MS-Windows ME IE/Outlook/HelpCenter critical vulnerability

2003-02-28T00:00:00
ID SECURITYVULNS:DOC:4143
Type securityvulns
Reporter Securityvulns
Modified 2003-02-28T00:00:00

Description

--[ Summary ]--

>From the Microsoft Security Bulletin MS03-006: " A security vulnerability is present in the Windows Me version of Help and Support Center [...]. An attacker could exploit the vulnerability by constructing a URL that, when clicked on by the user, would execute code of the attacker's choice in the Local Computer security context. The URL could be hosted on a web page, or sent directly to the user in email. " This issue can also be triggered automatically in some cases, without the need for the victim to click on a link. It leads to total remote compromise of the victim's computer.

Microsoft rates this issue as "Critical".

--[ Affected Systems ]--

  • Windows ME (any version)
  • Windows XP without SP1

Not vulnerable : - Windows XP with SP1

Status of Windows 2000 was not tested but is believed to be the same as Windows XP.

--[ Details]--

When an URL beginning with hcp:// is opened in Internet Explorer or Outlook, the Help Center is launched. The URL is supplied to this application without any additional check. The Help center will handle the URL by opening the specified HTML help page (which is on the local computer). Arguments, like the help topic name, can be given in the URL and will be handled by javascript codes in the HTML page.

What happens if the victim follows this kind of link ? hcp://vulnerable_help_page.htm?topic=javascript:alert('Malicious script here can read, delete and execute any file') The malicious topic we supplied will be used internally by scripts on the page, will be inserted into the page, etc. So, the malicious script will finally be executed in the Local Computer zone.

Exploitation has been confirmed on Windows ME and Windows XP without SP1. When the malicious URL is opened into IE or Outlook, the Help Center fires and execute the script crafted into the URL. Privileged scripts actions and ActiveX controls can be run without any warning. That allows an attacker to take total control over the victim's computer.

We believe the Microsoft Security Bulletin issued about this issue is a bit misleading. The problem was flagged as an "unchecked buffer in the hcp:// URL handler leading to a buffer overrun vulnerability". We asked Microsoft if they fixed a different problem than the one we reported, but they told us it was the same. We see it as a cross-site scripting vulnerability allowing an attacker to execute arbitrary scripts in the relaxed security context of the Help Center. This is much easier to exploit than a classical buffer overrun. An attacker does not need to craft assembler code into the URL to exploit this bug, he only needs to know a bit about client side scripting languages and work around a weird triple-URL-decoding.

--[ Disclosure Timeline ]--

  • "Warning" from The Hackademy Audit team found this vulnerability at the end of November, 2002.
  • Microsoft was notified early December.
  • Readers of "The Hackademy Journal" were warned early December of critical security issues in Windows ME and KDE (www.kde.org)
  • KDE fixed its vulnerabilities early January.
  • Microsoft fixed the Windows ME issue at the end of February (26/02)

--[ Solution ]--

Apply the patch provided by Microsoft in Security Bulletin MS03-006 : http://www.microsoft.com/technet/security/bulletin/MS03-006.asp

-- Fozzy

The Hackademy School, Journal & Audit - Paris http://www.thehackademy.net