[NT] HTML Help API - Privilege Escalation
From: SecuriTeam (support_at_securiteam.com)
Date: 10/26/03
To: list@securiteam.com Date: 26 Oct 2003 16:04:15 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
HTML Help API - Privilege Escalation
------------------------------------------------------------------------
SUMMARY
Microsoft Windows allows applications to use a standard method of
displaying and handling help files. One of these methods is the HTML
Help API. The MSDN overview
<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/htmlhelp/html/vsconOvhtmlhelpapioverview.asp>
describes it as follows: "The HTML Help application programming interface (API) enables a Windows program to create a help window that displays a help topic. The Windows program has complete control over the type, style, and position of the help window."
A privilege escalation vulnerability exists in the API allowing a local
user to execute code with SYSTEM privileges.
DETAILS
The HTML Help API consists of one function that an application uses to
pass commands:
HWND HtmlHelp(
    HWND   hwndCaller,
    LPCSTR pszFile,
    UINT   uCommand,
    DWORD  dwData);
When an application loads a help file using this function it passes the
name of the file through the pszFile parameter. It appears that this
function does not drop any privileges before invoking the help viewer.
If a SYSTEM level application uses this function to display a help file,
the HTML help viewer will be running with SYSTEM rights.
Part of the help window consists of an instance of Internet Explorer that
allows a user to browse the local drive. By selecting "Jump to URL" from the
window's system menu, a user can enter a path name (c:\), right-click
on a file and then select "Open With" cmd.exe to be given a SYSTEM level
command shell window.
Vulnerable programs:
From Brett Moore's testing, any application running at a higher security
level that invokes HtmlHelp without dropping privileges is vulnerable.
Brett Moore tested various Personal Firewall and Antivirus applications
and found some to be vulnerable to this attack. Brett Moore found no
'default' Windows applications vulnerable to this attack, but thinks that
it is something that application developers need to be aware of.
Solutions:
1) The HTML Help viewer (hh.exe) could be called externally, passing the help
file name as a parameter.
2) Security rights could be dropped through the use of the system() or
CreateProcess() functions.
3) CreateProcessAsUser() or ImpersonateLoggedOnUser() could be used to
control the rights that HtmlHelp executes with.
4) If an interactive window requires SYSTEM rights, its functionality
should be limited to those functions requiring the higher level of
privilege.
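A defender-side check, added here as example code that is not part of the advisory: it walks a constructed, Sysmon-like process snapshot (fields pid, ppid, image, user; format and values are assumptions) and flags the condition described above, hh.exe inheriting SYSTEM rights from its caller and any SYSTEM process, such as a shell, descended from that viewer.

```python
from collections import namedtuple
Proc = namedtuple("Proc", "pid ppid image user")
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
HELP_VIEWER = "hh.exe"

# Constructed sample snapshot (not real telemetry). A SYSTEM service (pid 900)
# called HtmlHelp(), so hh.exe (pid 1200) runs as SYSTEM and the shell opened
# from it (pid 1300) inherits that token; the user's own hh.exe (1400) is benign.
SAMPLE_SNAPSHOT = """\
4\t0\tSystem\tNT AUTHORITY\\SYSTEM
900\t4\tC:\\Program Files\\ExampleAV\\avservice.exe\tNT AUTHORITY\\SYSTEM
1200\t900\tC:\\WINDOWS\\hh.exe\tNT AUTHORITY\\SYSTEM
1300\t1200\tC:\\WINDOWS\\system32\\cmd.exe\tNT AUTHORITY\\SYSTEM
1100\t4\tC:\\WINDOWS\\explorer.exe\tWORKSTATION\\alice
1400\t1100\tC:\\WINDOWS\\hh.exe\tWORKSTATION\\alice
"""

def parse_snapshot(text):
    """Parse tab-separated records into a pid -> Proc map."""
    procs = {}
    for line in text.splitlines():
        if line.strip():
            pid, ppid, image, user = line.split("\t")
            procs[int(pid)] = Proc(int(pid), int(ppid), image, user)
    return procs

def basename(image):
    return image.rsplit("\\", 1)[-1].lower()

def ancestors(procs, pid):
    """Yield the ancestor chain of pid; stop on unknown or cyclic parents."""
    seen, cur = set(), procs.get(pid)
    while cur and cur.ppid in procs and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = procs[cur.ppid]
        yield cur

def find_privileged_help_viewers(procs):
    """Return (pid, reason) pairs: hh.exe running as SYSTEM, and any SYSTEM
    process whose ancestry passes through hh.exe (e.g. a shell opened from it)."""
    findings = []
    for p in procs.values():
        if p.user != SYSTEM_USER:
            continue
        if basename(p.image) == HELP_VIEWER:
            findings.append((p.pid, "hh.exe running as SYSTEM"))
        elif any(basename(a.image) == HELP_VIEWER for a in ancestors(procs, p.pid)):
            findings.append((p.pid, "SYSTEM process descended from hh.exe"))
    return sorted(findings)
```

On the sample above the check reports pids 1200 and 1300 and stays silent on the user's own help viewer; the same logic applies to any service that calls HtmlHelp() without first dropping privileges.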
ADDITIONAL INFORMATION
The information has been provided by Brett Moore
<mailto:brett.moore@security-assessment.com>.