[VulnWatch] MS-Windows ME IE/Outlook/HelpCenter critical vulnerability

From: Fozzy [Hackademy Audit] (fozzy@dmpfrance.com)
Date: 02/27/03

  • Next message: Frog Man: "[VulnWatch] Invision Power Board (PHP)"
    Date: Thu, 27 Feb 2003 06:06:08 +0100
    From: Fozzy [Hackademy Audit] <fozzy@dmpfrance.com>
    To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org

    --[ Summary ]--

    From the Microsoft Security Bulletin MS03-006:
    " A security vulnerability is present in the Windows Me version of Help
    and Support Center [...]. An attacker could exploit the vulnerability by
    constructing a URL that, when clicked on by the user, would execute code
    of the attacker's choice in the Local Computer security context. The URL
    could be hosted on a web page, or sent directly to the user in email. "
    This issue can also be triggered automatically in some cases, without the
    need for the victim to click on a link. It leads to total remote compromise of
    the victim's computer.
    Microsoft rates this issue as "Critical".

    --[ Affected Systems ]--

    - Windows ME (any version)
    - Windows XP without SP1

    Not vulnerable :
    - Windows XP with SP1

    Status of Windows 2000 was not tested but is believed to be the same as
    Windows XP.

    --[ Details]--

    When an URL beginning with hcp:// is opened in Internet Explorer or
    Outlook, the Help Center is launched. The URL is supplied to this
    application without any additional check. The Help center will handle
    the URL by opening the specified HTML help page (which is on the local
    computer). Arguments, like the help topic name, can be given in the URL
    and will be handled by javascript codes in the HTML page.

    What happens if the victim follows this kind of link ?
    script here can read, delete and execute any file')
    The malicious topic we supplied will be used internally by scripts on
    the page, will be inserted into the page, etc. So, the malicious script
    will finally be executed in the Local Computer zone.

    Exploitation has been confirmed on Windows ME and Windows XP without
    SP1. When the malicious URL is opened into IE or Outlook, the Help
    Center fires and execute the script crafted into the URL. Privileged
    scripts actions and ActiveX controls can be run without any warning.
    That allows an attacker to take total control over the victim's

    We believe the Microsoft Security Bulletin issued about this issue is a
    bit misleading. The problem was flagged as an "unchecked buffer in the
    hcp:// URL handler leading to a buffer overrun vulnerability". We asked
    Microsoft if they fixed a different problem than the one we reported,
    but they told us it was the same.
    We see it as a cross-site scripting vulnerability allowing an attacker
    to execute arbitrary scripts in the relaxed security context of the Help
    Center. This is much easier to exploit than a classical buffer overrun.
    An attacker does not need to craft assembler code into the URL to
    exploit this bug, he only needs to know a bit about client side
    scripting languages and work around a weird triple-URL-decoding.

    --[ Disclosure Timeline ]--

    - "Warning" from The Hackademy Audit team found this vulnerability at the
    end of November, 2002.
    - Microsoft was notified early December.
    - Readers of "The Hackademy Journal" were warned early December of
    critical security issues in Windows ME and KDE (www.kde.org)
    - KDE fixed its vulnerabilities early January.
    - Microsoft fixed the Windows ME issue at the end of February (26/02)

    --[ Solution ]--

    Apply the patch provided by Microsoft in Security Bulletin MS03-006 :

    -- Fozzy

    The Hackademy School, Journal & Audit - Paris