How We Are Able To Hack Any Company By Sending Message – $20,000 Bounty [CVE-2021–34506]

Story Of Universal XSS (uXSS) On Microsoft Edge

Hello folks, I hope everyone is doing well in this pandemic and making full use of it to learn new stuff in their daily life. So this is a story about hacking into any company, even big ones like Facebook, Google, Microsoft etc. So how did this all begin? To know that, we need to start from scratch.

So on June 3rd, me, @Th3Pr0xyB0y (Vansh Devgan), and my friend @MrRajputHacker (Shivam Kumar Singh) were hunting together on a mail.ru subdomain (program from HackerOne). Unfortunately that program is in Russian. As we know, Chrome does automatic translation of pages in different languages, but we all use Firefox with Burp Suite to play with web applications, so when we were trying to find vulnerabilities on redacted.com (a subdomain of mail.ru) we faced a lot of issues translating it in Firefox.

We tried to look for some Firefox extensions to translate the page into plain readable English. While googling, we found that so many extensions had been removed because they contained vulnerable code. That got us thinking about how a vulnerable extension can impact browser users. After a while I thought: these extensions have universal access to any site in the browser; if you are on facebook.com they can access the complete DOM of that page, cookies and anything else that is possible with JavaScript. So we decided to drop the idea of finding a flaw in the mail.ru subdomain.

Here comes the interesting part. As MrRajputHacker had found several vulnerabilities in Microsoft, he started talking about finding flaws in Microsoft, but I told him: how about exploiting a browser or pre-built extensions? Since MrRajputHacker is interested in finding flaws in Microsoft, we (Th3Pr0xyB0y & MrRajputHacker) decided our target would be Microsoft Edge, as it has a bounty program.

So before finally moving to the Microsoft Edge browser, Th3Pr0xyB0y & MrRajputHacker thought: let's try to translate the website in Microsoft Edge and test it one last time (as the new Edge update contains a new translator by Microsoft). So we went to the same site, and as our mail.ru page was filled with XSS payloads, we found that as soon as we translated the page we got many popups in Microsoft Edge. It looked strange. We went back to Chrome and did the same, but this time no popup!

So we both started digging into the platform and found that the Microsoft Edge internal translator (which comes pre-installed) has vulnerable code: it takes any HTML tags, including a "><img tag, without sanitising the input or converting the payload into text while translating. So the internal translator was taking the "><img src=x onerror=alert(1)> payload and executing it as JavaScript, as there was no proper validation check that sanitises the input or converts the complete DOM into text before processing it for translation.

Below is the affected code snippet; it seems startPageTranslation is the affected function.

function translateInternal(originalLang, targetLang, shouldTranslateFullPageInOneGo) {
    resetDataBeforeTranslateCall();
    try {
        originalLang = GetEdgeLanguageCode(originalLang);
        targetLang = GetEdgeLanguageCode(targetLang);
        /**
         * This will call the startPageTranslation function of edge script
         */
        Microsoft.JS.startPageTranslation(originalLang, targetLang, shouldTranslateFullPageInOneGo,
            "" /*domTranslatorSessionId*/,
            "" /*token*/,
            onSuccessCallback, onTranslateApiCalled, onErrorCallback);
        console.error("edge Translation started");
    } catch (err) {
        console.error("Translate: " + err);
        errorCode = ERROR["UNEXPECTED_SCRIPT_ERROR"];
        return false;
    }
    return true;
}
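The bug described above is a classic "text written back as markup" mistake. The following is an added example, not Edge's code: it models the translator's step of replacing each text node with its translation, once with innerHTML-style reinsertion (vulnerable) and once with textContent-style reinsertion (hardened), plus a check that counts event-handler tags that appear only after translation. fakeTranslate, DICTIONARY and PAGE are constructed stand-ins.

```javascript
// Models the Edge translator's "replace each text node with its translation"
// step (added example, not Edge's code). fakeTranslate and PAGE are constructed.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const DECODES = { "&amp;": "&", "&lt;": "<", "&gt;": ">", "&quot;": '"', "&#39;": "'" };

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ESCAPES[c]);
}
// Entity decoding stands in for the DOM: a text node holds the decoded characters.
function decodeEntities(s) {
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (m) => DECODES[m]);
}

// Constructed translation service: known phrases are translated, anything else
// (including the payload text) comes back unchanged, as in the real bug.
const DICTIONARY = { "Políticas de Privacidade": "Privacy Policy" };
function fakeTranslate(text) {
  return DICTIONARY[text.trim()] ?? text;
}

// Split markup into tag tokens (left alone) and text tokens (sent for translation).
function tokenize(html) {
  return html.split(/(<[^>]*>)/).filter((t) => t.length > 0);
}
const isTag = (t) => t.startsWith("<") && t.endsWith(">");

// Vulnerable: translated text is written back as markup (innerHTML semantics),
// so a payload the page only reflected as text becomes a live <img onerror>.
function translatePageUnsafe(html) {
  return tokenize(html).map((t) => (isTag(t) ? t : fakeTranslate(decodeEntities(t)))).join("");
}

// Hardened: translated text is written back as text (textContent semantics).
function translatePageSafe(html) {
  return tokenize(html).map((t) => (isTag(t) ? t : escapeHtml(fakeTranslate(decodeEntities(t))))).join("");
}

// Check: count tags in the resulting document that carry an event-handler
// attribute. Any increase over the original means text became executable markup.
function countEventHandlerTags(html) {
  return tokenize(html).filter((t) => isTag(t) && /\son[a-z]+\s*=/i.test(t)).length;
}

// Constructed page: foreign-language text plus the POC payload reflected as text.
const PAGE = "<p>Políticas de Privacidade</p><p>&quot;&gt;&lt;img src=x onerror=alert(1)&gt;</p>";
```

Running countEventHandlerTags on PAGE gives 0, on translatePageUnsafe(PAGE) gives 1, and on translatePageSafe(PAGE) gives 0 again: the fix is to treat the translation result as text, never as markup.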

So to prove that the vulnerability exists, me (Th3Pr0xyB0y) & MrRajputHacker created a POC.html file which contains text in a different language together with the famous XSS payload "><img src=x onerror=alert(1)>

You can find the code for the POC.html file below.

<b><u>SOME TEXT IN DIFFERENT LANGUAGE </u></b>
<br>

Políticas de Privacidade
Usaremos seus dados pessoais para resolver disputas, solucionar problemas e aplicar nossos Termos e Condições de Uso.

<br>

Para prevenir abusos no app/site, o Badoo usa decisões automáticas e moderadores para bloquear contas, como parte de seu procedimento de moderação. Para isso, nós conferimos contas e mensagens para encontrar conteúdo que indicam quebra dos nossos Termos e Condições de Uso. Isso é feito através de uma

<b><u>OUR PAYLOAD IN TEXT FORM </u></b>
<br>
<br>

"><img src=x onerror=alert(1)>

<br>
<br>
<br>
Políticas de Privacidade
Usaremos seus dados pessoais para resolver disputas, solucionar problemas e aplicar nossos Termos e Condições de Uso.

Now comes the special part of this blog: exploitation, or steps to reproduce, and the description of the vulnerability

Vulnerability Name — uXSS (Universal Cross Site Scripting)

Description Of Vulnerability 

Unlike the common XSS attacks, UXSS is a type of attack that exploits client-side vulnerabilities in the browser or browser extensions in order to generate an XSS condition, and execute malicious code. When such vulnerabilities are found and exploited, the behavior of the browser is affected and its security features may be bypassed or disabled.

Steps To Reproduce –

1- Download the POC.html file from the code snippet above, or copy and paste the code into a file, name it POC.html and save it

2- Start a Python server on localhost in the same folder where your POC file is located, using the command given below

python3 -m http.server 80

3- Open Microsoft Edge (Version 91.0.864.48 (Official build) (arm64)) & visit http://localhost/POC.html

Most probably, by the time you read this article Edge has already been updated to a secure version, which is why you can't reproduce it.

4- The translator will show you a message that this page is in another language and ask whether you would like to translate it; click the translate button

5- Boom, you get alert(1)

Please note: the reason we spin up the Python server even for an HTML file is simple. Sometimes the translator doesn't show up to translate the text when just opening the HTML file, maybe because document.location is about:html when we just open the HTML file.

Two Conditions For Remote Exploit →

1- The person should be using Microsoft Edge

2- The person should have AutoTranslate on

POC VIDEO →

Impact –

We can summarise the impact in the four statements given below

1- Any page reflecting "><img src=x onerror=alert(1)> (or any XSS payload) is vulnerable; we just need reflection

2- Any person from another country (who doesn't know English) reading about XSS on an English site is vulnerable → as he will translate (XSS will pop up)

3- All users using Edge are vulnerable to XSS which can trigger on any website

4- Any person who receives an email or message having content in a different language + an XSS payload (is vulnerable)

There are so many possibilities which can happen in this attack vector.

This vulnerability is known as Universal XSS.

Now How We Could Have Hacked Google & Facebook

Facebook → we created a profile with a name in a different language plus an XSS payload and sent a friend request to the victim (who is using Edge); as soon as he checks our profile he gets hacked (XSS popup because of auto translation)

Google → we wrote a review on Google for a company, HackENews, with a different language + XSS payload; any person browsing that review link got hacked (XSS popup because of auto translation)

YouTube → we created a YouTube video and entered a comment with an XSS payload + different language; anyone viewing that video in Edge got hacked (XSS popup because of auto translation)

YouTube and Google have the same POC video

Windows Store application → we found that web-based applications (for example Instagram) on the Windows Store are also vulnerable to this attack, as the Windows Store ships applications with the same Microsoft Edge translator which was responsible for triggering the uXSS (Universal XSS) attack.

https://blog.cyberxplore.com/media/08178a6875273cf79d8d4255192a1a29uXSS Microsoft Edge Translator Vulnerability POC CVE-2021–34506

Timeline

3rd June 2021 : Report sent To Microsoft
7th June 2021 : Reply from Microsoft Reviewing 
8th June 2021 : Additional Impact Information Sent
15th June 2021 : Report Triaged 
17th June 2021 : Awarded $20000 bounty
19th June 2021 : Pre-Release Patch
24th June 2021 : Patch Update Pushed & CVE ASSIGNED As CVE-2021–34506

Read Microsoft Release Notes & Acknowledgement Here

uXSS Microsoft Edge Translator Bounty

Resources To Learn –

1- PortSwigger Labs

2- Acunetix

3- HackerOne Hacktivity

Thanks everyone for reading. Don't forget to leave a clap if you like it.

Follow Us –

Twitter → @MrRajputHacker @Th3Pr0xyB0y

Instagram → @MrRajputHacker @vanshdevgan

Linkedin → MrRajputHacker @th3pr0xyb0y

Medium → @mrrajputhacker @th3pr0xyb0y
