[Full-Disclosure] Microsoft Help and Support Center argument injection vulnerability

From: Jouko Pynnonen (jouko_at_iki.fi)
Date: 04/13/04

    To: full-disclosure@lists.netsys.com
    Date: Tue, 13 Apr 2004 21:25:20 +0300
    
    

    OVERVIEW
    ========

    "Help and Support Center (HSC) is a feature in Windows that provides
    help on a variety of topics" (from www.microsoft.com). It can be
    accessed via HCP: URLs. HSC is installed by default on Windows XP and
    Windows Server 2003 systems.

    An argument injection vulnerability in HSC allows an attacker to run
    arbitrary code when the victim opens a specially formatted HCP: URL.
    The user may be automatically directed to such a URL when a web page is
    viewed. The issue can also be exploited via e-mail.

    DETAILS
    =======

    The HSC installation contains various HTML files, some of which are
    intended to be used by all web pages and some of which are intended for
    HSC's internal use. The HTML files belong in the My Computer Zone
    because they require e.g. the ability to launch external helper
    programs with JavaScript.

    By using quote symbols in the URL an attacker can pass arbitrary
    command line arguments to HelpCtr.exe, the program handling HCP URLs.
    Certain arguments allow the attacker to open any of the HSC's HTML
    files instead of just the "public" ones. This allows an attacker to
    inject JavaScript code which will be run in the context of these HTML
    files. In this way the attacker can run scripts in the My Computer
    Zone, which can e.g. download and start an attacker-supplied EXE
    program.

    By default, HCP ships with Windows XP and Windows 2003. An exploit was
    produced to test the vulnerability, and both operating systems were
    found vulnerable. The attack succeeds even with Windows 2003's Enhanced
    Security Configuration enabled, because no ActiveX or JavaScript is
    needed in Internet Explorer directly - the script is injected in HTML
    files opened by Help and Support Center, not Internet Explorer.

    HSC isn't included in Windows systems prior to XP, so default
    installations of the older OSes aren't vulnerable.

    Outlook (Express) with recent security fixes mitigates the e-mail
    vector: automatic redirection can't be done, and some user interaction
    (clicking on a link) is required.

    SOLUTION
    ========

    Microsoft was contacted on November 5th, 2003. A patch has been
    produced to correct the vulnerability. Microsoft classifies the
    vulnerability in the highest, critical severity category.

    Information about the patch can be found at

      http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

    CREDITS
    =======

    The vulnerability was discovered and researched by Jouko Pynnonen,
    Finland.

    -- 
    Jouko Pynnönen          Web: http://iki.fi/jouko/
    jouko@iki.fi            GSM: +358 41 5504555
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    
