[NT] Vulnerability in Help and Support Center Remote Code Execution (MS04-015)
From: SecuriTeam (support_at_securiteam.com)
Date: 05/12/04
To: list@securiteam.com Date: 12 May 2004 19:03:19 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Vulnerability in Help and Support Center Remote Code Execution (MS04-015)
------------------------------------------------------------------------
SUMMARY
A remote code execution vulnerability exists in the Help and Support
Center because of the way that it handles HCP URL validation. An attacker
could exploit the vulnerability by constructing a malicious HCP URL that
could potentially allow remote code execution if a user visited a
malicious Web site or viewed a malicious e-mail message. An attacker who
successfully exploited this vulnerability could take complete control of
an affected system. However, significant user interaction is required to
exploit this vulnerability.
DETAILS
Vulnerable Systems:
* Microsoft Windows XP and Microsoft Windows XP Service Pack 1
* Microsoft Windows XP 64-Bit Edition Service Pack 1
* Microsoft Windows XP 64-Bit Edition Version 2003
* Microsoft Windows Server 2003
* Microsoft Windows Server 2003 64-Bit Edition
Immune Systems:
* Microsoft Windows NT Workstation 4.0 Service Pack 6a
* Microsoft Windows NT Server 4.0 Service Pack 6a
* Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
* Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service
Pack 3, Microsoft Windows 2000 Service Pack 4
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
Microsoft Windows Millennium Edition (ME)
Patch Availability:
* Microsoft Windows XP and Microsoft Windows XP Service Pack 1 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=563F65A3-D793-47B4-A607-948CAA5B3454&displaylang=en> Download the update
* Microsoft Windows XP 64-Bit Edition Service Pack 1 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=EB954F03-EFC6-45FA-B87C-E29135199DC9&displaylang=en> Download the update
* Microsoft Windows XP 64-Bit Edition Version 2003 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=EB954F03-EFC6-45FA-B87C-E29135199DC9&displaylang=en> Download the update
* Microsoft Windows Server 2003 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=50AD42D7-81BD-4F96-9AD1-0E67310551DF&displaylang=en> Download the update
* Microsoft Windows Server 2003 64-Bit Edition -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=E05DE6AB-FB0D-4A0E-B34E-BB69B9D6BA74&displaylang=en> Download the update
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0199>
CAN-2004-0199
Mitigating Factors:
* In a Web-based attack scenario, an attacker would have to host a Web
site that contains a Web page that is used to exploit this vulnerability.
An attacker would have no way to force users to visit a malicious Web
site. Instead, an attacker would have to persuade them to visit the Web
site, typically by getting them to click a link that takes them to the
attacker's site. After they click the link, they would be prompted to
perform several actions. An attack could only occur after they performed
these actions.
* By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML
e-mail messages in the Restricted sites zone. Additionally, Outlook 98 and
Outlook 2000 open HTML e-mail messages in the Restricted sites zone if the
<http://www.microsoft.com/office/outlook/evaluation/security.asp> Outlook
E-mail Security Update has been installed. The Restricted sites zone helps
reduce attacks that could attempt to exploit this vulnerability.
The risk of attack from the HTML e-mail vector can be significantly
reduced if you meet all the following conditions:
* Apply the update that is included with Microsoft Security Bulletin
<http://www.microsoft.com/technet/security/bulletin/MS03-040.mspx>
MS03-040 or a later Cumulative Security Update for Internet Explorer.
* Use Internet Explorer 6 or later.
* Use the Microsoft Outlook E-mail Security Update, use Microsoft Outlook
Express 6 or later, or use Microsoft Outlook 2000 Service Pack 2 or later
in its default configuration.
* An attacker who successfully exploited this vulnerability could gain
the same privileges as the user. Users whose accounts are configured to
have fewer privileges on the system would be at less risk than users who
operate with administrative privileges.
* Windows NT 4.0 and Windows 2000 are not affected by this vulnerability.
Workarounds:
Microsoft has tested the following workarounds. While these workarounds
will not correct the underlying vulnerability, they help block known
attack vectors. When a workaround reduces functionality, it is identified
below.
Unregister the HCP Protocol.
To help prevent an attack, unregister the HCP Protocol by deleting the
following key from the registry: HKEY_CLASSES_ROOT\HCP.
To do so, follow these steps:
1. Click Start, and then click Run.
2. Type regedit, and then click OK.
The registry editor program launches.
3. Expand HKEY_CLASSES_ROOT, and then highlight the HCP key.
4. Right-click the HCP key, and then click Delete.
Note Using Registry Editor incorrectly can cause serious problems that may
require you to reinstall Windows. Microsoft cannot guarantee that problems
resulting from the incorrect use of Registry Editor can be solved. Use
Registry Editor at your own risk.
Impact of Workaround: Unregistering the HCP protocol will break all local,
legitimate help links that use hcp://. For example, links in Control Panel
may no longer work.
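The registry workaround above, scripted so it can be audited and rolled back. This is an added example, not code from the advisory or from Microsoft: it reports whether the HKEY_CLASSES_ROOT\HCP handler is still registered, and only when run with -Remove does it export the key with reg.exe and delete it. It assumes an elevated PowerShell session; the backup file location is an assumption chosen here.

```powershell
# Added example (not part of MS04-015): audit and optionally apply the
# "unregister the HCP protocol" workaround with a rollback backup.
param(
    [switch]$Remove,
    # Assumed backup location; any writable path works.
    [string]$BackupPath = (Join-Path $env:TEMP 'HKCR-HCP-backup.reg')
)

$hcpKey = 'Registry::HKEY_CLASSES_ROOT\HCP'   # key named in the advisory

if (-not (Test-Path -LiteralPath $hcpKey)) {
    Write-Output 'HCP protocol is not registered: workaround already applied (or not applicable).'
    return
}

Write-Output 'HCP protocol is registered. Current handler registration:'
# Walk the key and its subkeys so a reviewer can see what hcp:// links resolve to.
$keys = @(Get-Item -LiteralPath $hcpKey) + @(Get-ChildItem -LiteralPath $hcpKey -Recurse)
foreach ($key in $keys) {
    foreach ($name in $key.GetValueNames()) {
        $label = if ($name -eq '') { '(Default)' } else { $name }
        Write-Output ('  {0} : {1} = {2}' -f $key.Name, $label, $key.GetValue($name))
    }
}

if (-not $Remove) {
    Write-Output 'Re-run with -Remove to apply the workaround (breaks legitimate hcp:// links).'
    return
}

# Export first so the change can be reverted with: reg.exe import <backup file>
& reg.exe export 'HKCR\HCP' $BackupPath /y | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Backup of HKCR\HCP failed; refusing to delete the key."
}

Remove-Item -LiteralPath $hcpKey -Recurse -Force
Write-Output "HCP protocol unregistered. Backup saved to $BackupPath"
```

Restoring the exported .reg file re-enables hcp:// links, including the Control Panel help links the advisory says the workaround breaks.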
Install
<http://www.microsoft.com/office/previous/outlook/2002security.asp>
Outlook E-mail Security Update if you are using Outlook 2000 SP1 or
earlier.
By default, Outlook Express 6, Outlook 2002 and Outlook 2003 open HTML
e-mail messages in the Restricted sites zone. Additionally, Outlook 98 and
Outlook 2000 open HTML e-mail messages in the Restricted sites zone if the
Outlook E-mail Security Update has been installed.
Customers who use any of these products could be at a reduced risk from an
e-mail-borne attack that tries to exploit this vulnerability unless the
user clicks a malicious link in the e-mail message.
Read e-mail messages in plain text format if you are using Outlook 2002 or
later, or Outlook Express 6 SP1 or later, to help protect yourself from
the HTML e-mail attack vector.
Microsoft Outlook 2002 users who have applied Office XP Service Pack 1 or
later and Microsoft Outlook Express 6 users who have applied Internet
Explorer 6 Service Pack 1 can enable this setting and view e-mail messages
that are not digitally signed or e-mail messages that are not encrypted in
plain text only.
Digitally signed e-mail messages or encrypted e-mail messages are not
affected by the setting and may be read in their original formats. For
more information about enabling this setting in Outlook 2002, see
Microsoft Knowledge Base Article
<http://support.microsoft.com/default.aspx?kbid=307594> 307594.
For information about this setting in Outlook Express 6, see Microsoft
Knowledge Base Article
<http://support.microsoft.com/default.aspx?kbid=291387> 291387.
Impact of Workaround: E-mail messages that are viewed in plain text format
will not contain pictures, specialized fonts, animations, or other rich
content.
In addition:
* The changes are applied to the preview pane and to open messages.
* Pictures become attachments so that they are not lost.
* Because the message is still in Rich Text or HTML format in the store,
the object model (custom code solutions) may behave unexpectedly.
FAQ:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. If a user is logged on with
administrative privileges, an attacker who successfully exploited this
vulnerability could take complete control of an affected system, including
installing programs; viewing, changing, or deleting data; or creating new
accounts with full privileges. Users whose accounts are configured to have
fewer privileges on the system would be at less risk than users who
operate with administrative privileges. However, significant user
interaction is required to exploit this vulnerability.
What causes the vulnerability?
The process that the Help and Support Center uses to validate data input.
What is the Help and Support Center?
The Help and Support Center (HSC) is a feature in Windows that provides
help on a variety of topics. For example, HSC can teach users about
Windows features, how to download and install software updates, how to
determine whether a particular hardware device is compatible with Windows,
and how to receive help from Microsoft. Users and programs can use URL
links to the Help and Support Center by using the "hcp://" prefix in a URL
link instead of "http://".
What is the HCP protocol?
Similar to the way that the HTTP protocol uses URL links to open a Web
browser, the HCP protocol uses URL links to open the Help and Support
Center feature.
What is wrong with the Help and Support Center?
An error in input validation occurs.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take
complete control of an affected system, including installing programs;
viewing, changing, or deleting data; or creating new accounts that have
full privileges.
How could an attacker exploit this vulnerability?
To exploit this vulnerability, an attacker would have to host a malicious
Web site and then persuade a user to view that Web site. An attacker could
also create an HTML e-mail message that has a specially crafted link, and
then persuade a user to view the HTML e-mail message and click the
malicious link. If the user clicked this link, a window could open with an
HCP URL of the attacker's choice. However, at this point significant
additional user interaction is required. After clicking the link, the user
would be prompted to perform several actions. An attack could only occur
after a user performed these actions.
What systems are primarily at risk from the vulnerability?
Windows XP and Windows Server 2003 contain the affected version of the
Help and Support Center. Other platforms are not affected because they do
not contain the Help and Support Center or because the nature of the
vulnerability is different on those platforms.
I am running Internet Explorer on Windows Server 2003. Does Windows Server
2003 mitigate this vulnerability?
No. By default, Internet Explorer on Windows Server 2003 runs in a
restricted mode that is known as the Internet Explorer Enhanced Security
Configuration. However, the HCP protocol is permitted to access the Help
and Support Center by default. Therefore, Windows Server 2003 is
vulnerable.
For more information about Internet Explorer Enhanced Security
Configuration, visit the following
<http://www.microsoft.com/downloads/details.aspx?FamilyID=d41b036c-e2e1-4960-99bb-9757f7e9e31b&DisplayLang=en> Web site.
What does the update do?
This update removes the vulnerability by modifying the validation of data
that is passed to the Help and Support Center.
How does this vulnerability relate to the Help and Support Center
vulnerability that is corrected by MS04-011?
Both vulnerabilities were in the Help and Support Center. However, this
update corrects a new vulnerability that was not addressed as part of
MS04-011. MS04-011 fully protects against the vulnerability that is
discussed in that bulletin, but does not address this new vulnerability.
This update does not replace MS04-011. You must install this update and
the update provided as part of the MS04-011 security bulletin to be
protected from both vulnerabilities.
When this security bulletin was issued, had this vulnerability been
publicly disclosed?
No. Microsoft had not received any information indicating that this
vulnerability had been publicly disclosed when this security bulletin was
originally issued.
When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had not received any information indicating that this
vulnerability had been publicly used to attack customers and had not seen
any examples of proof of concept code published when this security
bulletin was originally issued.
ADDITIONAL INFORMATION
The original article can be found at:
<http://www.microsoft.com/technet/security/bulletin/ms04-015.mspx>