Message-ID: <3F99F9F0.5050408@snosoft.com>
From: dotslash at snosoft.com (KF)
Subject: HTML Help API - Privilege Escalation

Drats... looks like ya beat me to it. I hesitated to release this 
information because not all applications that use help can be exploited. 
We have located a few applications that ARE vulnerable to this type of 
attack, however nothing that is part of Windows by default. Currently we 
are awaiting vendor fixes before we release the information... release 
is expected around 11/10/03

We also considered mentioning this to M$ however we felt that this was 
not a flaw of the Windows OS but rather a flaw in the implementation of 
application XYZ's usage of the help functions. I would relate this type 
of attack to a setuid program calling system("clear") while running as 
root on a unix machine. This does not mean that system() is flawed 
rather that when implementing this call you need to be more careful and 
drop your privs. 

Brett: does Microsoft plan on patching this issue, or is this purely 
informational and intended to help those using the help functions 
program properly?

For an example of this type of attack please see:
http://securityresponse.symantec.com/avcenter/security/Content/2002.10.15.html

-KF


Brett Moore wrote:

>=====================================================================
>= HTML Help API - Privilege Escalation
>=
>= Tested against:
>=   HTML Help Control Version 5.2.3735.1
>=
>= brett.moore@...urity-assessment.com
>= http://www.security-assessment.com
>=
>= Originally posted: October 24th, 2003
>=====================================================================
>
>== Background ==
>
>Microsoft Windows allows applications to use a standard method of
>displaying and handling help files. One of these methods is using 
>the HTML help API.
>
>(From MSDN)
>- HTML Help API Overview
>- The HTML Help application programming interface (API) enables a 
>- Windows program to create a help window that displays a help topic.
>- The Windows program has complete control over the type, style, and
>- position of the help window. 
>-
>- The fundamental feature of the HTML Help API is the help window.
>- Through the API commands, you can create a help window that hosts 
>- a Microsoft Internet Explorer DLL (Shdocvw.dll) and displays an 
>- HTML file that you specify. 
>(End MSDN)
>
>The HTML help API consists of one function that an application uses
>to pass commands.
>
>	HWND HtmlHelp(
>              HWND    hwndCaller,
>              LPCSTR  pszFile,
>              UINT    uCommand,
>              DWORD   dwData) ;
>
>When an application loads a help file using this function it passes
>the name of the file through the pszFile parameter. It appears that
>this function does not drop any privileges before invoking the help
>viewer.
>
>If a SYSTEM level application uses this function to display a help file,
>the HTML help viewer will be running with SYSTEM rights.
>
>Part of the help window consists of an instance of Internet Explorer
>which allows a user to browse the local drive. 
>
>By selecting jump to URL from the window system menu, a user can enter
>a path name (c:\), right-mouse-click on a file and then select open
>with cmd.exe to be given a SYSTEM level command shell window.
>
>== Example Vulnerable Programs ==
>
>From our testing, any application running at a higher security level
>that invokes htmlhelp without dropping privileges is vulnerable.
>We tested various Personal Firewall and Antivirus applications and 
>found some to be vulnerable to this attack.
>We found no 'default' Windows applications vulnerable to this attack,
>but think that it is something that application developers need to be
>aware of.
>
>== Solutions ==
>
>The HTML help viewer (hh.exe) should be called externally passing the
>helpfile name as a parameter.
>
>Security rights could be dropped through the use of system() or 
>CreateProcess() functions. CreateProcessAsUser() or 
>ImpersonateLoggedOnUser() could be used to control the rights that
>htmlhelp executes with.
>
>If an interactive window requires SYSTEM rights, its functionality should
>be limited to those functions requiring the higher level of privilege.
>
>== Credit ==
>
>Brett Moore from security-assessment.com
>
>== About Security-Assessment.com ==
>
>Security-Assessment.com is a leader in intrusion testing and security
>code review, and leads the world with SA-ISO, online ISO17799 compliance
>management solution. Security-Assessment.com is committed to security
>research and development, and its team have previously identified a
>number of vulnerabilities in public and private software vendors products.
>
>
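An added illustration of the point KF makes with the setuid/system("clear") analogy and of what the advisory's Solutions section asks for, written in POSIX C rather than the Win32 calls the advisory names (CreateProcessAsUser() / ImpersonateLoggedOnUser()). This is example code written for this page, not code from either poster. A privileged helper that has to show a viewer forks, makes the child drop to an unprivileged uid/gid irrevocably before exec, and refuses to launch the viewer at all if the drop fails, so the viewer (and anything the user opens from it) cannot inherit the helper's rights. The viewer used in the self-check (/bin/sh running id) and the fallback ids 65534 are assumptions made for the example.

```c
/* Example code added for this page (not from the post): drop privileges
 * in a child before exec'ing an interactive viewer, the POSIX counterpart
 * of launching hh.exe under a less privileged token on Windows. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Drop to uid/gid irrevocably. Order matters: supplementary groups and the
 * primary gid must be changed while we are still root, because afterwards
 * we no longer have the right to change them. Returns 0 on success, -1 on
 * error (errno set by the failing call, EINVAL for a nonsensical target). */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0) {                 /* "dropping" to root is not a drop */
        errno = EINVAL;
        return -1;
    }
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the drop is permanent: if root can be regained, only the
     * effective id changed and the child could still escalate. */
    if (setuid(0) == 0 || geteuid() != uid || getgid() != gid)
        return -1;
    return 0;
}

/* Fork, drop privileges in the child, then exec argv. Returns the child's
 * exit status (0..255), or -1 if fork/wait failed. If the drop fails the
 * child exits 127 instead of running the program with inherited rights:
 * the safe failure is "no viewer", never "viewer running as root". */
int run_unprivileged(char *const argv[], uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0)
            _exit(127);
        execv(argv[0], argv);
        _exit(126);             /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Self-check: launch /bin/sh under dropped privileges and have it verify
 * its own uid and gid. Returns 1 if the child really ran as the target.
 * When the caller is root the target is uid/gid 65534 ("nobody" on most
 * systems; an assumption, only the numeric ids matter); otherwise the
 * caller's own ids are used so the check also works unprivileged. */
int self_test(void)
{
    uid_t uid = geteuid() == 0 ? (uid_t)65534 : getuid();
    gid_t gid = geteuid() == 0 ? (gid_t)65534 : getgid();
    char cmd[128];
    snprintf(cmd, sizeof cmd, "[ \"$(id -u)\" = %lu ] && [ \"$(id -g)\" = %lu ]",
             (unsigned long)uid, (unsigned long)gid);
    char *argv[] = { "/bin/sh", "-c", cmd, NULL };
    return run_unprivileged(argv, uid, gid) == 0;
}

int main(void)
{
    printf("viewer ran with dropped privileges: %s\n",
           self_test() ? "yes" : "NO");
    return 0;
}
```

Build with `cc -o dropdemo dropdemo.c`; it prints `yes` whether run as root or as an ordinary user. The contrast with KF's system("clear") case is the order of operations: the privileges go away in the child first, and only then is anything interactive started, which is exactly the discipline the advisory's Solutions section asks of applications that call HtmlHelp() while running as SYSTEM.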

