Internet Explorer HTML Help Control ActiveX Cross Domain/Zone Scripting Vulnerabilities
TITLE :
Internet Explorer HTML Help Control ActiveX Cross Domain/Zone Scripting Vulnerabilities
Criticality :
Less Critical :)
WHERE :
From remote
Requires user interaction
IMPACT :
Security Bypass
System Access
Exposure of Sensitive Information
SOFTWARE :
Microsoft Internet Explorer 6
Tested on :
Windows XP SP2
Discovered by:
Roozbeh Afrasiabi
www.persiax.com
Disclaimer :
Roozbeh Afrasiabi is not responsible for the misuse of the information provided
in this report. In no event shall the author be liable for any damages
whatsoever arising out of or in connection with the use or spread of this
advisory. Any use of the information provided here is at the user's own risk.
Description :
The HTML Help control vulnerability that allows the Local Machine zone security
restrictions to be bypassed (see the references below) can be misused further to
produce cross-domain and cross-zone scripting vulnerabilities.
Once a file has been opened inside hh.exe through the HTML Help ActiveX control,
nothing prevents script from being injected into that file. Because hh.exe can
load content from the Internet zone, an attacker can open an arbitrary web page
inside HTML Help and then inject script into it, which results in a cross-domain
scripting vulnerability: the script is handed to hh.exe by the ActiveX control
and executes in the security zone, and with the origin, of the opened document,
so it can read that site's cookies and DOM.
When a CHM file is opened through the ActiveX control in HTML Help, script can
likewise be injected into it. Unlike a CHM opened with the showHelp function,
which runs in the Internet zone, a CHM opened this way runs directly in the
Local Machine zone. The injected script therefore executes inside HTML Help in
the Local Machine zone, where it can run arbitrary commands with parameters.
Pocs:
* I have only tested these PoCs on my own machine, which does not prove that
your machine is vulnerable too; there is no guarantee that they work correctly
on your machine or that the contents of this report are correct for any machine
other than mine :)
A) Cross-Domain Scripting vulnerability
http://www.persiax.com/pocs/htmlhelp/cs.htm
What it does on my machine:
Opens http://www.google.com inside hh.exe and shows the document cookie
[ alert(document.cookie) ].
B) Cross-Zone Scripting vulnerability
http://www.persiax.com/pocs/htmlhelp/cz.htm
What it does on my machine:
Opens ntshared.chm inside hh.exe and then injects the malicious script into
this file, which can execute commands with parameters (for instance shutdown -r).
Contact info:
roozbeh_afrasiabi[at]persiax.com
roozbeh_afrasiabi[at]yahoo.com
Special thanks to:
http-equiv
Nader Shakerin (man nokare khare sage pedaretam haji)
REFERENCES:
http://www.securityfocus.com/bid/11467
http://secunia.com/advisories/12889/
http://malware.com/noceegar.html