[NT] HTML Help API - Privilege Escalation

From: SecuriTeam (support_at_securiteam.com)
Date: 10/26/03

    To: list@securiteam.com
    Date: 26 Oct 2003 16:04:15 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      HTML Help API - Privilege Escalation
    ------------------------------------------------------------------------

    SUMMARY

    Microsoft Windows allows applications to use a standard method of
    displaying and handling help files. One of these methods is the HTML
    Help API. From the MSDN overview
    <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/htmlhelp/html/vsconOvhtmlhelpapioverview.asp>:
    "The HTML Help application programming interface (API) enables a Windows
    program to create a help window that displays a help topic. The Windows
    program has complete control over the type, style, and position of the
    help window."

    A privilege escalation vulnerability exists in the API allowing a local
    user to execute code with SYSTEM privileges.

    DETAILS

    The HTML help API consists of one function that an application uses to
    pass commands.

    HWND HtmlHelp(
        HWND hwndCaller,    // window that owns the help window
        LPCSTR pszFile,     // help file (.chm), optionally followed by a topic
        UINT uCommand,      // HH_* command, e.g. HH_DISPLAY_TOPIC
        DWORD dwData);      // command-specific data

    When an application loads a help file using this function it passes the
    name of the file through the pszFile parameter. It appears that this
    function does not drop any privileges before invoking the help viewer.

    If a SYSTEM level application uses this function to display a help file,
    the HTML help viewer will be running with SYSTEM rights.

    Part of the help window is an embedded instance of Internet Explorer that
    allows a user to browse the local drive. By selecting Jump to URL from the
    window's system menu, a user can enter a path name (c:\), right-click on a
    file and then select open with cmd.exe to be given a SYSTEM level command
    shell window.

    Vulnerable programs:
    From Brett Moore's testing, any application running at a higher security
    level that invokes HtmlHelp without dropping privileges is vulnerable. He
    tested various Personal Firewall and Antivirus applications and found some
    to be vulnerable to this attack. He found no 'default' Windows
    applications vulnerable to this attack, but thinks that it is something
    that application developers need to be aware of.
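    The condition described above (hh.exe, and therefore its embedded Internet
    Explorer control, running as SYSTEM because a privileged application called
    HtmlHelp in-process) can be audited on a running machine. The script below
    is an added example and is not part of the SecuriTeam advisory or Brett
    Moore's testing; it lists every HTML Help viewer instance with the account
    it runs under and the parent that launched it, which is how a defender
    would check a firewall or antivirus product for this behaviour: open its
    help from the product's user interface, then run the audit and look for a
    SYSTEM-owned hh.exe. It uses only the standard Win32_Process CIM class and
    must run from an elevated session, since GetOwner() on another user's
    process requires that.

```powershell
# Added audit example (not from the advisory). Requires an elevated session.
# Reports each help viewer process with its owner, session and parent, and
# flags the case the advisory warns about: a viewer owned by SYSTEM.

function Get-HelpViewerAudit {
    [CmdletBinding()]
    param(
        # Process names to inspect; hh.exe is the viewer that HtmlHelp() starts.
        [string[]]$ProcessName = @('hh.exe')
    )

    foreach ($name in $ProcessName) {
        $procs = Get-CimInstance -ClassName Win32_Process -Filter "Name = '$name'"
        foreach ($p in $procs) {
            # GetOwner returns Domain/User and a ReturnValue of 0 on success.
            $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
            $account = if ($owner.ReturnValue -eq 0) {
                "$($owner.Domain)\$($owner.User)"
            } else {
                '<unknown>'
            }

            # The parent is the application that called HtmlHelp() (or launched
            # hh.exe directly); it may already have exited.
            $parent = Get-CimInstance -ClassName Win32_Process `
                -Filter "ProcessId = $($p.ParentProcessId)" -ErrorAction SilentlyContinue
            $parentName = if ($parent) { $parent.Name } else { '<exited>' }

            [pscustomobject]@{
                ProcessId    = $p.ProcessId
                Name         = $p.Name
                Account      = $account
                SessionId    = $p.SessionId
                ParentPid    = $p.ParentProcessId
                ParentName   = $parentName
                CommandLine  = $p.CommandLine
                # True when the help viewer, and its embedded IE control,
                # carries SYSTEM rights.
                RunsAsSystem = ($account -ieq 'NT AUTHORITY\SYSTEM')
            }
        }
    }
}

# Usage: show only the instances that match the advisory's condition.
Get-HelpViewerAudit | Where-Object RunsAsSystem | Format-Table -AutoSize
```

    The ParentName column is the useful part of the report: it names the
    privileged application that needs one of the fixes listed under Solutions
    below, and the CommandLine column shows which help file it opened.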

    Solutions:
    1) The HTML help viewer (hh.exe) could be called externally, passing the
    help file name as a parameter.

    2) Security rights could be dropped through the use of the system() or
    CreateProcess() functions.

    3) CreateProcessAsUser() or ImpersonateLoggedOnUser() could be used to
    control the rights that HtmlHelp executes with.

    4) If an interactive window requires SYSTEM rights, its functionality
    should be limited to those functions requiring the higher level of
    privilege.

    ADDITIONAL INFORMATION

    The information has been provided by
    <mailto:brett.moore@security-assessment.com> Brett Moore

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

