( , ) (, . `.' ) ('. ', ). , ('. ( ) ( (_,) .`), ) _ _, / _____/ / _ \ ____ ___ _____ \____ \==/ /_\ \ _/ ___\/ _ \ / \ / \/ | \\ \__( <_> \ Y Y \ /______ /\___|__ / \____>_ __/|__|_| / \/ \/.-. \/ \/:wq (x.0) '=.|w|.=' _='`"``=. Microsoft Help Files (.CHM): 'Locked File' Bypass Versions Affected: Windows XP, Windows Vista, Windows 7 pdf: http://www.security-assessment.com/files/advisories/Windows_Locked_HelpFiles.pdf +-----------+ |Description| +-----------+ Changes made with Windows XP introduced additional origin validation for files downloaded from the Internet when saved to an NTFS volume. This 'feature' is present in Windows XP, Vista and 7. When a user downloads a .CHM file using Internet Explorer (or another browser) Windows will mark an NTFS meta-data flag for the file, which indicates the file should be "Locked". Locked Help Files will not render any content within the CHM file using the Help File Viewer (hh.exe) until a user selects the file in Explorer and clicks the "Unblock" button under the files properties, which resets the NTFS meta-data flag. This security feature can be bypassed by referencing external URI handlers from the CHM file's Table of Contents file, and links can directly accessed regardless of the help files locked state. Consider this example which references a local html file, and will not render: And this example which will render, and spawn a shell through javascript/vbscript + activex: The same technique can be used to download remote files, by linking the table of contents to a remote http:// resource. The implemented locked 'feature' and the NTFS flag are effectively useless for CHM files. Although I would not call this an exploit, it does illustrate a nifty trick that may prove useful to someone else. It might also make you think twice next time you download a Help File. +------------+ |Exploitation| +------------+ An example CHM file can be found at: http://www.security-assessment.com/files/advisories/blockedhelp.chm Source code to the Help file is available at: http://www.security-assessment.com/files/advisories/blockedhelp_src.zip +--------+ |Solution| +--------+ Microsoft acknowledge that this is a bug, but do not think it requires fixing until the next Windows Service Pack. This is due to the mitigating circumstances of CHM files and the requirements of an NTFS file system. This was the response I expected. Paul Craig Principal Security Consultant Security-Assessment.com