Friday, November 14, 2008

SOP Bypass and CSRF via Macro

A co-worker and I have been working diligently on a CSRF exploit via a macro written in VBA. The site we have been working on allows users to send Excel files back and forth. My co-worker found there is this nice little VB object called InternetExplorer.Application that basically allows you to invoke an instance of IE from a macro. The "InternetExplorer" ActiveX control gives the attacker full access not only to the persisted cookies, but also to the session/temporary cookies that exist in all currently open instances of IE. Note that the "same origin policy" *does not* apply: we can grab the DOM (including persisted and session cookies) of any site/origin.


One example we did to prove this was to log in to a site with remember-me disabled. We then ran the script, which showed all of my cookies at various domains, including the previously mentioned site, which only had session cookies. Note that the InternetExplorer ActiveX control respects the HttpOnly flag.
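Since the InternetExplorer object honours HttpOnly, the practical server-side check is which of a site's cookies lack that flag. This is an added example, not the authors' code: it parses Set-Cookie headers (the sample values are constructed) and reports which cookies a document.cookie read would expose, separating session cookies from persisted ones as the post does.

```python
# Added example (not from the original post): which Set-Cookie headers leave a cookie
# readable through document.cookie, which is what the IE automation object exposes.
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)

    @property
    def http_only(self) -> bool:
        return "httponly" in self.attrs

    @property
    def persisted(self) -> bool:
        # Expires or Max-Age means the cookie is written to disk; otherwise it is a session cookie.
        return "expires" in self.attrs or "max-age" in self.attrs


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value; attribute names are lower-cased for lookup."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value, attrs)


def script_readable(headers: list[str]) -> list[str]:
    """Names of cookies that a document.cookie read would reveal (no HttpOnly flag)."""
    return [c.name for c in map(parse_set_cookie, headers) if not c.http_only]


# Constructed sample response headers, not taken from any real site.
SAMPLE_HEADERS = [
    "JSESSIONID=3F2504E0; Path=/; Secure; HttpOnly",
    "CSRFToken=a1b2c3d4; Path=/",
    "rememberme=0x1f; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Path=/",
]

if __name__ == "__main__":
    for c in map(parse_set_cookie, SAMPLE_HEADERS):
        kind = "persisted" if c.persisted else "session"
        state = "protected by HttpOnly" if c.http_only else "READABLE via document.cookie"
        print(f"{c.name:12} {kind:9} {state}")
```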


Our Proof of Concept macro will recursively iterate through all your IE Favorites, request each one, and display the cookies currently available for it. If you happen to be logged in to that site via IE, an authenticated cookie will be displayed in a popup box. We all know what this means: once we create this new IE.App object we can utilize any authenticated sessions a user may have open and send requests on behalf of the user. This IE.App object does not behave like the IE browser does. If you open two instances of your IE browser, they will not share session cookies between them because of Same Origin Policy (SOP) restrictions. Invoking the IE.App object bypasses any SOP security settings. The code is pretty straightforward and is simplified below:


{pseudocode}

' Requires a reference to "Microsoft Internet Controls" (shdocvw) for the InternetExplorer type
Dim ie As InternetExplorer
Set ie = New InternetExplorer

' iterate() and readFile() stand for the Favorites walk and the shortcut parsing,
' left abstract here as in the original synopsis
Files = iterate(Favorites dir)

For Each file In Files
    url = readFile(file)

    ' Navigate is a method, not a property
    ie.Navigate url

    ' Yield while the page loads instead of spinning
    Do Until ie.ReadyState = READYSTATE_COMPLETE
        DoEvents
    Loop

    ' Now we get the cookie
    MsgBox ie.Document.cookie
Next file

{/pseudocode}


Obviously the code in is a much better PoC (bigger, faster, stronger), but the above is a quick synopsis. In order to have this code run, the victim must either be tricked into opening a malicious Excel/PowerPoint/Word document or have really low browser security settings and visit a site that has VBScript which tries to instantiate the object within the browser (this is THE WORST situation, but also pretty unlikely).


The general risk of this issue seems pretty low although it is definitely a way around any form of CSRF protection since we could potentially parse the DOM and send any CSRFToken with the request.

We understand a macro is basically unmanaged VBScript code and can do anything on the user's system for which they are authorized, but the fact that the InternetExplorer ActiveX control allows seeing all current session cookies is a bit scary.


We thought about disclosing this to Microsoft and may still do so, but since it is unmanaged code they will probably turn their heads. If anyone has any thoughts I would love to hear them.

