--[ Summary ]--
>From the Microsoft Security Bulletin MS03-006:
" A security vulnerability is present in the Windows Me version of Help
and Support Center [...]. An attacker could exploit the vulnerability by
constructing a URL that, when clicked on by the user, would execute code
of the attacker's choice in the Local Computer security context. The URL
could be hosted on a web page, or sent directly to the user in email. "
This issue can also be triggered automatically in some cases, without the
need for the victim to click on a link. It leads to total remote compromise of
the victim's computer.
Microsoft rates this issue as "Critical".
--[ Affected Systems ]--
- Windows ME (any version)
- Windows XP without SP1
Not vulnerable :
- Windows XP with SP1
Status of Windows 2000 was not tested but is believed to be the same as
Windows XP.
--[ Details]--
When an URL beginning with hcp:// is opened in Internet Explorer or
Outlook, the Help Center is launched. The URL is supplied to this
application without any additional check. The Help center will handle
the URL by opening the specified HTML help page (which is on the local
computer). Arguments, like the help topic name, can be given in the URL
and will be handled by javascript codes in the HTML page.
What happens if the victim follows this kind of link ?
hcp://vulnerable_help_page.htm?topic=javascript:alert('Malicious
script here can read, delete and execute any file')
The malicious topic we supplied will be used internally by scripts on
the page, will be inserted into the page, etc. So, the malicious script
will finally be executed in the Local Computer zone.
Exploitation has been confirmed on Windows ME and Windows XP without
SP1. When the malicious URL is opened into IE or Outlook, the Help
Center fires and execute the script crafted into the URL. Privileged
scripts actions and ActiveX controls can be run without any warning.
That allows an attacker to take total control over the victim's
computer.
We believe the Microsoft Security Bulletin issued about this issue is a
bit misleading. The problem was flagged as an "unchecked buffer in the
hcp:// URL handler leading to a buffer overrun vulnerability". We asked
Microsoft if they fixed a different problem than the one we reported,
but they told us it was the same.
We see it as a cross-site scripting vulnerability allowing an attacker
to execute arbitrary scripts in the relaxed security context of the Help
Center. This is much easier to exploit than a classical buffer overrun.
An attacker does not need to craft assembler code into the URL to
exploit this bug, he only needs to know a bit about client side
scripting languages and work around a weird triple-URL-decoding.
--[ Disclosure Timeline ]--
- "Warning" from The Hackademy Audit team found this vulnerability at the
end of November, 2002.
- Microsoft was notified early December.
- Readers of "The Hackademy Journal" were warned early December of
critical security issues in Windows ME and KDE (www.kde.org)
- KDE fixed its vulnerabilities early January.
- Microsoft fixed the Windows ME issue at the end of February (26/02)
--[ Solution ]--
Apply the patch provided by Microsoft in Security Bulletin MS03-006 :
http://www.microsoft.com/technet/security/bulletin/MS03-006.asp
-- Fozzy
The Hackademy School, Journal & Audit - Paris
http://www.thehackademy.net
