Our Blog

MS Threat Modeller

Reading time ~2 min

Just arbitrary coolness regarding Microsoft’s Threat Modeller.  It’s XSS-ible…

Since this all works in file:///, not overly sure what the benefits of these things will be, but I suppose since different folks may have different privilege levels for different protocol handlers (ie: file:// http:// etc), one might be able to instantiate previously unusable OCX’es, or even redirect to site for exploiting browser vulnerabilities.

Never happened unless there are pictures, so refer below…

XSS strings in MS Threat Modeller

Cute alert()

Redirect to www.sensepost.com

A little further playing, along with some vulnerable ActiveX controls, and we find ourselves with a nice mechanism for getting remote code execution… :)


Finally, a little update.  After reporting the issue to secure@microsoft.com, we get a response from Nate mentioning the following:

“Thank you again for bringing this to our attention. Given that this product has been deprecated, the MSRC won’t open a case to investigate the issue. I am however going to contact the Download Center and see if we can get the download removed since new tools/versions are available. If you find the same or other issues in the current version/tool please let us know. If you have any questions or concerns please let me know.”

A subsequent Google for the Microsoft Threat Modeling (sic) Tool this morning, provides the following…

Googling for Threat Modeling Tool

The first link is the package we’re looking for.  Clicking on the Cached page, we get:

Google Cached page

Clicking on the “really-real” link, we get the following…

Page Not Found