Microsoft Help and Support Center argument injection vulnerability
OVERVIEW
========
"Help and Support Center (HSC) is a feature in Windows that provides
help on a variety of topics" (from www.microsoft.com). It can be
accessed via HCP: URLs. HSC is installed by default on Windows XP and
Windows Server 2003 systems.
An argument injection vulnerability in HSC allows an attacker to run
arbitrary code when the victim opens a specially formatted HCP: URL.
The user may be automatically directed to such a URL when a web page is
viewed. The issue can also be exploited via e-mail.
DETAILS
=======
The HSC installation contains various HTML files, some of which are
intended to be used by all web pages and some of which are intended for
HSC's internal use. The HTML files belong in the My Computer Zone because
they require e.g. the ability to launch external helper programs with
JavaScript.
By using quote symbols in the URL an attacker can pass arbitrary
command line arguments to HelpCtr.exe, the program handling HCP: URLs.
Certain arguments allow the attacker to open any of HSC's HTML files
instead of just the "public" ones. This allows an attacker to inject
JavaScript code which will be run in the context of these HTML files.
In this way the attacker can run scripts in the My Computer Zone, which
can e.g. download and start an attacker-supplied EXE program.
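As an added illustration from the defender's side (not part of this advisory, and not Microsoft's or the author's code), the following Python scan flags HCP: URLs in proxy or mail-gateway logs that carry a double quote, raw or percent-encoded, since quote characters in the URL are what the advisory identifies as the ingredient for smuggling extra command-line arguments. The log lines and URL paths are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed sample proxy log (timestamp, client, requested URL); not from the advisory.
SAMPLE_LOG = """\
2004-04-13T10:01:02 10.0.0.5 http://intranet.example/index.html
2004-04-13T10:01:05 10.0.0.5 hcp://system/example.htm
2004-04-13T10:01:09 10.0.0.7 HCP://system/example.htm?x=%22injected%22
2004-04-13T10:01:12 10.0.0.9 hcp://system/example.htm?x=%2522double%2522
"""

# An HCP: URL runs from the scheme to the next whitespace or angle bracket; scheme is case-insensitive.
HCP_URL = re.compile(r'hcp:[^\s<>]+', re.IGNORECASE)


def decode_fully(url: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding (%2522 -> %22 -> ")."""
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def is_suspicious_hcp_url(url: str) -> bool:
    """True when the decoded URL contains a double quote, the character that
    lets a crafted HCP: URL inject extra arguments into HelpCtr.exe."""
    return '"' in decode_fully(url)


def scan_log(text: str) -> list[tuple[int, str]]:
    """Return (line_number, url) for every suspicious HCP: URL in the log text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in HCP_URL.finditer(line):
            url = match.group(0)
            if is_suspicious_hcp_url(url):
                hits.append((lineno, url))
    return hits


if __name__ == "__main__":
    for lineno, url in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: suspicious HCP URL {url}")
```

A hit is a trigger for investigation of the requesting client and for confirming that the MS04-011 patch is installed, not proof of compromise on its own.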
By default, HSC ships with Windows XP and Windows 2003. An exploit was
produced to test the vulnerability, and both operating systems were
found vulnerable. The attack succeeds even with Windows 2003's Enhanced
Security Configuration enabled, because no ActiveX or JavaScript is
needed in Internet Explorer directly - the script is injected into HTML
files opened by Help and Support Center, not Internet Explorer.
HSC isn't included in Windows systems prior to XP, so default
installations of the older OSes aren't vulnerable.
Outlook (Express) with recent security fixes mitigates the e-mail
vector: automatic redirection isn't possible, and some user
interaction (clicking on a link) is required.
SOLUTION
========
Microsoft was contacted on November 5th, 2003. A patch has been
produced to correct the vulnerability. Microsoft classifies the
vulnerability in the highest, critical severity category.
Information about the patch can be found at
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
CREDITS
=======
The vulnerability was discovered and researched by Jouko Pynnonen,
Finland.
--
Jouko Pynnönen Web: http://iki.fi/jouko/
jouko@xxxxxx GSM: +358 41 5504555