[NT] Microsoft MSHTA Script Execution Vulnerability

• Previous message: SecuriTeam: "[NT] Buffer Overflow Vulnerability in Microsoft Windows (CONSOLE_STATE_INFO, MS05-018)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 13 Apr 2005 13:41:33 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  Microsoft MSHTA Script Execution Vulnerability
------------------------------------------------------------------------

SUMMARY

Microsoft HTML Application Host is "a standard process of the Windows
operating system. It performs some useful functions and manages the
performance of some of the third-party software. Usually it starts and
terminates automatically. Microsoft HTML Application Host (MSHTA) is part
of the Microsoft Windows operating system and is needed to execute .HTA
files".

Remote exploitation of a design error vulnerability in Microsoft Windows
operating system allows attackers to execute arbitrary script code from a
non-executable object.

DETAILS

Vulnerable Systems:
 * Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000
Service Pack 4.
 * Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service
Pack 2.
 * Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium).
 * Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium).
 * Microsoft Windows Server 2003.
 * Microsoft Windows Server 2003 for Itanium-based Systems.
 * Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
Microsoft Windows Millennium Edition (ME).

Immune Systems:
 * Microsoft Windows Server 2003 Service Pack 1.
 * Microsoft Windows Server 2003 with SP1 for Itanium-based Systems.
 * Microsoft Windows Server 2003 x64 Edition.
 * Microsoft Windows XP Professional x64 Edition.

Various files, such as a Microsoft Word documents will be opened by the
appropriate program even if they are renamed with an unknown extension.
The reason for this is that the CLSID of the Microsoft Word program is
stored within the OLE2 document. The CLSID of a given file can be
manipulated to specify that another program should handle the opening of
the file. The CLSID is located after the Unicode string "Root Entry" as
seen in the following excerpt:

b800h: 52 00 6F 00 6F 00 74 00 20 00 45 00 6E 00 74 00 R.o.o.t. .E.n.t.
b810h: 72 00 79 00 00 00 00 00 00 00 00 00 00 00 00 00 r.y.............
b820h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
b830h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
b840h: 16 00 05 01 FF FF FF FF FF FF FF FF 03 00 00 00 .... ....
b850h: 06 09 02 00 00 00 00 00 C0 00 00 00 00 00 00 46 ........ ......F

In the above example, the CLSID {00020906-0000-0000-C000-000000000046},
can be found at the hex offset 0xb850 from above. An attacker can execute
arbitrary script code from a seemingly non-executable object by appending
script code to the end of a file and modifying the CLSID to be that of the
Microsoft HTML Application Host (MSHTA). The MSHTA CLSID can be found in
the Windows Registry. This attack works because MSHTA.EXE will completely
scan the file passed in as an argument in search of script code. If found,
the code will be executed. While the given example is built on
modifications to a Microsoft Word document, it is important to note that
this vulnerability is not Word specific or dependant and in fact can not
manifest in Word documents containing a handled file extension.

Workaround:
Removing the associated CLSID for MSHTA from system registry prevents
exploitation of the described vulnerability:
HKEY_CLASSES_ROOT\CLSID\{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}

This key should be backed-up before removal. Please note that removing
this key may cause other problems. Preliminary testing shows that the key
is not necessary for regular system usage.

Vendor Status:
This vulnerability is addressed in Microsoft Security Bulletin MS05-016
available at:
 <http://www.microsoft.com/technet/security/Bulletin/MS05-016.mspx>
http://www.microsoft.com/technet/security/Bulletin/MS05-016.mspx

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0063>
CAN-2005-0063

Disclosure Timeline:
 * 11.02.04 - Initial vendor notification
 * 11.02.04 - Initial vendor response
 * 04.12.05 - Coordinated public disclosure

ADDITIONAL INFORMATION

The information has been provided by iDEFENSE.
The original article can be found at:
<http://www.idefense.com/application/poi/display?id=231&type=vulnerabilities> http://www.idefense.com/application/poi/display?id=231&type=vulnerabilities

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[NT] Buffer Overflow Vulnerability in Microsoft Windows (CONSOLE_STATE_INFO, MS05-018)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]