Message-ID: <20040413182428.GA28596@jouko.iki.fi>
Date: Tue, 13 Apr 2004 21:24:29 +0300
From: Jouko Pynnonen <jouko@....fi>
To: bugtraq@...urityfocus.com
Subject: Microsoft Help and Support Center argument injection vulnerability




OVERVIEW
========

"Help and Support Center (HSC) is a feature in Windows that provides 
help on a variety of topics" (from www.microsoft.com). It can be 
accessed via HCP: URLs. HSC is installed by default on Windows XP and 
Windows Server 2003 systems.

An argument injection vulnerability in HSC allows an attacker to run 
arbitrary code when the victim opens a specially formatted HCP: URL. 
The user may be automatically directed to such a URL when a web page is 
viewed. The issue can also be exploited via e-mail.



DETAILS
=======

The HSC installation contains various HTML files, some of which are 
intended to be used by all web pages and some of which are intended for 
HSC's internal use. The HTML files belong to the My Computer Zone 
because they require, e.g., the ability to launch external helper 
programs with JavaScript.

By using quote symbols in the URL an attacker can pass arbitrary 
command line arguments to HelpCtr.exe, the program handling HCP URLs. 
Certain arguments allow the attacker to open any of HSC's HTML files 
instead of just the "public" ones. This allows an attacker to inject 
JavaScript code which will be run in the context of these HTML files. 
In this way the attacker can run scripts in the My Computer Zone, 
which can, e.g., download and start an attacker-supplied EXE program.

By default, HSC ships with Windows XP and Windows 2003. An exploit was 
produced to test the vulnerability, and both operating systems were 
found vulnerable. The attack succeeds even with Windows 2003's Enhanced 
Security Configuration enabled, because no ActiveX or JavaScript is 
needed in Internet Explorer directly: the script is injected into HTML 
files opened by Help and Support Center, not by Internet Explorer.

HSC isn't included in Windows systems prior to XP, so default 
installations of the older OSes aren't vulnerable.

Outlook (Express) with recent security fixes mitigates the e-mail 
vector: automatic redirection is no longer possible, and some user 
interaction (clicking on a link) is required.
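
The vector described above (quote symbols inside an HCP: URL) can be 
screened for in web content or mail bodies. The following detector is 
an added example and not part of this advisory; the regex, the sample 
HTML and the hcp: paths in it are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed pattern: an hcp: URL runs until whitespace or an angle
# bracket, with an enclosing attribute quote (if any) left out of the match.
HCP_URL_RE = re.compile(r'hcp:[^\s<>]+?(?=["\']?(?:[\s<>]|$))', re.IGNORECASE)

def extract_hcp_urls(text):
    """Return every hcp: URL found in an HTML page or e-mail body."""
    return [m.group(0) for m in HCP_URL_RE.finditer(text)]

def hcp_url_findings(url):
    """Explain why an hcp: URL looks like an argument-injection attempt."""
    # Percent-decode first: %22 is the quote character HelpCtr.exe would
    # actually receive on its command line.
    decoded = unquote(url)
    findings = []
    if '"' in decoded:
        findings.append("quote character breaks out of the URL argument")
    if re.search(r"<script|javascript:", decoded, re.IGNORECASE):
        findings.append("script content embedded in the URL")
    return findings

def scan_document(text):
    """Map each suspicious hcp: URL in a document to its findings."""
    return {url: f for url in extract_hcp_urls(text) if (f := hcp_url_findings(url))}

# Constructed samples: an ordinary HSC link and a redirect carrying
# percent-encoded quote characters (the hypothetical paths are placeholders).
BENIGN = '<a href="hcp://system/help/topic.htm">Help topic</a>'
SUSPICIOUS = ('<meta http-equiv="refresh" '
              'content="0;url=hcp://system/%22injected%22">')

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, scan_document(doc))
```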



SOLUTION
========

Microsoft was contacted on November 5th, 2003. A patch has been 
produced to correct the vulnerability. Microsoft classifies the 
vulnerability in the highest, critical severity category.

Information about the patch can be found at

  http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx



CREDITS
=======

The vulnerability was discovered and researched by Jouko Pynnonen, 
Finland.




-- 
Jouko Pynnönen          Web: http://iki.fi/jouko/
jouko@....fi            GSM: +358 41 5504555
