[NT] Flaw in Windows XP Help and Support Center Could Enable File Deletion
From: support@securiteam.com Date: 10/17/02
From: support@securiteam.com To: list@securiteam.com Date: 17 Oct 2002 03:02:41 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Flaw in Windows XP Help and Support Center Could Enable File Deletion
------------------------------------------------------------------------
SUMMARY
Help and Support Center provides a centralized facility through which
users can obtain assistance on a variety of topics. For instance, it
provides product documentation, assistance in determining hardware
compatibility, access to Windows Update, online help from Microsoft, and
other assistance.
A security vulnerability is present in the Windows XP version of Help and
Support Center, and results because a file intended only for use by the
system is instead available for use by any web page. The purpose of the
file is to enable anonymous upload of hardware information, with the
user's permission, so that Microsoft can evaluate which devices users are
not currently finding device drivers for. This information is then used to
work with hardware vendors and device teams to improve the quality and
quantity of drivers available in Windows. By design, after attempting to
upload an XML file containing the hardware information, the system deletes
it.
An attacker could exploit the vulnerability by constructing a web page
that, when opened, would call the errant function and supply the name of
an existing file or folder as the argument. The attempt to upload the file
or folder would fail, but the file nevertheless would be deleted. The page
could be hosted on a web site in order to attack users visiting the site,
or could be sent as an HTML mail in order to attack the recipient when it
was opened.
DETAILS
Affected Software:
* Microsoft Windows XP
Mitigating factors:
* Customers who have applied Windows XP Service Pack 1 are at no risk
from the vulnerability.
* The vulnerability could not be exploited without some degree of user
interaction. Even in the most attacker-favorable case, the Help and
Support Center window would appear unexpectedly and the file deletion
could not occur until the user responded. (Even selecting Cancel, though,
would enable the deletion to occur.) If the user killed the process rather
than responding, the deletion could not occur.
* For an attack to be successful, the user would need to visit a website
under the attacker's control or receive an HTML e-mail from the attacker.
* The vulnerability would not enable an attacker to take any action other
than deleting files. It would not grant any form of administrative control
over the system, nor would it enable the attacker to read or modify files.
* The Help and Support Center function could not be started automatically
in Outlook Express or Outlook if the user is running Internet Explorer 6.0
Service Pack 1, or in Outlook 2002 if "Read as Plain Text" is enabled.
* In order to delete a file, the attacker would need to know its exact
file and path name. To delete a folder, the attacker would need to know
its exact path.
* If the attacker used the vulnerability to disrupt system operation,
Automatic System Recovery would provide a means of restoring normal
operation. In addition, Windows XP will automatically restore many system
files if deleted.
Patch availability:
Download locations for this patch
* Microsoft Windows XP:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=43681
* Microsoft Windows XP 64-bit Edition:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=43676
The fix for this vulnerability was originally included in Windows XP
Service Pack 1. Why has Microsoft released the fix as a patch?
The fix for this issue was included in Windows XP Service Pack 1, and
under normal conditions we would not also release it as a patch. Service
packs are, in almost every case, a better delivery vehicle for security
fixes than patches are. Indeed, the sole purpose of a patch is to provide
customers with a means of securing their systems against a particular
vulnerability until the next service pack is released.
As we discussed in a posting on the Microsoft TechNet Security web site,
we initially planned to deliver the fix for this issue only via Service
Pack 1, but subsequently made the decision to also make it available as a
patch. Although there were sound reasons for the original decision, we
reconsidered based on feedback from our customers, who in some cases
advised that they had not yet found sufficient time to deploy Service Pack 1.
What's the scope of this vulnerability?
This vulnerability could enable an attacker to delete files on another
user's computer, via either a web site or an email. Such an attack would
likely be carried out for either of two purposes: to delete high-value
files that the user had created, or to delete system files in an attempt
to disrupt system operation.
The vulnerability affects only Windows XP and is limited only to deleting
files - it could not be used to add files, modify the content of files,
run programs, or take any other actions. The attacker would not be able to
start the Help and Support Center function automatically via a mail-based
attack vector in Outlook Express or Outlook if the user is running
Internet Explorer 6.0 Service Pack 1, or in Outlook 2002 if the user has
"Read as Plain Text" enabled.
What causes the vulnerability?
The vulnerability results because the Windows XP implementation of Help
and Support Center includes a script file that, by design, should be
accessible only to trusted programs but which in reality is accessible
globally. When called, the script attempts to upload a designated file,
and then deletes it at the conclusion of the operation.
What's Help and Support Center?
Help and Support Center (HSC) is a feature in Windows that provides help
on a variety of topics. For instance, HSC enables users to learn about new
Windows features, download and install software updates, determine whether
a particular hardware device is compatible with Windows, get assistance
from Microsoft, and so forth.
What's wrong with HSC?
HSC consists of a number of files, some of which are intended to be usable by
all web pages, while others are intended only for use by HSC itself. One
of the files that should only be available to HSC actually can be used by
web pages as well. A security vulnerability results because the
functionality exposed by that file is inappropriate for use by untrusted
web pages.
What does the file at issue here do?
The file is used when a customer is working with the Found New Hardware
wizard and unsuccessfully attempts to find a driver on local media or the
Windows Update site. When this occurs, the user is presented with an
option to get more help, as part of which process the user can anonymously
upload an XML file containing information about the system hardware to
Microsoft. The file at issue here performs the upload operation, and then
deletes the XML file.
Why does exposing this function to untrusted web pages result in a
security vulnerability?
The name of the file to upload (and then delete) can be specified as an
argument when calling the function. Because any web page can call the
function, this provides a way for such a page to delete any file or folder
on the user's system.
What might an attacker use the vulnerability to do?
It's likely that an attacker would exploit this vulnerability for either
of two purposes. Firstly, he or she might use it to delete documents,
spreadsheets or other important files. However, the attacker would need to
know the name of the file, or at least the name of the folder in which it
resided.
Alternatively, the attacker might target system files in an attempt to
prevent the user from being able to use the system. However, it's worth
noting that Windows XP will automatically restore certain system files if
they're destroyed, and even in cases where this does not happen,
Automated System Recovery would provide a way of restoring normal
functioning.
How might an attacker exploit this vulnerability?
The attacker would need to construct a web page that calls the function
and provides the name of the file or folder to delete. The attack could
then proceed via either of two vectors. In the first, the attacker could
host the web page on a web site; when a user visited the site, the web
page would attempt to invoke the function and exploit the vulnerability.
In the second, the attacker could send the web page as an HTML mail. Upon
being opened by the recipient, the web page could attempt to invoke the
function and exploit the vulnerability.
You said the web page could "attempt" to invoke the function. What would
determine whether this attempt was successful?
For the web site-based attack vector, in order for an attack to be
successful, the attacker would have to lure the user to a web site under
the control of the attacker. If the user's browser is Internet Explorer
6.0 Service Pack 1, then the function might be started only if the user
clicks on a link, otherwise it might be possible for the function to be
started automatically.
For the mail-based attack vector, the attacker might send an HTML e-mail.
If the user is running Internet Explorer 6.0 Service Pack 1 then the
function would not be able to be started automatically from Outlook
Express or Outlook. The function also would not be able to be started
automatically if the user is running Outlook 2002 with "Read as Plain
Text" enabled.
If the attacker were able to make HSC run, would that cause the
vulnerability to be exploited?
Even in the case where the attacker successfully made HSC run, it still
wouldn't allow the attack to proceed automatically. Instead, the HSC
window shown below would appear, and the file deletion would not happen
unless the user clicked one of the buttons in the window.
[Screenshot of the HSC window: http://www.microsoft.com/TechNet/security/bulletin/images/hcp.jpg]
It's worth noting that even selecting Cancel would allow the deletion to
proceed. Nevertheless, the fact that an unexpected (and unsolicited)
window had appeared would be a tip-off that an attack was underway, and
the user could safely clear the dialog by using the following steps to
kill the HelpCtr.exe process:
* Press Ctrl-Alt-Del and then click on "Task Manager"
* Click on the Processes tab
* Highlight HelpCtr.exe
* Right mouse-click and select "End Process"
* Answer "Yes" to the Task Manager Warning
You said that the function containing the vulnerability is used to upload
information. Does this mean that the attacker could read files from my
system?
No. The function only allows information to be uploaded to Microsoft.
There is no means by which the attacker could misuse the function to
upload files to himself or herself.
I'm running a version of Windows other than Windows XP. Am I at any risk?
No. The vulnerability only exists in the Windows XP version of Help and
Support Center.
What does the patch do?
The patch addresses the vulnerability by preventing any but trusted system
components from calling the function. In addition, during the
investigation of this issue Microsoft identified other needed changes, all
of which are also implemented in the patch.
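The cause described above and the patch's approach can be modelled side by side. This Python example is added here and is not the bulletin's or Microsoft's code; the HSC script itself is not on the page, so the function names, the TRUSTED_CALLERS allow-list and the stand-in _upload are hypothetical. The flawed form deletes whatever path the caller names even though the upload fails; the fixed form refuses untrusted callers and removes only the XML report it generated itself.

```python
import os
import tempfile

# Constructed model of the HSC upload-then-delete helper the bulletin
# describes; the real script is not on the page, so names are hypothetical.
TRUSTED_CALLERS = {"HelpCtr"}  # hypothetical allow-list of system components

def _upload(path):
    """Stand-in for the anonymous upload to Microsoft; always fails offline."""
    return False

def vulnerable_upload_and_delete(path):
    """Flawed form: any web page may call it and name the file, and the
    delete runs even though the upload failed."""
    _upload(path)
    os.remove(path)  # caller-chosen path is deleted unconditionally

def hardened_upload(caller, hardware_info):
    """Fixed form: only trusted components may call it, and it deletes
    nothing but the XML report it created itself."""
    if caller not in TRUSTED_CALLERS:
        raise PermissionError(f"{caller!r} may not invoke the upload helper")
    fd, report = tempfile.mkstemp(suffix=".xml")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(f"<hardware>{hardware_info}</hardware>")
        return _upload(report)
    finally:
        os.remove(report)  # only our own temporary file is ever removed

def demo():
    """Exercise both forms against a constructed user document."""
    with tempfile.TemporaryDirectory() as d:
        doc = os.path.join(d, "notes.txt")
        with open(doc, "w") as f:
            f.write("important")
        vulnerable_upload_and_delete(doc)
        lost = not os.path.exists(doc)  # document gone despite failed upload
        with open(doc, "w") as f:
            f.write("important")
        try:
            hardened_upload("web page", "constructed-device-id")
            blocked = False
        except PermissionError:
            blocked = True
        hardened_upload("HelpCtr", "constructed-device-id")
        kept = os.path.exists(doc)
        return lost, blocked, kept
```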
ADDITIONAL INFORMATION
The information has been provided by Microsoft.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.