[NT] Buffer Overflow in Windows Troubleshooter ActiveX Control Could Allow Code Execution (MS03-042)

From: SecuriTeam (support_at_securiteam.com)
Date: 10/16/03

    To: list@securiteam.com
    Date: 16 Oct 2003 14:35:43 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

    Buffer Overflow in Windows Troubleshooter ActiveX Control Could Allow Code Execution (MS03-042)
    ------------------------------------------------------------------------

    SUMMARY

    A security vulnerability exists in the Microsoft Local Troubleshooter
    ActiveX control. The vulnerability exists because the ActiveX control
    (Tshoot.ocx) contains a buffer overflow that could allow an attacker to
    run code of their choice on a user's system. Because this control is
    marked "safe for scripting", an attacker could exploit this vulnerability
    by convincing a user to view a specially crafted HTML page that references
    this ActiveX control. The Microsoft Local Troubleshooter ActiveX control
    is installed as a default part of the operating system on Windows 2000.

    DETAILS

    Vulnerable Systems:
     * Microsoft Windows 2000, Service Pack 2
     * Microsoft Windows 2000, Service Pack 3, Service Pack 4

    Immune Systems:
     * Microsoft Windows NT 4.0
     * Microsoft Windows NT Server 4.0, Terminal Server Edition
     * Microsoft Windows Millennium Edition
     * Microsoft Windows XP
     * Microsoft Windows Server 2003

    The software listed above has been tested to determine if the versions are
    affected. Other versions are no longer supported
    <http://support.microsoft.com/directory/discontinue.asp>, and may or may
    not be affected.

    CVE Information:
     * CAN-2003-0661 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0661>

    Patch Availability:
     * Microsoft Windows 2000, Service Pack 2:
       <http://www.microsoft.com/downloads/details.aspx?FamilyId=48D16574-9B17-463B-A5D2-D75BA5128EF9&displaylang=en>
     * Microsoft Windows 2000, Service Pack 3, Service Pack 4:
       <http://www.microsoft.com/downloads/details.aspx?FamilyId=FC1FD84B-B3A4-43F5-804B-A2608EC56163&displaylang=en>

    To exploit this vulnerability, the attacker would have to create a
    specially formed HTML-based e-mail and send it to the user. Alternatively
    an attacker would have to host a malicious Web site that contained a Web
    page designed to exploit this vulnerability.

    In the worst case, this vulnerability could allow an attacker to load
    malicious code onto a user's system and then to execute the code. The code
    would run in the context of the user. Therefore, the code is limited to
    any action that the legitimate user could take on the system. Any
    limitations on the user's account would also limit the actions of any
    arbitrary code that the attacker could execute.

    The risk of attack from the HTML email vector can be significantly reduced
    if the following conditions are met:

     * You have applied the patch included with Microsoft Security bulletin
    MS03-040 <http://www.microsoft.com/technet/security/bulletin/MS03-040.asp>
     * You are using Internet Explorer 6 or later
     * You are using the Microsoft Outlook Email Security Update or Microsoft
    Outlook Express 6.0 and higher, or Microsoft Outlook 2000 or higher in
    their default configuration.

    Mitigating factors:
     * A Web-based attack would only be successful if the attacker creates a
    Web site that contains a Web page that they use to exploit this
    vulnerability. An attacker would have no way to force users to visit the
    malicious Web site. Instead, the attacker would have to lure them there,
    typically by getting them to click a link in an email message that would
    take them to the attacker's site.

     * By default, Outlook Express 6.0 and Outlook 2002 open HTML mail in the
    Restricted Sites Zone. In addition, Outlook 98 and 2000 open HTML mail in
    the Restricted Sites Zone if the Outlook Email Security Update
    <http://www.microsoft.com/office/outlook/evaluation/security.asp> has been
    installed. Customers who use any of these products would be at a reduced
    risk from an e-mail borne attack that attempted to exploit this
    vulnerability unless the user clicked a malicious link in the email.

     * An attacker's code could only run with the same permissions as the
    logged on user. The specific privileges the attacker could gain through
    this vulnerability would therefore depend on the privileges granted to the
    user. Any limitations on the user's account would also limit the actions
    of any arbitrary code executed by this vulnerability.

    Workarounds:
    Microsoft has tested the following workarounds. These workarounds will not
    correct the underlying vulnerability; however, they help block known attack
    vectors. Workarounds may cause a reduction in functionality in some cases;
    in such situations this is identified below.

     * Prompt before running of ActiveX controls in the Internet and Intranet
    zones: You can help protect against this vulnerability by changing your
    settings for the Internet security zone to prompt before running ActiveX
    components. To do this, perform the following steps:
    1. In Internet Explorer, select Tools, Internet Options
    2. Click on the Security tab
    3. Highlight the Internet icon and click on the Custom Level button
    4. Scroll through the list to the ActiveX controls and plug-ins section
    5. Under Run ActiveX controls and plug-ins click Prompt
    6. Click OK
    7. Highlight the Local Intranet icon and click on the Custom Level button
    8. Scroll through the list to the ActiveX controls and plug-ins section
    9. Under Run ActiveX controls and plug-ins click Prompt
    10. Click OK; then click OK again to return to Internet Explorer

    Impact of Workaround:
    Many Web sites on the Internet use ActiveX to provide additional
    functionality. For instance, an online e-commerce site or banking site
    might use ActiveX controls to provide menus, ordering forms, or even
    account statements. Prompting before running ActiveX controls is a global
    setting for all Internet and Intranet sites. You will be prompted
    frequently when you enable this work-around. For each prompt, if you feel
    you trust the site that you are visiting, click Yes to run ActiveX
    components. If you do not want to be prompted for all of these sites, you
    can instead use the "Restrict Web sites to only your trusted Web sites"
    workaround.

     * Restrict Web sites to only your trusted Web sites. After requiring a
    prompt before running ActiveX in the Internet and Intranet zone, you can
    add sites that you trust into Internet Explorer's Trusted sites. This will
    allow you to continue using trusted Web sites exactly as you do today,
    while protecting you from this attack on untrusted sites. Microsoft
    recommends that you only add sites that you trust to the trusted sites
    zone.
    To do this, perform the following steps:
    1. In Internet Explorer, select Tools, then Internet Options. Click the
    Security tab.
    2. In the box labeled Select a Web content zone to specify its current
    security settings, click Trusted Sites, then click Sites.
    3. If you want to add sites that do not require an encrypted channel,
    click to clear the Require server verification (https:) for all sites in
    this zone check box.
    4. In the box labeled Add this Web Site to the zone, type the URL of a
    site that you trust, then click the Add button.
    Repeat for each site that you want to add to the zone.
    5. Click OK twice to accept the changes and return to Internet Explorer.
    Add any sites that you trust not to take malicious action on your
    computer. One in particular that you may want to add is
    "*.windowsupdate.microsoft.com" (without the quotes). This is the site
    that will host the patch, and it requires the use of an ActiveX control to
    install the patch.

    Impact of Workaround:
    For those sites you have not configured to be in your Trusted sites zone,
    their functionality will be impaired if they require ActiveX controls to
    function properly. Adding sites to your Trusted sites zone will allow them
    to be able to download the ActiveX control required to function correctly.
    However, you should only add Web sites you trust to the Trusted sites zone.

     * Install Outlook Email Security Update if you are using Outlook 2000 SP1
    or earlier.

    The Outlook Email Security Update causes Outlook 98 and 2000 to open HTML
    mail in the Restricted Sites Zone by default. Outlook Express 6.0 and
    Outlook 2002 by default open HTML mail in the Restricted Sites Zone.
    Customers who use any of these products would be at a reduced risk from an
    e-mail borne attack that attempts to exploit this vulnerability unless the
    user clicks a malicious link in the email.

     * If you are using Outlook 2002 or Outlook Express 6.0 SP1 or higher, to
    help protect yourself from the HTML email attack vector, read email in
    plain text format.
    Users of Microsoft Outlook 2002 and Outlook Express 6.0 who have applied
    Service Pack 1 or higher can enable a feature to view all
    non-digitally-signed e-mail or non-encrypted e-mail messages in plain text
    only.

    Digitally signed e-mail or encrypted e-mail messages are not affected by
    the setting and may be read in their original formats. Information on
    enabling this setting in Outlook 2002 can be found in the following
    Knowledge Base article:
     <http://support.microsoft.com/default.aspx?scid=kb;en-us;307594>
    Information on enabling this setting in Outlook Express 6.0 can be found
    in the following Knowledge Base article:
     <http://support.microsoft.com/?kbid=291387>

    Impact of Workaround:
    E-mail viewed in plain text format cannot contain pictures, specialized
    fonts, animations, or other rich content. In addition:
     * The changes are applied to the preview pane and open messages.
     * Pictures become attachments to avoid loss.
     * Since the message is still in Rich Text or HTML format in the mail
    store, the object model (custom code solutions) may behave unexpectedly.
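    As an added example (not part of the bulletin), the following PowerShell
    audit checks the per-user registry state behind the first two workarounds
    above: whether the Internet and Local intranet zones are set to prompt (or
    block) before running ActiveX controls, and which hosts have been placed in
    the Trusted sites zone. It assumes IE records the "Run ActiveX controls and
    plug-ins" action as value 1200 under the Zones key (0 = Enable, 1 = Prompt,
    3 = Disable; zone 1 = Local intranet, zone 3 = Internet) and Trusted sites
    as ZoneMap\Domains entries whose http/https value is 2.

```powershell
# Added audit script, not from the bulletin. Reports whether the "Prompt before
# running ActiveX controls" workaround is in effect for the current user and
# lists the hosts placed in the Trusted sites zone.
# Assumptions: per-zone URL actions live under the Zones key below; action
# 1200 is "Run ActiveX controls and plug-ins" (0 = Enable, 1 = Prompt,
# 3 = Disable); zone 1 = Local intranet, zone 3 = Internet, zone 2 = Trusted.
$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones    = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$meaning  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveXRunSetting {
    param([int]$ZoneId)
    $key  = Join-Path $zoneRoot $ZoneId
    $item = Get-ItemProperty -Path $key -Name '1200' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }        # zone key or value missing
    return [int]$item.'1200'
}

foreach ($id in ($zones.Keys | Sort-Object)) {
    $value = Get-ActiveXRunSetting -ZoneId $id
    if ($null -eq $value) {
        Write-Output ("{0,-15} (zone {1}): action 1200 not found" -f $zones[$id], $id)
        continue
    }
    $label = if ($meaning.ContainsKey($value)) { $meaning[$value] } else { "unknown ($value)" }
    # Only 0 lets a "safe for scripting" control load silently; Prompt or
    # Disable both block the drive-by vector the bulletin describes.
    $state = if ($value -eq 0) { 'NOT applied (controls run silently)' } else { 'applied' }
    Write-Output ("{0,-15} (zone {1}): Run ActiveX = {2}; workaround {3}" -f $zones[$id], $id, $label, $state)
}

# Trusted sites (zone 2) are recorded under ZoneMap\Domains as
# <domain>\<subdomain> keys whose 'http'/'https' value holds the zone id.
# Listing them lets a reviewer confirm only intended hosts were added.
$domainRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
if (Test-Path $domainRoot) {
    Get-ChildItem -Path $domainRoot -Recurse | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $parts = ($_.Name -replace '.*\\Domains\\', '') -split '\\'
        [array]::Reverse($parts)                  # registry nests the domain first
        $site  = $parts -join '.'
        foreach ($scheme in 'http', 'https') {
            if ($null -ne $props.PSObject.Properties[$scheme] -and $props.$scheme -eq 2) {
                Write-Output ("Trusted site: {0}://{1}" -f $scheme, $site)
            }
        }
    }
}
```

    Run it in the user's own session, since the keys are under HKCU and
    reflect only that profile's Internet Options.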

    Frequently Asked Questions
    What is the scope of the vulnerability?
    This is a buffer overrun vulnerability. An attacker who successfully
    exploited the vulnerability could, in the worst case, run code of their
    choice on a user's system. This would enable an attacker to take any
    action the legitimate user could take. This could include creating,
    modifying or deleting data. This could also include reconfiguring the
    system, or reformatting the hard disk.

    What causes the vulnerability?
    The vulnerability results because the Microsoft Local Troubleshooter
    ActiveX control (Tshoot.ocx) does not correctly validate parameters under
    certain circumstances. By luring a user into viewing a specially-crafted
    Web page, or by sending them a specially-crafted email, an attacker could
    cause the ActiveX control to fail in such a way that could allow an
    attacker to run arbitrary code.

    What's ActiveX?
    ActiveX® is a technology that enables developers to write small programs
    that are named controls. Web pages, Visual Basic® programs, and other
    applications can use controls. An ActiveX control performs a small number
    of related tasks and can be used as building blocks in much more complex
    programs.
    Developers can build custom ActiveX controls. If developers build custom
    ActiveX controls, the controls must be distributed to each user. However,
    Microsoft and many third-party software vendors include ActiveX controls
    with their products, to enable these products to be easily extended. The
    vulnerability in this case involves an ActiveX control that installs by
    default as part of the operating system.

    Which ActiveX controls contain the vulnerability?
    The Microsoft Windows Help system is a default component of Windows. This
    Help system features documentation and interactive troubleshooting wizards
    that help users diagnose common problems. In Windows 2000, the Microsoft
    Windows Troubleshooting and Help System uses an ActiveX control that is
    named the Microsoft Local Troubleshooter (Tshoot.ocx). Microsoft Local
    Troubleshooter interacts with the local computer to help diagnose
    problems. This ActiveX control was designed to be used only by the Windows
    Troubleshooting and Help System.

    What is wrong with the affected ActiveX controls?
    The affected ActiveX control contains a buffer overrun. Because the control
    is marked "safe for scripting" after installation, Internet Explorer,
    even in the Internet security zone, can load the control without any user
    interaction. By luring a user to view a specially-crafted Web page, an
    attacker could cause the control to fail in such a way that would allow
    arbitrary code to be run.

    What are Internet Explorer security zones?
    Internet Explorer security zones are a system that divides online content
    into categories or zones based on its trustworthiness. Specific Web
    domains can be assigned to a zone, depending on how much trust is placed
    in the content of each domain. The zone then restricts the capabilities of
    the Web content, based on the zone's settings.
    By default, most Internet domains are treated as part of the Internet
    security zone, which has settings that prevent scripts and other active
    code from accessing resources on the local system. Conversely, the My
    Computer zone is a much less restricted zone which allows content to
    access and to make changes to content that is on the local system. By
    default, files that are stored on the local computer are run in the My
    Computer zone.

    What could this vulnerability enable an attacker to do?
    An attacker who successfully exploited this vulnerability could, in the
    worst case, run code of their choice on a user's system. This would enable
    an attacker to take any action the legitimate user could take. This could
    include creating, modifying or deleting data. This could also include
    reconfiguring the system, or reformatting the hard disk.

    How could an attacker exploit the vulnerability?
    To exploit this vulnerability, the attacker would have to create a
    specially formed HTML-based e-mail and send it to the user. Alternatively
    an attacker would have to host a malicious Web site that contained a Web
    page designed to exploit this vulnerability.

    Is there anything that helps mitigate the risk of an HTML email attack?
    The risk of attack from the HTML email vector can be significantly reduced
    if the following conditions are met:

     * You have applied the patch included with Microsoft Security bulletin
    MS03-040 <http://www.microsoft.com/technet/security/bulletin/MS03-040.asp>
     * You are using Internet Explorer 6 or later
     * You are using the Microsoft Outlook Email Security Update or Microsoft
    Outlook Express 6.0 and higher, or Microsoft Outlook 2000 or higher in
    their default configuration.

    What does the patch do?
    The patch helps remove the vulnerability by making sure that the ActiveX
    control validates all parameters correctly.

    Microsoft thanks the following for working with us to protect customers:
     * Greg Jones of KPMG UK <http://www.kpmg.co.uk> and Cesar Cerrudo
    <mailto:cesarc56@yahoo.com> for reporting the issue described in MS03-042.

    ADDITIONAL INFORMATION

    The original article can be found at:
    <http://www.microsoft.com/technet/security/bulletin/MS03-042.asp>
