[Full-Disclosure] iDEFENSE Security Advisory 04.13.04 - Microsoft Help and Support Center Argument Injection Vulnerability

Date: 04/13/04

    To: <idlabs-advisories@idefense.com>
    Date: Tue, 13 Apr 2004 13:37:47 -0400

    Microsoft Help and Support Center Argument Injection Vulnerability

    iDEFENSE Security Advisory 04.13.04
    April 13, 2004


    Help and Support Center is a feature of Microsoft Windows that enables
    users to download and install software updates, check hardware
    compatibility and perform other system related tasks.


    Exploitation of an argument injection vulnerability in the Help and
    Support Center feature of Microsoft Corp.'s Windows operating system
    allows remote attackers to execute arbitrary code.

    HCP URIs are handled via the following command as defined in the
    registry key HKLM\SOFTWARE\Classes\HCP\shell\open\command:

    "C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe" -FromHCP -url "%1"

    The %1 is replaced by the argument to the HCP:// URI. By embedding
    quotes in the argument, it is possible to insert new arguments to the
    command. For example:

      HCP://" -url "../../unreachable.htm

    When the %1 is substituted in, this gives:

    C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe -FromHCP -url "HCP://"
    -url "../../unreachable.htm"

    An attacker can compromise a vulnerable system by crafting a URL to
    inject scripting code into a pre-existing file such as
    System\errors\connection.htm. The scripting code executes under the "My
    Computer" zone.
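As an added illustration that is not part of the advisory, the following Python script simulates Windows command-line tokenisation (the CommandLineToArgvW rules) on the registered HCP handler template, showing that a URI argument containing quotes becomes extra arguments, and includes a simple validation check a protocol handler should apply to the %1 value before substituting it. The handler path is the one quoted above; the benign sample URI is constructed.

```python
# Added example: simulate how Windows splits a command line into argv and use it
# to show why substituting %1 verbatim into a quoted URI-handler command lets a
# crafted URI inject extra arguments. Constructed; not code from the advisory.

# Handler command as registered under HKLM\SOFTWARE\Classes\HCP\shell\open\command
HCP_TEMPLATE = r'"C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe" -FromHCP -url "%1"'


def split_windows_cmdline(cmdline: str) -> list:
    """Tokenise cmdline the way CommandLineToArgvW / the MS C runtime do:
    whitespace separates arguments outside quotes; 2n backslashes before a quote
    give n backslashes and toggle quoting; 2n+1 give n backslashes and a literal quote."""
    args, cur, in_quotes, have_arg, i = [], [], False, False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == '\\':
            n = 0
            while i < len(cmdline) and cmdline[i] == '\\':
                n, i = n + 1, i + 1
            if i < len(cmdline) and cmdline[i] == '"':
                cur.append('\\' * (n // 2))
                if n % 2:              # odd run: the quote is literal, consume it
                    cur.append('"')
                    i += 1
                # even run: the quote toggles quoting on the next iteration
            else:
                cur.append('\\' * n)   # backslashes not before a quote are literal
            have_arg = True
            continue
        if c == '"':
            in_quotes = not in_quotes
            have_arg = True
        elif c in ' \t' and not in_quotes:
            if have_arg:
                args.append(''.join(cur))
                cur, have_arg = [], False
        else:
            cur.append(c)
            have_arg = True
        i += 1
    if have_arg:
        args.append(''.join(cur))
    return args


def hcp_handler_argv(uri: str) -> list:
    """argv HelpCtr.exe receives when the shell substitutes %1 verbatim (vulnerable behaviour)."""
    return split_windows_cmdline(HCP_TEMPLATE.replace('%1', uri))


def is_safe_handler_argument(uri: str) -> bool:
    """Defensive check: a %1 value must not be able to close or escape the surrounding quotes."""
    return '"' not in uri and not uri.endswith('\\')
```

A benign URI yields the expected four arguments, while the advisory's quoted URI yields six, with a second -url that HelpCtr.exe honours.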


    Successful exploitation allows an attacker to remotely execute arbitrary
    code under the context of the My Computer zone. Script code executing
    with such privileges can be crafted to retrieve and execute arbitrary
    third-party code, thereby leading to further compromise.


    iDEFENSE has confirmed the existence of this vulnerability in the latest
    versions of Windows Server 2003 and Windows XP.


    As stated in Microsoft advisory MS03-044, the HCP protocol can be
    unregistered, thereby preventing successful exploitation. This can be
    accomplished by deleting the key 'HKEY_CLASSES_ROOT\HCP' using the
    Windows Registry Editor.


    Microsoft has issued the following security bulletin to address this

    Microsoft Security Bulletin MS04-011
    Security Update for Microsoft Windows (835732)


    The Common Vulnerabilities and Exposures (CVE) project has assigned the
    name CAN-2003-0907 to this issue. This is a candidate for inclusion in
    the CVE list (http://cve.mitre.org), which standardizes names for
    security problems.


    [prior] Exploit disclosed to vendor by contributor
    January 12, 2004 Exploit acquired by iDEFENSE
    January 12, 2004 iDEFENSE clients notified
    January 19, 2004 iDEFENSE Initial contact with vendor
    January 23, 2004 Initial vendor reply
    April 13, 2004 Coordinated public disclosure


    Jouko Pynnönen (http://iki.fi/jouko) is credited with this discovery.

    Get paid for vulnerability research


    Copyright © 2004 iDEFENSE, Inc.

    Permission is granted for the redistribution of this alert
    electronically. It may not be edited in any way without the express
    written consent of iDEFENSE. If you wish to reprint the whole or any
    part of this alert in any other medium other than electronically, please
    email customerservice@idefense.com for permission.

    Disclaimer: The information in the advisory is believed to be accurate
    at the time of publishing based on currently available information. Use
    of the information constitutes acceptance for use in an AS IS condition.
    There are no warranties with regard to this information. Neither the
    author nor the publisher accepts any liability for any direct, indirect,
    or consequential loss or damage arising from use of, or reliance on,
    this information.

    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
