TUCoPS :: Browsers :: hack0863.htm

Internet Explorer HTML Help Control ActiveX Cross Domain/Zone Scripting vulns
Internet Explorer HTML Help Control ActiveX Cross Domain/Zone Scripting Vulnerabilities 



TITLE :

Internet Explorer  HTML Help Control  ActiveX Cross Domain/Zone Scripting Vulnerabilities



Criticality :

Less Critical  :)



WHERE :

From remote

Requires user interaction



IMPACT :

Security Bypass

System Access

Exposure of Sensitive Information



SOFTWARE :

Microsoft Internet Explorer 6 



Tested on :

Windows XP SP2



Discovered by:

Roozbeh Afrasiabi

www.persiax.com 



Disclaimer :



Roozbeh Afrasiabi is not responsible for the misuse of the information provided in this report. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this advisory. Any use of the information provided here is at the user's own risk.











Description :





The HTML Help Control vulnerability which allows bypass of local zone security restrictions can be further misused to cause cross-domain and cross-zone scripting vulnerabilities.

After a file is opened inside hh.exe using activex there is no restriction to stop injection of script inside this file, the fact that hh.exe can access internet zone could be exploited to load a webpage inside HTML HELP and then inject the malicious script inside this page which results in cross domain vulnerability, the desired script is passed to hh.exe by activex which gets executed in the security zone of the opened file.  



When CHM files are opened using activex in HTML HELP it is likely to inject script inside these Files because they are directly opened in Local zone unlike the time they are opened using the showHelp function in internet zone , the injected script gets executed in HTML HELP result of wich is command execution with parameter .







Pocs:





* I have only tested these pocs on my own machine which dose not prove the fact that your machine is vulnerable too ,there is no guarantee that they work correctly on your machine or that the contents of this report are correct about any  other machine than mine :)







A) Cross-Domain Scripting vulnerability



http://www.persiax.com/pocs/htmlhelp/cs.htm 



what it dose on my machine:

opens http://www.google.com inside hh.exe shows the document cookie [ alert(document.cookie) ] .



B) Cross-Zone Scripting vulnerability



http://www.persiax.com/pocs/htmlhelp/cz.htm 



What it dose on my machine:

opens ntshared.chm inside hh.exe and then injects the malicious  script inside this file which can execute commands with parameters (for instance shutdown -r)







Contact info:

roozbeh_afrasiabi[at]persiax.com

roozbeh_afrasiabi[at]yahoo.com





Especial thanks to:

http-equiv

Nader Shakerin (man nokare khare sage pedaretam haji)



REFERENCES:



http://www.securityfocus.com/bid/11467 

http://secunia.com/advisories/12889/ 

http://malware.com/noceegar.html

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH