[Full Disclosure] Using DHTML XSS to launch HHCTRL exploit

GeCAD NET Security Advisory 2005.02.16
Original notice (requires authentication): http://www.gecadnet.ro/windows/?AID=1414
February 16th 2005

1. Past Events

On January 20th 2005, GeCAD NET released a security advisory warning that the exploit for the HHCTRL vulnerability could still be used in an attack by chaining it with another known (and at that time unpatched) vulnerability in Microsoft Internet Explorer. Fully patched, up-to-date Windows XP SP1 and Windows 2000 SP4 systems were confirmed as vulnerable.

On February 8th 2005 Microsoft released a set of security patches. One of them, MS05-013, fixes the DHTML Editing Component ActiveX Control Cross-Site Scripting vulnerability, which is the one GeCAD NET used in order to launch the HHCTRL exploit.

2. Description

The alert referenced in the header contains the full disclosure of this issue. Proof-of-concept code is also provided there.

3. Conclusion

If the target system is not patched with MS05-013, a remote attacker might prepare a specially crafted web page that, when loaded in Internet Explorer, allows execution of attacker-controlled code on the target system, thus leading to a compromise of system security.

4. Tests conducted and results

GeCAD NET confirms that this attack vector is blocked on systems patched with MS05-013. Windows XP Service Pack 2 does not appear to be vulnerable to this attack method; however, users are strongly advised to apply the patch in order to fix the XSS vulnerability.

5. Events

01/18/2005 Exploit created and tested
01/19/2005 Vendor notified
01/20/2005 Vendor response
01/20/2005 Public warning
02/08/2005 Patch released
02/16/2005 Full Disclosure

6. Legal Notices

Copyright (c) 2005 GeCAD NET (member of GeCAD Group)

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without written consent of GeCAD NET. If you wish to reprint the whole or any part of this alert in any medium other than electronic, please email support@xxxxxxxx for permission.

Disclaimer: The content of this alert is believed to be accurate at the time of publishing, based on currently available information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.