[NT] HTML Help API - Privilege Escalation
From: SecuriTeam (support_at_securiteam.com)
To: firstname.lastname@example.org
Date: 26 Oct 2003 16:04:15 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
HTML Help API - Privilege Escalation
Microsoft Windows gives applications standard methods of displaying and handling help files. One of these is the HTML Help API, which Microsoft's overview <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/htmlhelp/html/vsconOvhtmlhelpapioverview.asp> describes as follows:
"The HTML Help application programming interface (API) enables a Windows program to create a help window that displays a help topic. The Windows program has complete control over the type, style, and position of the help window."
A privilege escalation vulnerability exists in the API allowing a local
user to execute code with SYSTEM privileges.
The HTML Help API consists of one function, HtmlHelp(), that an application calls to display a help topic:
HWND HtmlHelp(HWND hwndCaller, LPCTSTR pszFile, UINT uCommand, DWORD dwData);
When an application loads a help file using this function it passes the
name of the file through the pszFile parameter. It appears that this
function does not drop any privileges before invoking the help viewer.
If a SYSTEM level application uses this function to display a help file,
the HTML help viewer will be running with SYSTEM rights.
Part of the help window consists of an instance of Internet Explorer that
allows a user to browse the local drive. By selecting jump to URL from the
window system menu, a user can enter a path name (c:\), right-mouse-click
on a file and then select open with cmd.exe to be given a SYSTEM level
command shell window.
From Brett Moore's testing, any application running at a higher security
level that invokes HtmlHelp without dropping privileges is vulnerable.
Brett Moore tested various personal firewall and antivirus applications
and found some to be vulnerable to this attack. Brett Moore found no
'default' Windows applications vulnerable to this attack, but thinks that
it is something that application developers need to be aware of.
1) The HTML help viewer (hh.exe) could be called externally, passing the help
file name as a parameter.
2) Security rights could be dropped through the use of system() or
3) CreateProcessAsUser() or ImpersonateLoggedOnUser() could be used to
control the rights that HtmlHelp executes with.
4) If an interactive window requires SYSTEM rights, its functionality
should be limited to those functions requiring the higher level of
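The following is an added example, not code from the advisory or from Brett Moore. It shows how a LocalSystem service can apply mitigations 1 and 3 above: instead of calling HtmlHelp() in-process (which would hand the viewer, and the Internet Explorer pane inside it, SYSTEM rights), it launches hh.exe in the interactive console session under that user's own token, so the viewer's "Jump to URL" browsing runs with the user's rights. The function names build_hh_cmdline() and show_help_as_console_user() are this example's own. The command-line builder is portable C; the launcher uses WTSQueryUserToken(), CreateEnvironmentBlock() and CreateProcessAsUser() and is compiled only under _WIN32. It assumes the caller runs as LocalSystem (WTSQueryUserToken() needs SE_TCB_NAME) and that the help should appear on the console session's default desktop.

```c
/* Added example, not from the advisory: launch hh.exe for the interactive
 * user under the user's own token instead of calling HtmlHelp() from a
 * SYSTEM process.  build_hh_cmdline() and show_help_as_console_user() are
 * names chosen for this example. */
#include <stdio.h>
#include <string.h>

/* Build the command line  "<sysdir>\hh.exe" "<help_file>"  for CreateProcess.
 * Rejects names that cannot be passed safely as a single argument under the
 * MS C runtime argv rules: empty names, embedded double quotes, control
 * characters, and a trailing backslash (which would escape the closing
 * quote).  Returns 0 on success, -1 on rejection or truncation. */
int build_hh_cmdline(const char *sysdir, const char *help_file,
                     char *out, size_t outlen)
{
    size_t i;
    int n;

    if (sysdir == NULL || help_file == NULL || help_file[0] == '\0')
        return -1;
    for (i = 0; help_file[i] != '\0'; i++) {
        unsigned char c = (unsigned char)help_file[i];
        if (c == '"' || c < 0x20)
            return -1;
    }
    if (help_file[i - 1] == '\\')
        return -1;
    n = snprintf(out, outlen, "\"%s\\hh.exe\" \"%s\"", sysdir, help_file);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

#ifdef _WIN32
#include <windows.h>
#include <wtsapi32.h>
#include <userenv.h>
#pragma comment(lib, "wtsapi32.lib")
#pragma comment(lib, "userenv.lib")

/* Launch hh.exe in the console session with the logged-on user's primary
 * token.  Must run as LocalSystem (WTSQueryUserToken needs SE_TCB_NAME).
 * The viewer therefore inherits the user's rights, not SYSTEM's. */
BOOL show_help_as_console_user(const char *help_file)
{
    char sysdir[MAX_PATH], cmdline[2 * MAX_PATH];
    HANDLE user_token = NULL;
    LPVOID env = NULL;
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;
    BOOL ok = FALSE;

    if (GetSystemDirectoryA(sysdir, sizeof sysdir) == 0)
        return FALSE;
    if (build_hh_cmdline(sysdir, help_file, cmdline, sizeof cmdline) != 0)
        return FALSE;
    if (!WTSQueryUserToken(WTSGetActiveConsoleSessionId(), &user_token))
        return FALSE;
    /* Unicode environment block for the user, so the child does not
       inherit the service's SYSTEM environment (profile paths, TEMP). */
    if (!CreateEnvironmentBlock(&env, user_token, FALSE))
        goto done;

    ZeroMemory(&si, sizeof si);
    si.cb = sizeof si;
    si.lpDesktop = "winsta0\\default";   /* interactive desktop */
    ZeroMemory(&pi, sizeof pi);

    ok = CreateProcessAsUserA(user_token, NULL, cmdline, NULL, NULL, FALSE,
                              CREATE_UNICODE_ENVIRONMENT, env, NULL, &si, &pi);
    if (ok) {
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }
done:
    if (env != NULL)
        DestroyEnvironmentBlock(env);
    CloseHandle(user_token);
    return ok;
}
#endif
```

The same pattern applies to any elevated process that must show a help topic: obtain the interactive user's token, build the command line from validated input, and start hh.exe as that user rather than calling HtmlHelp() with the elevated process's own token.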
The information has been provided by Brett Moore <mailto:email@example.com>.
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.