[Full Disclosure] Using DHTML XSS to launch HHCTRL exploit
GeCAD NET Security Advisory 2005.02.16
Original notice (requires authentication):
http://www.gecadnet.ro/windows/?AID=1414
February 16th 2005
1. Past Events
On January 20th 2005, GeCAD NET released a security advisory warning
that the exploit for the HHCTRL vulnerability could still be used in an
attack by combining it with another known (and at that time unpatched)
vulnerability in Microsoft Internet Explorer. Fully patched Windows XP
SP1 and Windows 2000 SP4 systems were confirmed as vulnerable.
On February 8th 2005 Microsoft released a set of security patches. One
of them, MS05-013, fixes the DHTML Editing Component ActiveX Control
Cross-Site Scripting vulnerability, which is the vulnerability GeCAD NET
used to launch the HHCTRL exploit.
2. Description
The alert referenced in the header contains the full disclosure of this
issue. Proof-of-Concept code is also provided there.
3. Conclusion
If the target system is not patched with MS05-013, a remote attacker can
prepare a specially crafted web page that, when loaded in Internet
Explorer, allows execution of attacker-controlled code on the target
system, leading to a compromise of that system.
4. Tests conducted and results
GeCAD NET confirms that this attack vector is blocked on systems patched
with MS05-013.
Windows XP Service Pack 2 does not appear to be vulnerable to this attack
method. However, users are strongly advised to apply the patch anyway,
since it also fixes the underlying XSS vulnerability.
5. Events
01/18/2005 Exploit created and tested
01/19/2005 Vendor notified
01/20/2005 Vendor response
01/20/2005 Public warning
02/08/2005 Patch released
02/16/2005 Full Disclosure
6. Legal Notices
Copyright (c) 2005 GeCAD NET (member of GeCAD Group)
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without written consent
of GeCAD NET. If you wish to reprint the whole or any part of this alert
in any other medium other than electronically, please email
support@xxxxxxxx for permission.
Disclaimer:
The content of this alert is believed to be accurate at the time of
publishing based on currently available information. Neither the author
nor the publisher accepts any liability for any direct, indirect, or
consequential loss or damage arising from use of, or reliance on, this
information.