very simple, other, more malicious attacks can probably be initiated.
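The root cause described above, modelled as an added example (not code from the original page or from Mozilla): a handler command template receives the URL in place of "%1" without validation, and a check flags URLs that would reach the target program as more than one argument. The template, the demourl: scheme, the option names and the simplified argument splitter are all assumptions made for illustration.

```python
# Added example: models "%1" expansion in a URI handler command template.
# TEMPLATE and the demourl: URLs are constructed, not real registry values.
TEMPLATE = r'"C:\Apps\viewer.exe" -url "%1"'

def split_args(cmdline):
    """Simplified Windows-style split: whitespace separates arguments,
    double quotes group them (backslash escapes are not modelled)."""
    args, cur, in_quotes, started = [], "", False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch.isspace() and not in_quotes:
            if started:
                args.append(cur)
            cur, started = "", False
        else:
            cur, started = cur + ch, True
    if started:
        args.append(cur)
    return args

def expand(template, url):
    """Paste the URL into the template unmodified (the unvalidated hand-off)."""
    return template.replace("%1", url)

def smuggles_arguments(template, url):
    """True if the URL does not arrive as exactly one final argument.
    Assumes "%1" is the last argument of the template."""
    fixed = split_args(expand(template, "x"))[:-1]
    return split_args(expand(template, url)) != fixed + [url]

def neutralise(url):
    """Percent-encode the characters that can end the quoted argument."""
    return "".join("%%%02X" % ord(c) if c == '"' or c.isspace() else c
                   for c in url)

if __name__ == "__main__":
    benign = "demourl:page?id=1"
    hostile = 'demourl:page" -extra-option "value'  # constructed input
    for url in (benign, hostile, neutralise(hostile)):
        print(smuggles_arguments(TEMPLATE, url),
              split_args(expand(TEMPLATE, url)))
```

The same check can be run over the command templates of every registered URL protocol handler to find ones that forward "%1" to a program that treats later arguments as options.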
A demonstration of each vulnerability is given below. The user must have both IE and Firefox installed. Although there are several ways to initiate this vulnerability, this particular example can be launched by doing the following:
1 - Close all Firefox browser windows
2 - Browse to this page with Internet Explorer and click one of the demonstration links
3 - Enjoy
4 - Close all Firefox windows before clicking on the next link
====================================================================
Command Execution here (cmd.exe is launched)
Universal XSS (Cross Browser Scripting) here
Creates a Profile named Xssniper on the local machine here (Take a look at your Firefox profiles after clicking this link!)
Load Local Content here (test.txt must exist on your local file system at c:\)
Load console here
Load JSConsole here
Safe Mode here
Install Global Extension here (The appropriate XPI file must exist)
====================================================================
Other Cross Application Scripting / URI Vulnerabilities (with remote command execution)
Trillian/AIM 0-day here