begood

[local/remote]MS WINDOWS HTML HELP CONTROL CHM HELP FILE LOAD HIJACK VULN


The MS HTML Help control ActiveX is prone to a remote CHM help file hijack vulnerability when applications invoke help. Multiple built-in applications are vulnerable to this. The impact of the vulnerability is the loading of the incorrect CHM help file when it resides in the same directory the application invoking help starts in. This proof of concept exploit leverages Notepad to demonstrate the vulnerability.

Edu says:

Important Notice:

I take no responsibility for what you do with this information. Test it only on computers that you own or have explicit permission to perform tests on.

To the action!

The MS HTML Help control ActiveX is prone to a remote CHM help file hijack vulnerability when applications invoke help. Multiple built-in applications are vulnerable to this. The impact of the vulnerability is the loading of the incorrect CHM help file when it resides in the same directory the application invoking help starts in.

The best attack vector I found for this, surprisingly, is the safest and simplest Microsoft built-in application: Microsoft Notepad. Yes, the first remote code execution vulnerability involving the good old Notepad, and the vector, as you are likely thinking, is an innocent TXT file, which can be opened from the local disk or from a remote NetBIOS share (in the same directory as the file notepad.chm).

Some user interaction is required though, especially if the file is invoked from a remote network share. The reason is, as Microsoft states, CHM files running in any security zone other than the local machine don't work. Well, this is partially true:

When there is a table of contents (.hhc) file in the CHM, and it has the "local" parameter of an object tag pointing to a javascript URL, when the user clicks, the javascript URL is executed in the context of a local HTML file which HTML Help uses to display an error page (res://ieframe.dll/navcancl.htm), meaning the script code is parsed in the context of the local machine security zone; therefore arbitrary code can be executed. So, what does the user need to do in order to have arbitrary code executed?

1) In a remote scenario: double-click a text file located in a remote NetBIOS share, proceed to press the F1 key and then click on a topic (in the left pane of the HTML Help window).

2) On the local computer, when e.g. extracting files from a zip archive: double-click a text file and then press F1. This is enough to run code, because the embedded HTML files are processed in the local machine security zone context, and can, for example, use the HTML Help ActiveX and the shortcut parameter to run arbitrary programs automatically.

Severity: medium-low / medium

Impact: arbitrary code execution

2 POCs are provided, one that works on the local disk and the other on a remote network share. Network shares can be automatically invoked by Internet Explorer upon accessing a webpage.

Instructions:

Place all the files in the root directory (C:\).

Put the start.htm on a webserver and access it with IE. It will open a default share (\\127.0.0.1\c$).

All the code is executed with the above address as base, so if you are going to change stuff, edit all the files, else it won't work. If all works fine, you should see a cmd prompt and calc being executed. You will need HTML Help Workshop to extract the files from the 'Notepad.chm' file and edit the script code in the 'notepad.hhc' file.

Systems affected:

Tested on Windows XP SP3 fully patched and Windows 2000 SP4. Windows Vista and 7 are not affected because they use a new help system.

Affected applications:

Most Windows applications that utilize the HTML Help control to display help to the user. This includes Paint, Image and Fax Viewer, WordPad, Internet Explorer (any version), etc. But the problem with these is:

a) Paint on XP doesn't have any type of file associated by default. On Windows 2000, bitmap images open in Paint by default, so it can be a good vector on Windows 2000.

b) Image and Fax Viewer: this is a DLL loaded in the Explorer.exe process, which by default starts in the user's base dir (XP), so the only chance is placing a CHM in the user's base dir. Not a good vector.

c) WordPad: it is forced to start in the "My Documents" dir. Not a good vector.

d) Internet Explorer: it is forced to start in the user's desktop dir. Not a good vector.

e) Notepad: good vector on both XP and 2000. -> Using it!

Researcher who found this funny bug: Eduardo Prado.

.:[ packet storm ]:. - http://packetstormsecurity.org/

md5 : 3f0edb83fb8c525b3c7a93556ab16cc7
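As an added example for this page (not Eduardo Prado's code and not one of the PoC files the advisory describes), the following Python scanner pulls every <OBJECT> out of HTML Help source text (the .hhc table of contents and the .htm pages a CHM embeds, as extracted with HTML Help Workshop) and flags the two constructs the advisory relies on: a text/sitemap entry whose "Local" parameter is a javascript URL, and an object that drives the HTML Help ActiveX control with Command=ShortCut. The two sample documents are constructed here for illustration; the function and finding names are mine; the whitespace normalisation and the extra vbscript: scheme are conservative assumptions on my part, and the check keys on the Command parameter rather than on the control's classid.

```python
"""Added example: flag the CHM constructs described in the advisory.

Given the text of a .hhc table of contents or an .htm page extracted from a
CHM (e.g. with HTML Help Workshop), report:
  1. text/sitemap <OBJECT> entries whose "Local" param is a script URL
     (clicking such a topic runs script in the local machine zone);
  2. <OBJECT> elements that drive the HTML Help ActiveX control with
     Command=ShortCut (launches a program without a click).
Function and finding names are this example's own, not the advisory's.
"""
import os
import re
from html.parser import HTMLParser


class HelpObjectParser(HTMLParser):
    """Collect every <OBJECT> with its attributes and <PARAM> name/value pairs."""

    def __init__(self):
        super().__init__()
        self.objects = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names.
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "object":
            self._current = {"attrs": attrs, "params": {}}
        elif tag == "param" and self._current is not None and "name" in attrs:
            self._current["params"][attrs["name"].lower()] = attrs.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object" and self._current is not None:
            self.objects.append(self._current)
            self._current = None


# Script URL schemes IE executed as script; vbscript: is an assumed
# extension beyond the javascript URL the advisory names.
SCRIPT_SCHEMES = ("javascript:", "vbscript:")


def is_script_url(value):
    """True if the value resolves to a script URL. Whitespace and control
    characters are stripped first (assumed conservative normalisation, since
    IE tolerated them inside a scheme)."""
    normalised = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    return normalised.startswith(SCRIPT_SCHEMES)


def scan_help_source(text):
    """Return a list of (finding, detail, extra) tuples for one document."""
    parser = HelpObjectParser()
    parser.feed(text)
    parser.close()
    findings = []
    for obj in parser.objects:
        attrs, params = obj["attrs"], obj["params"]
        local = params.get("local", "")
        if attrs.get("type", "").lower() == "text/sitemap" and is_script_url(local):
            findings.append(("sitemap-script-url", params.get("name", ""), local))
        if params.get("command", "").lower() == "shortcut":
            findings.append(("hhctrl-shortcut", params.get("item1", ""), attrs.get("classid", "")))
    return findings


def scan_extracted_chm(directory):
    """Scan every .hhc/.htm/.html file under an extracted CHM directory."""
    results = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if name.lower().endswith((".hhc", ".htm", ".html")):
                path = os.path.join(root, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_help_source(fh.read())
                if hits:
                    results[path] = hits
    return results


# Constructed sample table of contents: one benign topic, one script-URL topic.
SAMPLE_HHC = """<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<HTML><BODY>
<OBJECT type="text/site properties">
  <param name="ImageType" value="Folder">
</OBJECT>
<UL>
  <LI><OBJECT type="text/sitemap">
    <param name="Name" value="Notepad overview">
    <param name="Local" value="overview.htm">
  </OBJECT>
  <LI><OBJECT type="text/sitemap">
    <param name="Name" value="Click me">
    <param name="Local" value="javascript:alert('local machine zone')">
  </OBJECT>
</UL>
</BODY></HTML>
"""

# Constructed sample embedded page driving the HTML Help control's ShortCut command.
SAMPLE_HTM = """<HTML><BODY>
<OBJECT id="hhctrl" type="application/x-oleobject"
        classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
  <PARAM name="Command" value="ShortCut">
  <PARAM name="Item1" value=",calc.exe,">
</OBJECT>
<SCRIPT>hhctrl.Click();</SCRIPT>
</BODY></HTML>
"""

if __name__ == "__main__":
    for label, doc in (("notepad.hhc (constructed)", SAMPLE_HHC),
                       ("topic.htm (constructed)", SAMPLE_HTM)):
        for finding in scan_help_source(doc):
            print(label, finding)
```

Run it as-is to see the two constructed findings, or call scan_extracted_chm() on the directory HTML Help Workshop decompiled a suspect CHM into; a hit of either kind in a CHM sitting next to user documents, rather than under the Windows help directory, is exactly the planted file the advisory describes.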
