------------------------------------------------------------
- EXPL-A-2004-001 exploitlabs.com Advisory 027 -
------------------------------------------------------------
- Windows Help Center - Dvdupgrade -

OVERVIEW
========

"Help and Support Center (HSC) is a feature in Windows that provides help on a variety of topics"

It can also be accessed via HCP: URLs. HSC is installed by default on Windows XP and Windows Server 2003 systems.

An input validation vulnerability in HSC exposes users to remote code execution: an attacker can run arbitrary code when the victim opens a specially formatted HCP: URL. The user may be automatically directed to such a URL when a web page is viewed. The issue can also be exploited via e-mail.

AFFECTED PRODUCTS
=================

Microsoft Windows operating systems with Help and Support Center:

Microsoft Windows XP and Microsoft Windows XP Service Pack 1
Microsoft Windows XP 64-Bit Edition Service Pack 1
Microsoft Windows XP 64-Bit Edition Version 2003
Microsoft Windows Server™ 2003
Microsoft Windows Server 2003

Affected files:

%windir%\PCHealth\HelpCtr\Binaries\HelpCtr.exe
%windir%\PCHEALTH\HELPCTR\System\DVDUpgrd.htm
%windir%\PCHEALTH\HELPCTR\System\DVDUpgrd.js

DETAILS
=======

The HSC installation contains various HTML and JavaScript files intended for HSC's internal use. These HTML files belong to the My Computer Zone because they require, for example, the ability to launch external helper programs from JavaScript.

Using a specially crafted URL, an attacker can cause the user's local machine to start helpctr.exe in the local context and pass the injected URL to the application. The user is then presented with the DVD Upgrade dialog in Help and Support Center. On the Dvdupgrade page, the injected URL is now linked to the "Upgrade Now" button. When the user presses that button, an Open/Save dialog box is presented for the offending (attacker-supplied) file.

This allows an attacker to initiate the Dvdupgrade action in HSC and inject JavaScript code that runs in the context of these HTML files, specifically "HCP://system/DVDUpgrd/dvdupgrd.htm". In this way the attacker can run scripts in the My Computer Zone, which can, for example, download and start an attacker-supplied EXE program.

As an aside, no URL activity is displayed, and Help and Support Center has no address or status bar.

SOLUTION
========

Microsoft was contacted on March 18th, 2004. A patch has been produced to correct the vulnerability. They have issued the following:

Microsoft Security Bulletin MS04-015
Vulnerability in Help and Support Center Could Allow Remote Code Execution (840374)
Issued: May 11, 2004
Version: 1.0
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Important
Recommendation: Customers should install the update at the earliest opportunity.

Information about the vulnerability and the patch can be found at
http://www.microsoft.com/technet/security/bulletin/ms04-015.mspx

PROOF OF CONCEPT
================

http://exploitlabs.com/msnspoof/poc/
http://exploitlabs.com/msnspoof/poc/index2.html
http://exploitlabs.com/msnspoof/poc/index3.jpg

CREDITS
=======

This vulnerability was discovered and researched by Donnie Werner of exploitlabs.

Donnie Werner
Information Security Specialist
security@exploitlabs.com
--
Web: http://exploitlabs.com
Ph: (360)-312-8011
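A detection aid for the HCP: URL vector described under DETAILS, added here as example code (not part of the advisory or of Microsoft's bulletin): it pulls URL-bearing attributes and quoted script strings out of HTML or e-mail markup and flags any hcp: scheme, percent-decoding values and stripping meta-refresh prefixes so casing or encoding does not hide it. The sample document is constructed, and the function and regex names are this example's own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Tag attributes that carry a URL a browser or mail client may follow.
URL_ATTRS = {"href", "src", "action", "data", "content"}
# hcp: scheme at the start of a (decoded) value, any case, optional
# whitespace before the colon, so "HCP://" and "hcp :" both match.
HCP_RE = re.compile(r"^\s*hcp\s*:", re.IGNORECASE)
# <meta http-equiv="refresh"> values look like "0;url=..."; keep the URL.
REFRESH_RE = re.compile(r"^\s*\d*\s*;\s*url\s*=\s*", re.IGNORECASE)
# Quoted string literals in text, e.g. location = "hcp://..." in a script.
LITERAL_RE = re.compile(r"""["']([^"']*)["']""")

class _UrlCollector(HTMLParser):
    """Gathers URL-bearing attribute values and quoted strings in text."""
    def __init__(self):
        super().__init__()
        self.candidates = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is not None and name.lower() in URL_ATTRS:
                self.candidates.append(value)
    def handle_data(self, data):
        # <script> bodies arrive here as plain text; collect their literals.
        self.candidates.extend(LITERAL_RE.findall(data))

def find_hcp_urls(document):
    """Return each hcp: URL found in HTML or e-mail markup, percent-decoded."""
    collector = _UrlCollector()
    collector.feed(document)
    hits = []
    for raw in collector.candidates:
        value = REFRESH_RE.sub("", unquote(raw))
        if HCP_RE.match(value):
            hits.append(value.strip())
    return hits

def targets_dvdupgrd(url):
    """True when an hcp: URL points at the DVDUpgrd page named in the advisory."""
    return "dvdupgrd" in url.lower()

# Constructed sample (not a captured page): one benign link, three hcp: URLs.
SAMPLE = ('<meta http-equiv="refresh" content="0;url=HCP%3A//system/DVDUpgrd/dvdupgrd.htm">'
          '<a href="https://example.com/help">Help</a>'
          '<iframe src="hcp://system/DVDUpgrd/dvdupgrd.htm"></iframe>'
          '<script>window.location = "hcp://constructed-example/page.htm";</script>')

for url in find_hcp_urls(SAMPLE):
    print("hcp URL:", url, "(DVDUpgrd page)" if targets_dvdupgrd(url) else "")
```

Any hit is worth blocking or alerting on regardless of the path, since the scheme itself hands the URL to helpctr.exe; the DVDUpgrd check only tells you which hits match this advisory.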