Dec 25 2013
Cross-site scripting (XSS) vulnerability in the DocumentLoader::maybeCreateArchive function in core/loader/DocumentLoader.cpp in Blink, as used in Google Chrome before 35.0.1916.114, allows remote attackers to inject arbitrary web script or HTML via crafted MHTML content, aka "Universal XSS (UXSS)."
Files in .mht and .mhtml formats can execute any JavaScript code in the context of any domain. It's not enough for the majority of Chromium-based browsers, but it is enough for Opera on Mac OS, for example, which opens mht files itself.
Because it's difficult to make a user simply open an mht file, a solution was found in the form of an html file that automatically downloads the mht file and loads it in an iframe, in which the mht file is still executed. Because html files are opened using the default browser, this vulnerability exists not only in Opera.
The perfect condition for reproducing is automatic file downloading. On loading an mht file from any site in an iframe, it will be automatically downloaded to the local /Downloads folder, where the previously downloaded html file probably is as well. After the mht file is downloaded, we are able to insert it in an iframe, where it will execute successfully.
We can refer to the Chromium warning "this type of file can harm blah-blah-blah", but the user can open the html download link from any other app (iMessage, RSS feed, Tweetbot, etc.) and download the html file without any warnings, because it doesn't transfer any referer. Anyway, everybody will press the "Keep" button when Chrome warns.. (:
Thus, a user who opened the link from an external app and hasn't changed the default browser download settings is almost 100% vulnerable.
For demonstration, I attached mht and html files, which must be saved in one folder; then open the html file.
Live demonstration: http://package.su/exploit.php
Chrome: 35 (with .mht support)
Link: https://bugs.chromium.org/p/chromium/issues/detail?id=330663
The issue is similar to the Chrome < 62 bug, CVE-2017-5124.
MHT files should not be able to specify origins. That breaks the download security mechanisms we have around local files.
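The root cause above is that an MHTML archive is a MIME multipart/related message whose parts each carry a Content-Location header, and a vulnerable loader trusted those declared URLs as origins. The following triage helper, added here as an example and not part of the original report or of Chromium, parses an archive with Python's standard email module and flags every part whose declared origin differs from the root document's. The sample archive is constructed, the example.com/example.net hosts are placeholders, and the Snapshot-Content-Location header is treated as optional.

```python
import email
from urllib.parse import urlsplit

# Constructed sample MHTML archive (not from the original report). The root
# document comes from one origin; a second part claims a different origin.
SAMPLE_MHT = """\
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_BOUNDARY"; type="text/html"
Snapshot-Content-Location: https://downloads.example.com/page.html

------=_BOUNDARY
Content-Type: text/html; charset="utf-8"
Content-Location: https://downloads.example.com/page.html

<html><body><p>saved page</p></body></html>
------=_BOUNDARY
Content-Type: text/html; charset="utf-8"
Content-Location: https://bank.example.net/account

<html><body><p>frame content</p></body></html>
------=_BOUNDARY--
"""


def origin_of(url):
    """Reduce a URL to its web origin (scheme://host[:port]), lower-cased."""
    parts = urlsplit(str(url))
    return f"{parts.scheme}://{parts.netloc}".lower()


def foreign_origin_parts(mht_text):
    """Return (root_origin, flagged) where flagged lists (Content-Location,
    origin) for every leaf part whose declared origin differs from the root
    document's. Snapshot-Content-Location is used when present (Chrome writes
    it); otherwise the first leaf part's Content-Location is the root."""
    msg = email.message_from_string(mht_text)
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    root_loc = msg.get("Snapshot-Content-Location")
    if root_loc is None and leaves:
        root_loc = leaves[0].get("Content-Location", "")
    root_origin = origin_of(root_loc or "")
    flagged = []
    for part in leaves:
        loc = part.get("Content-Location")
        if loc and origin_of(loc) != root_origin:
            flagged.append((str(loc), origin_of(loc)))
    return root_origin, flagged


if __name__ == "__main__":
    root, suspicious = foreign_origin_parts(SAMPLE_MHT)
    print("root origin:", root)
    for loc, origin in suspicious:
        print("part declares foreign origin:", origin, "<-", loc)
```

A downloaded archive whose parts declare origins other than the one it was saved from is exactly the case the fix closes; flagging such files before they are opened locally is the defensive check this illustrates.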