Arman, I tried this and set up a test with your code at http://ip3e83566f.speed.planet.nl/iran.htm It does nothing on my patched IE6 SP1 where where you testing on ? IE6 SP1 by default disallows access to local recources so this is exactly what it should do. As andreas pointed out, if you are using a different version of IE that doesn't do this, there is no risk as its not opened inside the help viewer It seems to me this is a non-issue. Andreas, Correct but I thought about it, and the adodb trick I posted about on full disclosure (http://www.mail-archive.com/full-disclosure@xxxxxxxxxxxxxxxx/msg06847.html ) can most likely be used since help files are located on the local filesystem and are opened in the local zone this should work I attached a test file that suggests that it probably would. This means you can get arbitrary execution of code if you somehow manage to xss a local chm file 241 CHM files in my c:\windows\help , have fun ----- Original Message ----- From: "Andreas Sandblad" <sandblad@xxxxxxxxxx> To: "Arman Nayyeri" <arman-n@xxxxxxxxxxxx> Cc: <bugtraq@xxxxxxxxxxxxxxxxx> Sent: Thursday, September 04, 2003 9:27 AM Subject: Re: IE: CHM Attacks are still alive (CHM attack without showHelp()) > In order to use the shortcut command your code must be launched > in HTML Help. Simply linking to contents inside a chm file with the > mk: protocol will not do the trick since you are still operating inside > IE. That is the reason why you didn't get the chm file to execute > programs using the shortcut command. > > I believe MS successfully secured showHelp(...) to stop various attacks > using the shortcut command (including Sandblad #10). > > /Andreas Sandblad > > On Tue, 2 Sep 2003, Arman Nayyeri wrote: > > > > > > > !! R/\/\an#0001 !! > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > > > CHM Attacks are still alive > > =========================== > > Title: CHM Attacks are still alive > > Date: Tuesday, September 02, 2003 > > Software: IE (What a nice program!!!) > > Vendor: Microsoft Corp. (I love Microsoft) > > Patch: N/A > > Author: Arman Nayyeri, arman-n@xxxxxxxxxxxx > > > > > > Vendor Status: > > ============== > > Microsoft was not contacted, because I don't know email address of > > Microsoft. > > > > > > Description: > > ============ > > > > After releasing MS03-004 patch, it is still possible to execute a chm file > > without using of showHelp() command. > > We can use mk:@MSITStore to execute CHM files, but with some tricks. > > > > 1.first we must have an help window opened in order to chm file to work > > correctly. > > > > 2.We must open a window (or an iframe) that points to > > mk:@MSITStore:pathof.chm::/compiledhtmlfilewithinchm.html > > > > The first one is hard but easy with the help of the user. > > We can say to user to press F1 key then by using a onkeydown event go to > > step 2. > > As easy as this!!!!! > > The microsoft patch just stop showHelp() functionality but it is still > > possible. > > If you use a url for chm file ,it will open and show the content of file > > but do not execute programs without generating any errors. (I test it on > > one chm file ,you can try more, maybe its worked!) > > But in the case of sandblad #11 ,I can't produce it without showHelp(), > > and I need the help of Andreas. > > Andreas!, I believe that it will work, so try it!!. > > > > Exploit > > ======= > > As you can see, here is the simple javascript code that I write to exploit > > this. > > you must: > > 1.make a chm file and save it as c:\msit.chm (download free tool for > > making a chm file from http://go.microsoft.com/fwlink/?LinkId=14188 ) > > 2.remove all ! from script > > 3.create a html file and copy the code into that > > 4.open the html page and press F1 key (at the top left corner of your > > keyboard) > > (you may need to increase Timeout to allow the IE help to be opened) > > > > -------------------------------BEGINING OF FILE--------------------------- > > <!h2>You should press "F1" key (at the top left corner of your keyboard) > > </h2> > > <!script> > > function gotKey(){ > > if (event.keyCode==112){ > > setTimeout( > > function () { > > document.write('<iframe id=I1 > > src="mk:@MSITStore:c:\\msit.chm::/page.html"></'+'iframe><br><h3>I Love > > IRAN<br>R/\/\an#0001</h3>'); > > }, > > 1194 > > ); > > } > > } > > document.onkeydown = gotKey; > > <!/script> > > ---------------------------------END OF FILE------------------------------ > > > > > > Disclaimer: > > =========== > > Arman Nayyeri is not responsible for the misuse of the information > > provided in this advisory. The opinions expressed are my own and not of > > any company. In no event shall the author be liable for any damages > > whatsoever arising out of or in connection with the use or spread of this > > advisory. Any use of the information is at the user's own risk. > > > > > > Please Contact Me: > > ================== > > arman-n@xxxxxxxxxxxx > > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > Arman Nayyeri > > MCP, MCSE 2000(in next two weeks) > > > > Semnan, IRAN (IRAN IS MY COUNTRY, I LOVE IRAN!!!) > > > > -- > _ _ > o' \,=./ `o > (o o) > -ooO--(_)--Ooo-
Attachment:
testing.zip
Description: Binary data