[Full-Disclosure] RE: How to Break Windows XP SP2 + Internet Explorer 6 SP2

From: Thor Larholm (thor_at_pivx.com)
Date: 10/20/04

  • Next message: Luigi Auriemma: "Buffer-overflow in Age of Sail II 1.04.151"
    To: <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>, <bugtraq@securityfocus.com>
    Date: Wed, 20 Oct 2004 08:07:10 -0700

    I successfully reproduced this exploit on a fully patched XPSP2
    installation and can verify that malware.htm is planted locally after
    which HTML Help is used to launch it and circumvent the XPSP2 browser
    security improvements, compromising the system.

    However, this exploit did not work on any systems with Qwik-Fix Pro
    installed, from Windows 95 to Windows XP Service Pack 2. A free Home
    edition and a trial Corporate edition are available for download at


    Before you can successfully use any Drag'n'Drop technique or script
    shortcuts to plant a file on the local system you first need to be able
    to reference local content. If you cannot reference local contents or
    directories from the Internet zone then you cannot retrieve the window
    handle that is necessary for any Drag'n'Drop exploits or any
    cross-domain scripting exploits.

    IE6SP1 initially blocked all direct references to the file:// and RES://
    protocols which I demonstrated how to circumvent through the OBJECT
    element. This was quickly patched in the next cumulative security update
    and thereby blocked the traditional cross-domain scripting exploits.
    XPSP2 went further and tightened down the Local Machine Zone with the
    recommendations PivX Labs made public in late 2003 so that even if you
    could find a way to reference local content and subsequently inject
    scripting through a cross-domain vulnerability you would not be able to
    accomplish anything. This LMZ lockdown has a per-process exception list
    in which HTML Help is included.

    When the LMZ is locked down attackers have to find alternative attack
    vectors, of which the Drag'n'Drop vulnerability is a prime example. When
    IE renders an IMG element it gives priority to the SRC attribute but
    when IE drops an IMG element on an arbitrary window it gives priority to
    the DYNSRC attribute. If you are able to reference any local content you
    can therefore drop the DYNSRC attribute of the IMG element on the window
    with local content and thereby plant a file on the file system in a
    known location.

    The browser security improvements in XPSP2 do not include further
    restrictions on referencing local content, which is why the Drag'n'Drop
    exploits to this date affect fully patched XPSP2 systems. Qwik-Fix Pro
    restricts local content referencing through a number of means of which
    one is responsible for protecting against this exploit:

    In order for http-equiv's exploit to work the "ceegar.html" file uses
    the AnchorClick behavior to open "C:\WINDOWS\PCHealth\" in a named
    window which is then used as a drop target for the DYNSRC pointing to
    the "malwarez" file. When any behavior in IE tries to list a local
    directory it uses the Shell.Explorer ActiveX object, an object which has
    no justification for use inside the browser but which is heavily used by
    Windows Explorer itself.

    Setting the Kill Bit on the Shell.Explorer ActiveX object prevents IE
    from referencing local directories in a window object, whether it's
    through AnchorClick behavior or some other approach that we discover
    tomorrow. The GUID for Shell.Explorer is
    {8856F961-340A-11D0-A96B-00C04FD705A2} and Knowledge Base article 240797
    (http://support.microsoft.com/?kbid=240797 ) explains how the process

    PivX Labs released a freely available registry fix that sets the Kill
    Bit on Shell.Explorer almost 2 months ago which can be downloaded from


    For clarity, here are the file contents:

    === neutershellexplorer.reg ===
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
    "Compatibility Flags"=dword:00000400
    === neutershellexplorer.reg ===

    PivX Labs has covered this topic several times before on the Unpatched
    mailing list which receives advance notification of our security
    research, including several Win95-XPSP2 vulnerabilities that will be
    released in the interim future. For more information or to subscribe you
    can visit



    Thor Larholm
    Senior Security Researcher
    PivX Solutions
    23 Corporate Plaza #280
    Newport Beach, CA 92660
    Stock symbol: (PIVX.OB)
    Phone: +1 (949) 231-8496
    PGP: 0x4207AEE9
    B5AB D1A4 D4FD 5731 89D6 20CD 5BDB 3D99 4207 AEE9

    PivX defines a new genre in Desktop Security: Proactive Threat

    -----Original Message-----
    From: Windows NTBugtraq Mailing List
    Sent: Wednesday, October 20, 2004 5:36 AM
    Subject: How to Break Windows XP SP2 + Internet Explorer 6 SP2


    Snip http://tinyurl.com/4xeww

    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
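As an added example (not part of Thor Larholm's post or of PivX's .reg fix), here is a PowerShell script that checks whether the Kill Bit described in KB 240797 is set on the Shell.Explorer CLSID quoted above and sets it if it is not. It assumes it is run from an elevated prompt, since it writes under HKLM. The Wow6432Node path is an assumption for 64-bit Windows, where 32-bit IE reads its ActiveX Compatibility keys from that view; on the 32-bit XP SP2 systems in the post only the first path exists, and the script skips any view that is absent. Unlike the .reg file, which writes 0x400 outright, the script ORs the bit into any existing Compatibility Flags value so other flags already set on the same CLSID are preserved.

```powershell
# Added example: audit and set the IE ActiveX Kill Bit for Shell.Explorer.
# Not code from the original post. Run from an elevated PowerShell prompt.

$Clsid   = '{8856F961-340A-11D0-A96B-00C04FD705A2}'   # Shell.Explorer, as given in the post
$KillBit = 0x400                                      # "Compatibility Flags" bit from KB 240797

# Registry views to check. Wow6432Node is an assumption for 64-bit hosts;
# views that do not exist on this machine are skipped rather than created.
$Roots = @(
    'HKLM:\SOFTWARE',
    'HKLM:\SOFTWARE\Wow6432Node'
)

function Get-CompatFlags {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return 0 }
    $item = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Test-KillBit {
    param([string]$Path)
    return ((Get-CompatFlags $Path) -band $KillBit) -ne 0
}

function Set-KillBit {
    param([string]$Path)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # OR the bit in rather than overwrite, so other compatibility flags survive.
    $newFlags = (Get-CompatFlags $Path) -bor $KillBit
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $newFlags -Type DWord
}

foreach ($root in $Roots) {
    $compat = Join-Path $root 'Microsoft\Internet Explorer\ActiveX Compatibility'
    if (-not (Test-Path $compat)) {
        Write-Output "Skipping (view not present): $compat"
        continue
    }
    $key = Join-Path $compat $Clsid
    if (Test-KillBit $key) {
        Write-Output "Kill Bit already set: $key"
    } else {
        Set-KillBit $key
        Write-Output "Kill Bit set:         $key"
    }
}
```

Rerunning the script is safe: a CLSID that is already kill-bitted is reported and left untouched. To audit a different control, change `$Clsid`; the flag value and key layout are the same for any ActiveX control.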
