HTML Help API - Privilege Escalation

From: Brett Moore (brett.moore_at_SECURITY-ASSESSMENT.COM)
Date: 10/24/03

    Date:         Fri, 24 Oct 2003 13:46:33 +1300
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    =====================================================================
    = HTML Help API - Privilege Escalation
    =
    = Tested against:
    = HTML Help Control Version 5.2.3735.1
    =
    = brett.moore@security-assessment.com
    = http://www.security-assessment.com
    =
    = Originally posted: October 24th, 2003
    =====================================================================

    == Background ==

    Microsoft Windows allows applications to use a standard method of
    displaying and handling help files. One of these methods is using
    the HTML help API.

    (From MSDN)
    - HTML Help API Overview
    - The HTML Help application programming interface (API) enables a
    - Windows program to create a help window that displays a help topic.
    - The Windows program has complete control over the type, style, and
    - position of the help window.
    -
    - The fundamental feature of the HTML Help API is the help window.
    - Through the API commands, you can create a help window that hosts
    - a Microsoft Internet Explorer DLL (Shdocvw.dll) and displays an
    - HTML file that you specify.
    (End MSDN)

    The HTML help API consists of one function that an application uses
    to pass commands.

            HWND HtmlHelp(
                  HWND hwndCaller,
                  LPCSTR pszFile,
                  UINT uCommand,
                  DWORD dwData);

    When an application loads a help file using this function it passes
    the name of the file through the pszFile parameter. It appears that
    this function does not drop any privileges before invoking the help
    viewer.

    If a SYSTEM level application uses this function to display a help file,
    the HTML help viewer will be running with SYSTEM rights.

    Part of the help window consists of an instance of Internet Explorer
    which allows a user to browse the local drive.

    By selecting jump to URL from the window system menu, a user can enter
    a path name (c:\), right-mouse-click on a file and then select open
    with cmd.exe to be given a SYSTEM level command shell window.

    == Example Vulnerable Programs ==

    From our testing, any application running at a higher security level
    that invokes htmlhelp without dropping privileges is vulnerable.
    We tested various Personal Firewall and Antivirus applications and
    found some to be vulnerable to this attack.
    We found no 'default' Windows applications vulnerable to this attack,
    but think that it is something that application developers need to be
    aware of.

    == Solutions ==

    The HTML Help viewer (hh.exe) should be launched as a separate process,
    passing the help file name as a parameter.

    Security rights could be dropped through the use of system() or
    CreateProcess() functions. CreateProcessAsUser() or
    ImpersonateLoggedOnUser() could be used to control the rights that
    htmlhelp executes with.

    If an interactive window requires SYSTEM rights, its functionality should
    be limited to those functions requiring the higher level of privilege.
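    As an added example (not the advisory's own code and not from
    Security-Assessment.com), the C routine below shows the out-of-process
    approach from the Solutions section: a service running as SYSTEM obtains
    the interactive user's token with WTSQueryUserToken and starts hh.exe
    with CreateProcessAsUser, so the viewer runs with that user's rights
    rather than the caller's. A plain CreateProcess call from the SYSTEM
    process would not help, because the child inherits the caller's token.
    The names build_hh_cmdline and launch_help_as_user are this example's
    own; the Win32 calls are real. The command-line builder is portable and
    checks the quoting of the help-file path; the launcher is compiled only
    on Windows.

```c
/* Added example (not the advisory's own code): start the HTML Help viewer
 * out of process, as the logged-on user, from a service running as SYSTEM. */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <wtsapi32.h>
#include <userenv.h>
#ifdef _MSC_VER
#pragma comment(lib, "wtsapi32.lib")
#pragma comment(lib, "userenv.lib")
#endif
#endif

/* Build the hh.exe command line.  The help-file path is quoted so that a
 * path with spaces reaches hh.exe as one argument.  Paths containing a
 * double quote are rejected rather than escaped.  Returns 0 on success,
 * -1 on an empty or unquotable path or when the buffer is too small. */
int build_hh_cmdline(const char *helpfile, char *out, size_t outlen)
{
    if (helpfile == NULL || helpfile[0] == '\0' || strchr(helpfile, '"') != NULL)
        return -1;
    int written = snprintf(out, outlen, "hh.exe \"%s\"", helpfile);
    if (written < 0 || (size_t)written >= outlen)
        return -1;
    return 0;
}

#ifdef _WIN32
/* Launch hh.exe in the console user's session with that user's own token.
 * WTSQueryUserToken needs SE_TCB_NAME, which a SYSTEM service holds.
 * Returns 1 on success, 0 on failure (GetLastError() gives the reason).
 * The calling process keeps SYSTEM; only the viewer runs as the user. */
int launch_help_as_user(const char *helpfile)
{
    char cmdline[MAX_PATH + 16];
    if (build_hh_cmdline(helpfile, cmdline, sizeof cmdline) != 0)
        return 0;

    DWORD session = WTSGetActiveConsoleSessionId();
    if (session == 0xFFFFFFFF)            /* nobody logged on at the console */
        return 0;

    HANDLE token = NULL;
    if (!WTSQueryUserToken(session, &token))
        return 0;

    /* Give the viewer the user's environment (TEMP, HOMEPATH, ...), not
     * SYSTEM's.  CreateEnvironmentBlock returns a Unicode block, hence
     * CREATE_UNICODE_ENVIRONMENT below. */
    LPVOID env = NULL;
    if (!CreateEnvironmentBlock(&env, token, FALSE))
        env = NULL;

    STARTUPINFOA si;
    PROCESS_INFORMATION pi;
    ZeroMemory(&si, sizeof si);
    ZeroMemory(&pi, sizeof pi);
    si.cb = sizeof si;
    si.lpDesktop = (LPSTR)"winsta0\\default";   /* the interactive desktop */

    BOOL ok = CreateProcessAsUserA(token, NULL, cmdline, NULL, NULL, FALSE,
                                   CREATE_UNICODE_ENVIRONMENT, env, NULL, &si, &pi);
    if (ok) {
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }
    if (env != NULL)
        DestroyEnvironmentBlock(env);
    CloseHandle(token);
    return ok ? 1 : 0;
}
#endif
```

    Because the viewer is a separate process holding the user's token, the
    "jump to URL" and "open with" features described above act with that
    user's rights only; the SYSTEM service never exposes its own token to
    the help window.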

    == Credit ==

    Brett Moore from security-assessment.com

    == About Security-Assessment.com ==

    Security-Assessment.com is a leader in intrusion testing and security
    code review, and leads the world with SA-ISO, an online ISO17799 compliance
    management solution. Security-Assessment.com is committed to security
    research and development, and its team has previously identified a
    number of vulnerabilities in public and private software vendors' products.
