Mhtml MSIE Exploitation Framework
Trev built a test utility based off of the mhtml vulnerability the other day and I just got to thinking. It would be far more useful if this were built more as a framework instead of being just a stand alone file on a server somewhere. So, I went ahead and built one. You still need to call it from the server (not from a remote server) so to exploit this remotely you’d have to call an iframe to an html file (sample included) that instantiates the exploitation using the CGI script I included.
Clear as mud? Download it here. The CGI is pretty easy to read; the only trick is that it has to call itself three different times - once to get the JavaScript framework and twice more for the redirection. Using this makes exploitation of the MSIE mhtml vulnerability far easier. It still requires that you have CGI access on some site somewhere, and it also allows for a pretty serious redirection hole (I built optional restrictions into it if you like, but I turned them off by default).
For those of you who aren’t aware of what the mhtml bug is, it allows an attacker to force your browser to any other site (through redirection), and using the mhtml protocol with a redirection it allows the attacker to read the page as your browser would - complete cross-domain leakage in MSIE 6.0 and 7.0 (due to a plugin with Outlook). Hopefully this is a good demonstration of how dangerous this bug is, because I think it’s been mostly conceptual up to this point. Thanks again to Trev for his demonstration - he definitely did the bulk of the work that this is based off of.



February 2nd, 2007 at 7:09 am
I was having difficulty getting your script to run. My IE 6 browser was having difficulty getting past the following line:
request = new XMLHttpRequest();
After reading up on creating a new XML Http Request object, I saw that this method is for Safari and Mozilla browsers. (http://www.jibbering.com/2002/4/httprequest.html)
Hope this helps anyone else that runs into this problem.
Perhaps you can explain why this line is needed, if the script only works in IE?
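The object-creation problem the comment above runs into comes down to a browser difference: IE 7 exposes a native XMLHttpRequest constructor, while IE 6 only offers the same functionality through an ActiveX control, so a bare `new XMLHttpRequest()` works in one and throws in the other. The following is an added example of a feature-detecting factory that handles both; it is not code from the framework in the post or from the commenter. The `globalObj` parameter is an assumption made so the selection logic can run outside a browser (in a page you would pass `window`), and the list of MSXML ProgIDs is the usual set, tried newest first.

```javascript
// Added example: cross-browser XMLHttpRequest factory (not from the original framework).
// globalObj is injected (hypothetical parameter) so the branch logic is testable offline;
// in a browser, call createXhr(window).
function createXhr(globalObj) {
  // Standards path: Mozilla, Safari, Opera and IE 7+ expose a native constructor.
  if (typeof globalObj.XMLHttpRequest !== "undefined") {
    return { kind: "native", xhr: new globalObj.XMLHttpRequest() };
  }

  // IE 5/6 path: XMLHTTP exists only as an ActiveX control, and the ProgID depends on
  // which MSXML version is installed, so probe from newest to oldest.
  if (typeof globalObj.ActiveXObject !== "undefined") {
    var progIds = [
      "Msxml2.XMLHTTP.6.0",
      "Msxml2.XMLHTTP.3.0",
      "Msxml2.XMLHTTP",
      "Microsoft.XMLHTTP"
    ];
    for (var i = 0; i < progIds.length; i++) {
      try {
        return { kind: progIds[i], xhr: new globalObj.ActiveXObject(progIds[i]) };
      } catch (e) {
        // This ProgID is not registered on this machine; try the next one.
      }
    }
  }

  // Neither mechanism is available: the caller must degrade gracefully.
  return null;
}

// Convenience wrapper mirroring how a page script would use it. Returns the
// object or throws a descriptive error instead of the opaque one IE 6 produces
// on a bare `new XMLHttpRequest()`.
function requireXhr(globalObj) {
  var result = createXhr(globalObj);
  if (result === null) {
    throw new Error("No XMLHttpRequest implementation available in this browser");
  }
  return result.xhr;
}
```

The try/catch around each ProgID matters: `new ActiveXObject(...)` throws when the control is not registered rather than returning undefined, so a loop without it would abort on the first miss even when an older MSXML is present.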