More than twenty days ago, the first PoC for CVE-2015-0072 was released and, as of 22 February 2015, it still affects Internet Explorer 10 and 11 on both Windows 7 and Windows 8.1.
Today I had some free hours and decided to better understand the exploit and to create a PoC myself.
- Choose the target website (e.g. http://target.com/).
- Create an iframe (if0) whose source is the target website.
- Create an iframe (if1) whose source is a page on your own domain that redirects to the target website after some delay (say 2 seconds).
The first PoC implements the blocking operation with the confirm function (which requires user interaction) and modifies the content of the target webpage (a defacement effect). The second, advanced PoC uses a synchronous HTTP GET as the delay and steals the cookies of the target website.
MULTIPLE TARGETS PoC
To get my hands dirty, I decided to evolve the advanced PoC by allowing the attacker to retrieve the cookies from multiple target websites sequentially. The source code is available at the "My PoC" link below.
The idea is to wrap the exploit in its own iframe: when loaded, it creates if0 and if1 for one target site. By adding one exploit iframe per target, an attacker can retrieve the cookies from multiple domains.
Of course the process is highly inefficient: the total time is n * t, where n is the number of targeted sites and t the execution delay of a single exploit (5 seconds in this example). However, if the iframes are loaded after the page content, it is possible to run the exploits in the "background": the user sees the attacker's page content while the iframes do their work.
The major mitigation against CVE-2015-0072 is to send the HTTP response header X-Frame-Options: DENY, which prevents the target page from being loaded in if0/if1 in the first place. However, as explained in the defence analysis linked below, it does not by itself protect the website's cookies from being read. The remaining mitigations are to set the HttpOnly flag on the session cookie, so that script cannot read it through document.cookie, and to invalidate the session when the client IP address changes, so that a stolen cookie cannot be replayed from the attacker's machine. Note that HttpOnly only blocks reading the cookie: script that ends up running in the target's origin can still issue requests that carry it.
- First PoC: http://www.deusen.co.uk/items/insider3show.3362009741042107/
- Advanced PoC: http://packetstormsecurity.com/files/130308/Microsoft-Internet-Explorer-Universal-XSS-Proof-Of-Concept.html
- Defence analysis: http://sijmen.ruwhof.net/weblog/427-mitigations-against-critical-universal-cross-site-scripting-vulnerability-in-fully-patched-internet-explorer-10-and-11
- My PoC: https://github.com/dbellavista/uxss-poc