[NT] Vulnerability in Help and Support Center Remote Code Execution (MS04-015)

From: SecuriTeam (support_at_securiteam.com)
Date: 05/12/04

    To: list@securiteam.com
    Date: 12 May 2004 19:03:19 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Vulnerability in Help and Support Center Remote Code Execution (MS04-015)
    ------------------------------------------------------------------------

    SUMMARY

    A remote code execution vulnerability exists in the Help and Support
    Center because of the way that it handles HCP URL validation. An attacker
    could exploit the vulnerability by constructing a malicious HCP URL that
    could potentially allow remote code execution if a user visited a
    malicious Web site or viewed a malicious e-mail message. An attacker who
    successfully exploited this vulnerability could take complete control of
    an affected system. However, significant user interaction is required to
    exploit this vulnerability.

    DETAILS

    Vulnerable Systems:
     * Microsoft Windows XP and Microsoft Windows XP Service Pack 1
     * Microsoft Windows XP 64-Bit Edition Service Pack 1
     * Microsoft Windows XP 64-Bit Edition Version 2003
     * Microsoft Windows Server 2003
     * Microsoft Windows Server 2003 64-Bit Edition

    Immune Systems:
     * Microsoft Windows NT Workstation 4.0 Service Pack 6a
     * Microsoft Windows NT Server 4.0 Service Pack 6a
     * Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
     * Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service
    Pack 3, Microsoft Windows 2000 Service Pack 4
     * Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
    Microsoft Windows Millennium Edition (ME)

    Patch Availability:
     * Microsoft Windows XP and Microsoft Windows XP Service Pack 1 -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=563F65A3-D793-47B4-A607-948CAA5B3454&displaylang=en> Download the update
     * Microsoft Windows XP 64-Bit Edition Service Pack 1 -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=EB954F03-EFC6-45FA-B87C-E29135199DC9&displaylang=en> Download the update
     * Microsoft Windows XP 64-Bit Edition Version 2003 -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=EB954F03-EFC6-45FA-B87C-E29135199DC9&displaylang=en> Download the update
     * Microsoft Windows Server 2003 -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=50AD42D7-81BD-4F96-9AD1-0E67310551DF&displaylang=en> Download the update
     * Microsoft Windows Server 2003 64-Bit Edition -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=E05DE6AB-FB0D-4A0E-B34E-BB69B9D6BA74&displaylang=en> Download the update

    CVE Information:
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0199>
    CAN-2004-0199

    Mitigating Factors:
     * In a Web-based attack scenario, an attacker would have to host a Web
    site that contains a Web page that is used to exploit this vulnerability.
    An attacker would have no way to force users to visit a malicious Web
    site. Instead, an attacker would have to persuade them to visit the Web
    site, typically by getting them to click a link that takes them to the
    attacker's site. After they click the link, they would be prompted to
    perform several actions. An attack could only occur after they performed
    these actions.

     * By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML
    e-mail messages in the Restricted sites zone. Additionally, Outlook 98 and
    Outlook 2000 open HTML e-mail messages in the Restricted sites zone if the
     <http://www.microsoft.com/office/outlook/evaluation/security.asp> Outlook
    E-mail Security Update has been installed. The Restricted sites zone helps
    reduce attacks that could attempt to exploit this vulnerability.

    The risk of attack from the HTML e-mail vector can be significantly
    reduced if you meet all the following conditions:
     * Apply the update that is included with Microsoft Security Bulletin
    <http://www.microsoft.com/technet/security/bulletin/MS03-040.mspx>
    MS03-040 or a later Cumulative Security Update for Internet Explorer.
     * Use Internet Explorer 6 or later.
     * Use the Microsoft Outlook E-mail Security Update, use Microsoft Outlook
    Express 6 or later, or use Microsoft Outlook 2000 Service Pack 2 or later
    in its default configuration.

     * An attacker who successfully exploited this vulnerability could gain
    the same privileges as the user. Users whose accounts are configured to
    have fewer privileges on the system would be at less risk than users who
    operate with administrative privileges.
     * Windows NT 4.0 and Windows 2000 are not affected by this vulnerability.

    Workarounds:
    Microsoft has tested the following workarounds. While these workarounds
    will not correct the underlying vulnerability, they help block known
    attack vectors. When a workaround reduces functionality, it is identified
    below.

    Unregister the HCP Protocol.
    To help prevent an attack, unregister the HCP Protocol by deleting the
    following key from the registry: HKEY_CLASSES_ROOT\HCP.
    To do so, follow these steps:
    1. Click Start, and then click Run.
    2. Type regedit, and then click OK.
    The registry editor program launches.
    3. Expand HKEY_CLASSES_ROOT, and then highlight the HCP key.
    4. Right-click the HCP key, and then click Delete.
    Note: Using Registry Editor incorrectly can cause serious problems that may
    require you to reinstall Windows. Microsoft cannot guarantee that problems
    resulting from the incorrect use of Registry Editor can be solved. Use
    Registry Editor at your own risk.

    Impact of Workaround: Unregistering the HCP protocol will break all local,
    legitimate help links that use hcp://. For example, links in Control Panel
    may no longer work.
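    The registry steps above, as a scripted form added by this editor (it is
    not part of the Microsoft bulletin or of the SecuriTeam posting): it checks
    that the host is actually in the affected list, exports HKEY_CLASSES_ROOT\HCP
    before deleting it so the workaround can be reversed once the update is
    installed, and verifies the result. The backup folder name is an
    assumption. Run it from an Administrator PowerShell on the XP or Server
    2003 host; reg.exe is used for the export and import because the .reg file
    it writes can also be reimported with regedit.

```powershell
# Added example, not Microsoft's or SecuriTeam's code: apply and reverse the
# "unregister the HCP protocol" workaround from MS04-015 with a backup.
# Requires an elevated (Administrator) PowerShell; reg.exe ships with Windows.

$HcpKey     = 'HKEY_CLASSES_ROOT\HCP'
$BackupDir  = Join-Path $env:SystemDrive 'hcp-workaround'   # assumed location
$Stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$BackupFile = Join-Path $BackupDir "HCP-$Stamp.reg"         # unique name, no overwrite prompt

function Test-AffectedOs {
    # MS04-015 lists Windows XP (NT 5.1) and Windows Server 2003 / XP 64-Bit (NT 5.2).
    $v = [Environment]::OSVersion.Version
    return ($v.Major -eq 5 -and ($v.Minor -eq 1 -or $v.Minor -eq 2))
}

function Get-HcpHandler {
    # Returns the command Windows runs for hcp:// URLs, or $null if unregistered.
    # HKCR is not a default PowerShell drive, hence the Registry:: prefix.
    if (-not (Test-Path "Registry::$HcpKey")) { return $null }
    $cmdKey = "Registry::$HcpKey\shell\open\command"
    if (Test-Path $cmdKey) { return (Get-ItemProperty -Path $cmdKey).'(default)' }
    return '<HCP key present, but no shell\open\command>'
}

function Disable-HcpProtocol {
    if (-not (Test-Path "Registry::$HcpKey")) {
        Write-Host 'HCP protocol is not registered; nothing to do.'
        return
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    # Export first: refuse to delete anything we cannot put back.
    & reg.exe export $HcpKey $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
        throw "Backup of $HcpKey failed; refusing to delete the key."
    }
    Remove-Item -Path "Registry::$HcpKey" -Recurse -Force
    if (Test-Path "Registry::$HcpKey") { throw "Failed to remove $HcpKey." }
    Write-Host "Removed $HcpKey (backup: $BackupFile). hcp:// links will no longer work."
}

function Restore-HcpProtocol {
    # Reverses the workaround after the MS04-015 update has been installed.
    param([Parameter(Mandatory=$true)][string]$FromBackup)
    & reg.exe import $FromBackup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Import of $FromBackup failed." }
    Write-Host "Restored HCP protocol from $FromBackup. Handler: $(Get-HcpHandler)"
}

if (-not (Test-AffectedOs)) {
    Write-Warning 'This OS version is not in the MS04-015 affected list; the workaround is not needed here.'
}
Write-Host "Current hcp:// handler: $(Get-HcpHandler)"
Disable-HcpProtocol
# After the update is applied, reverse with the file printed above, e.g.:
# Restore-HcpProtocol -FromBackup 'C:\hcp-workaround\HCP-20040512-190319.reg'
```

    The handler printed before deletion is the program that services hcp://
    links; keep that output with the backup so the change is auditable, and
    run Restore-HcpProtocol only after confirming the MS04-015 update is
    installed, since the deletion is the only protection the workaround gives.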

    Install
    <http://www.microsoft.com/office/previous/outlook/2002security.asp>
    Outlook E-mail Security Update if you are using Outlook 2000 SP1 or
    earlier.
    By default, Outlook Express 6, Outlook 2002 and Outlook 2003 open HTML
    e-mail messages in the Restricted sites zone. Additionally, Outlook 98 and
    Outlook 2000 open HTML e-mail messages in the Restricted sites zone if the
    Outlook E-mail Security Update has been installed.

    Customers who use any of these products could be at a reduced risk from an
    e-mail-borne attack that tries to exploit this vulnerability unless the
    user clicks a malicious link in the e-mail message.

    Read e-mail messages in plain text format if you are using Outlook 2002 or
    later, or Outlook Express 6 SP1 or later, to help protect yourself from
    the HTML e-mail attack vector.
    Microsoft Outlook 2002 users who have applied Office XP Service Pack 1 or
    later and Microsoft Outlook Express 6 users who have applied Internet
    Explorer 6 Service Pack 1 can enable this setting and view e-mail messages
    that are not digitally signed or e-mail messages that are not encrypted in
    plain text only.

    Digitally signed e-mail messages or encrypted e-mail messages are not
    affected by the setting and may be read in their original formats. For
    more information about enabling this setting in Outlook 2002, see
    Microsoft Knowledge Base Article
    <http://support.microsoft.com/default.aspx?kbid=307594> 307594.
    For information about this setting in Outlook Express 6, see Microsoft
    Knowledge Base Article
    <http://support.microsoft.com/default.aspx?kbid=291387> 291387.
    Impact of Workaround: E-mail messages that are viewed in plain text format
    will not contain pictures, specialized fonts, animations, or other rich
    content.

    In addition:
     * The changes are applied to the preview pane and to open messages.
     * Pictures become attachments so that they are not lost.
     * Because the message is still in Rich Text or HTML format in the store,
    the object model (custom code solutions) may behave unexpectedly.

    FAQ:
    What is the scope of the vulnerability?
    This is a remote code execution vulnerability. If a user is logged on with
    administrative privileges, an attacker who successfully exploited this
    vulnerability could take complete control of an affected system, including
    installing programs; viewing, changing, or deleting data; or creating new
    accounts with full privileges. Users whose accounts are configured to have
    fewer privileges on the system would be at less risk than users who
    operate with administrative privileges. However, significant user
    interaction is required to exploit this vulnerability.

    What causes the vulnerability?
    The process that the Help and Support Center uses to validate data input.

    What is the Help and Support Center?
    The Help and Support Center (HSC) is a feature in Windows that provides
    help on a variety of topics. For example, HSC can teach users about
    Windows features, how to download and install software updates, how to
    determine whether a particular hardware device is compatible with Windows,
    and how to receive help from Microsoft. Users and programs can use URL
    links to the Help and Support Center by using the "hcp://" prefix in a URL
    link instead of "http://".

    What is the HCP protocol?
    In the same way that an "http://" URL link opens a Web browser, an
    "hcp://" URL link opens the Help and Support Center feature: HCP is a
    registered URL protocol that hands the link to that program.
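    An audit added by this editor (not part of the bulletin) that goes beyond
    HCP: it lists every URL scheme the host will hand to an external program
    and the command that program is launched with. A scheme registered this
    way is exactly what a Web page or HTML e-mail reaches when it links to
    hcp://, so the complete list is worth reviewing on any build, and the HCP
    entry is marked. It reads only HKEY_CLASSES_ROOT and needs PowerShell 3.0
    or later for [pscustomobject]; no names beyond the registry layout are
    assumed.

```powershell
# Added example, not Microsoft's or SecuriTeam's code: inventory of pluggable
# URL protocol handlers. A scheme is "pluggable" when its key under HKCR
# carries a "URL Protocol" value; the program to run is the default value of
# shell\open\command beneath it. hcp:// (Help and Support Center) is one such
# scheme on Windows XP and Windows Server 2003.

function Get-UrlProtocolHandler {
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object {
            # Skip file-extension keys (".txt" etc.) and keys with no "URL Protocol" marker.
            $_.PSChildName -notmatch '^\.' -and
            $null -ne $_.GetValue('URL Protocol', $null)
        } |
        ForEach-Object {
            $cmdKey = "$($_.PSPath)\shell\open\command"
            $cmd = $null
            if (Test-Path $cmdKey) { $cmd = (Get-ItemProperty -Path $cmdKey).'(default)' }
            $note = ''
            if ($_.PSChildName -ieq 'HCP') { $note = 'Help and Support Center (MS04-011, MS04-015)' }
            [pscustomobject]@{
                Scheme  = $_.PSChildName
                Command = $cmd
                Note    = $note
            }
        }
}

function Get-HcpRegistration {
    # Convenience check for the scheme this bulletin is about: $null when the
    # workaround (deleting HKCR\HCP) has been applied or the OS never had it.
    Get-UrlProtocolHandler | Where-Object { $_.Scheme -ieq 'HCP' }
}

Get-UrlProtocolHandler | Sort-Object Scheme | Format-Table -AutoSize -Wrap
```

    Anything in the list that launches an interpreter or a program that itself
    parses the rest of the URL deserves the same scrutiny HCP gets here: the
    mitigation for this class of issue is either to patch the handler or, as
    in the workaround above, to unregister the scheme.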

    What is wrong with the Help and Support Center?
    An error in input validation occurs.

    What might an attacker use the vulnerability to do?
    An attacker who successfully exploited this vulnerability could take
    complete control of an affected system, including installing programs;
    viewing, changing, or deleting data; or creating new accounts that have
    full privileges.

    How could an attacker exploit this vulnerability?
    To exploit this vulnerability, an attacker would have to host a malicious
    Web site and then persuade a user to view that Web site. An attacker could
    also create an HTML e-mail message that has a specially crafted link, and
    then persuade a user to view the HTML e-mail message and click the
    malicious link. If the user clicked this link, a window could open with an
    HCP URL of the attacker's choice. However, at this point significant
    additional user interaction is required. After clicking the link, the user
    would be prompted to perform several actions. An attack could only occur
    after a user performed these actions.
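    Both vectors described above start with an hcp: link embedded in HTML. The
    following scanner, added by this editor and not part of the bulletin,
    finds such links in saved HTML mail or Web pages so a mail gateway or an
    incident responder can locate them. It decodes numeric HTML entities and
    tolerates whitespace around the colon, since a filter keyed on the literal
    string "hcp://" misses both. The two messages it scans are constructed for
    the example and written to a temporary folder whose name is an assumption.

```powershell
# Added example, not Microsoft's or SecuriTeam's code: find hcp: links in
# .eml/.htm/.html files, including entity-encoded and whitespace-padded forms.
# Requires PowerShell 3.0 or later (Get-ChildItem -File, [pscustomobject]).

$SampleDir = Join-Path $env:TEMP 'hcp-scan-sample'   # assumed location
New-Item -ItemType Directory -Path $SampleDir -Force | Out-Null

# Constructed sample messages: one benign, one carrying an hcp: link in a
# meta refresh (upper case, padded) and another with its "h" entity-encoded.
@'
Subject: Quarterly report
<html><body><a href="http://intranet.example/report">report</a></body></html>
'@ | Set-Content -Path (Join-Path $SampleDir 'benign.eml')

@'
Subject: Your help request
<html><head><meta http-equiv="refresh" content="0;url= HCP://services/search?query=x"></head>
<body><a href="&#104;cp://system/home">Open Help</a></body></html>
'@ | Set-Content -Path (Join-Path $SampleDir 'suspicious.eml')

function ConvertFrom-NumericEntity {
    # Decode &#NNN; and &#xHH; so an encoded "h" or ":" cannot hide the scheme.
    param([string]$Text)
    $t = [regex]::Replace($Text, '(?i)&#x([0-9a-f]+);',
        { param($m) [string][char][Convert]::ToInt32($m.Groups[1].Value, 16) })
    return [regex]::Replace($t, '&#(\d+);',
        { param($m) [string][char][int]$m.Groups[1].Value })
}

function Find-HcpLink {
    # Returns one object per hcp: URL found, with the file it came from.
    param([Parameter(Mandatory=$true)][string]$Path)
    Get-ChildItem -Path $Path -Include *.eml,*.htm,*.html -Recurse -File |
        ForEach-Object {
            $file    = $_.FullName
            $decoded = ConvertFrom-NumericEntity -Text (Get-Content -Path $file -Raw)
            # Scheme match is case-insensitive and allows spaces around the colon;
            # the URL ends at whitespace, a quote or an angle bracket.
            foreach ($m in [regex]::Matches($decoded, '(?i)\bhcp\s*:\s*//[^\s"''<>]*')) {
                [pscustomobject]@{ File = $file; Url = $m.Value }
            }
        }
}

Find-HcpLink -Path $SampleDir | Format-Table -AutoSize
```

    On the constructed input the benign message yields nothing and the
    suspicious one yields two hits, one from the meta refresh and one from the
    anchor. Any hit in inbound mail is worth quarantining on an unpatched
    estate: the bulletin's own mitigation for this vector is that the link
    should never be rendered or clickable in the first place.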

    What systems are primarily at risk from the vulnerability?
    Windows XP and Windows Server 2003 contain the affected version of the
    Help and Support Center. Other platforms are not affected because they do
    not contain the Help and Support Center or because the nature of the
    vulnerability is different on those platforms.

    I am running Internet Explorer on Windows Server 2003. Does Windows Server
    2003 mitigate this vulnerability?
    No. By default, Internet Explorer on Windows Server 2003 runs in a
    restricted mode that is known as the Internet Explorer Enhanced Security
    Configuration. However, the HCP protocol is permitted to access the Help
    and Support Center by default. Therefore, Windows Server 2003 is
    vulnerable.

    For more information about Internet Explorer Enhanced Security
    Configuration, visit the following
    <http://www.microsoft.com/downloads/details.aspx?FamilyID=d41b036c-e2e1-4960-99bb-9757f7e9e31b&DisplayLang=en> Web site.

    What does the update do?
    This update removes the vulnerability by modifying the validation of data
    that is passed to the Help and Support Center.

    How does this vulnerability relate to the Help and Support Center
    vulnerability that is corrected by MS04-011?
    Both vulnerabilities were in the Help and Support Center. However, this
    update corrects a new vulnerability that was not addressed as part of
    MS04-011. MS04-011 fully protects against the vulnerability that is
    discussed in that bulletin, but does not address this new vulnerability.
    This update does not replace MS04-011. You must install this update and
    the update provided as part of the MS04-011 security bulletin to be
    protected from both vulnerabilities.

    When this security bulletin was issued, had this vulnerability been
    publicly disclosed?
    No. Microsoft had not received any information indicating that this
    vulnerability had been publicly disclosed when this security bulletin was
    originally issued.

    When this security bulletin was issued, had Microsoft received any reports
    that this vulnerability was being exploited?
    No. Microsoft had not received any information indicating that this
    vulnerability had been publicly used to attack customers and had not seen
    any examples of proof of concept code published when this security
    bulletin was originally issued.

    ADDITIONAL INFORMATION

    The original article can be found at:
    <http://www.microsoft.com/technet/security/bulletin/ms04-015.mspx>
    http://www.microsoft.com/technet/security/bulletin/ms04-015.mspx

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

