help file vulnerability

Comparitech researchers have identified multiple vulnerabilities that could increase the impact of a phishing attack on all Windows users running up to and including Windows 10 – despite previously being patched by Microsoft.

Vulnerabilities reported to be exploited by Chinese state-sponsored espionage group APT41.

What is the issue?

Comparitech researchers uncovered multiple security vulnerabilities on Windows 10 that can be exploited through Microsoft’s help documentation file extension and the programs used to open them.

Attackers can trick Windows users into downloading and opening malicious files through, for example, an email link or attachment. Windows’ default program used to open these files will execute code stored in the file, which can be used to launch an attack.

Help documentation on a Windows device was originally stored in compiled HTML files (CHM), denoted by the .chm file extension.

When you clicked on the “Help” option in a program, it would load help documentation in a viewer similar to a web browser complete with search, an index, and other navigation tools.

.chm file opened by HtmlHelper
A .chm file opened by HtmlHelper (hh.exe)

Microsoft now considers .chm files to be potentially dangerous. In fact, they are blocked by Outlook, Microsoft’s email client.

But there is one program that exists on nearly every Windows machine that still opens .chm files, and this is where our researchers focused their investigation. A program called HtmlHelper, which runs under the process name hh.exe, can open and execute CHM files. Unless you’ve altered your default programs, when you click on a CHM file, HtmlHelper will open and render it using Internet Explorer 7.

Attackers can place malicious content inside a CHM file and trick victims into opening it. HtmlHelper contains several vulnerabilities and bypasses many of Windows 10’s security policies, according to our research. Researchers confirmed such attacks work on all modern Windows operating systems including the latest version of Windows 10 as of the time of writing.

What is the threat?

Attackers could remotely log into your Windows PC and enjoy unfettered access. In a worst case scenario this could mean cybercriminals…

  • Rifle through your personal and work files – opening yourself up to identity theft, blackmail or sextortion
  • Use ransomware to lock you out
  • Plant malware such as a keylogger to potentially unlock access to services like your online banking
  • Hijack your machine and use for nefarious purposes such as cryptojacking
  • Launch further attacks within your network and distribute malware to your contacts

Are hackers abusing HtmlHelper and CHM files?

Yes!

Malicious CHM files have been used by several major hacking groups and advanced persistent threat (APT) organizations.

Notably, APT41 from China has targeted organizations in at least 14 countries. They are a state-sponsored threat actor that routinely uses spear phishing and infected CHM files to compromise victims. Their targets include the healthcare, telecom, and high tech sectors, and their goal is often to steal intellectual property.

It’s not just major hacking groups and high-profile targets though; the use of malicious CHM files are well documented.

A typical spear phishing attempt would be an email with a malicious CHM file attached.

chm phishing email
Malicious CHM attachment and phishing email example.

What has Microsoft done?

Microsoft now blocks CHM files in its email client Outlook and acknowledges they are dangerous. But CHM files are still opened by HtmlHelper by default in most modern Windows operating systems, including the latest version of Windows 10 as of time of writing.

Microsoft patched out some of the vulnerabilities that allow CHM files to be used by hackers for remote code execution back in 2014. Those actions include blocking ActiveX and not allowing CHM files to be opened from Edge or Internet Explorer. However, our researchers found they were still able to reproduce exploits that Microsoft said were patched.

Microsoft told Comparitech researchers that the HtmlHelper vulnerability they reported “does not meet the definition of a security vulnerability for servicing.” When Comparitech asked why this was the case, a Microsoft spokesperson replied with the following statement:

“The issue described does not meet our criteria for servicing because it relies on social engineering or a device to already be compromised. We encourage customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers.”

How can Windows users protect themselves?

Don’t open CHM files you don’t recognize.

Researchers strongly suggest organizations remove hh.exe (HtmlHelper) from all client and server machines.

If you believe a CHM file is not malicious, you can first decompile it to read the content before opening it normally. Use this command:

hh.exe -decompile folder file.chm

Additional Technical Information

The proof-of-concept attacks that our research team was able to reproduce on a fully updated Windows 10 machine include:

  • NTLM Hash leak
  • Remote code execution
  • Bypass system policies to download files from third parties

… and several more.

To reproduce attacks, researchers created malicious CHM files using this tutorial on Github.

Comparitech researchers reported to Microsoft multiple CHM-related vulnerabilities found in HtmlHelper on Windows 10. Researchers performed proof-of-concept exploits on all of the following vulnerabilities:

NTLM Hash Leak

NTLM, or NTHash, is how Windows encrypts and stores passwords on PCs. A hash of the password is stored rather than the plaintext password. Normally, to log into Windows, the user types in their password, Windows hashes it using NTLM, and if the output matches the hash stored on the system, the user is authenticated and logged in.

ntlm hash leak
NTLM Hashes leaked by Windows through CHM and HtmlHelper exploit.

An NTLM hash leak occurs when one of these hashes is stolen. Attackers can then use the hash to authenticate themselves and escalate privileges. The hashes can also be used in pass-the-hash attacks in which the attacker authenticates a remote server or service with the hash of the user’s password instead of typing in the plaintext.

ie7 user agent

Researchers found hackers can steal hashes using HtmlHelper, which renders content in Internet Explorer 7. IE7 hasn’t been updated in over a decade, yet it’s the default option used by HtmlHelper and can’t be changed. It has no hash leak prevention.

ntlm hash leak 2

Researchers reproduced the attack using an infected CHM file. They used HtmlHelper on the file to expose the NTLM hash. Researchers were then able to either intercept the hash or send it to a third-party server.

Remote command execution

Attackers can execute any malicious command on the target machine using an infected .htm file. The .htm file is converted to CHM, which executes commands without any additional approval from the user.

Researchers launched the calculator app through a CHM file as proof of concept:

htmlhelp chm rce vuln

ActiveX

ActiveX, a software framework made by Microsoft, has long been deprecated. But because HtmlHelper renders everything in Internet Explorer 7, it still supports ActiveX.

activex supported

Researchers could run any basic commands on ActiveX without approval by the user. Although security warnings popped up in some instances, users could simply click Yes to continue.

When it was still in use, ActiveX made it possible for websites to embed videos and games and allow users to interact with certain types of elements in the browser, such as toolbars. But Microsoft now strongly discourages use of ActiveX because vulnerabilities in it can be used to steal data, install malware, or remotely hijack a device.