
Help Center protocol and default help documents can be used to delete files remotely
16th Aug 2002 [SBWID-5634]
COMMAND

	Help Center protocol and default help documents can be used to delete
	files remotely

SYSTEMS AFFECTED

	 IE6 + all service packs (to date of publishing)

	 Windows XP + all patches (to date of publishing)

	 Help Center (HelpCtr.exe v5.1.2600.0) 

PROBLEM

	Shane Hird, Research Scientist at the Distributed Systems Technology
	Centre, posted:
	

	"Help and Support Center is the unified Help introduced by Windows XP.
	It is an expanded version of the Help Center application (introduced
	in Windows Millennium Edition), providing a wider breadth of content and
	more features to access that content."
	

	The application also registers the pluggable protocol "hcp://", which
	may be used to launch the Help Center from a web site. It is also used
	for navigation within the center itself. The path and file specified in
	a URL when using the hcp protocol may specify a file to open relative
	to the HELPCTR directory, i.e. the URL
	"hcp://system/sysinfo/msinfo.htm" will launch the Help Center and open
	the file "%windir%\PCHEALTH\HELPCTR\System\sysinfo\msinfo.htm". There
	are various restrictions and exceptions, but this is the general idea.
	

	It is important to note that the Help Center will host the page with
	elevated privileges, allowing the page to script arbitrary controls
	with no prompts presented to the user.
	

	 Exploit
	 =======

	

	The file (32,463 bytes);
	

	%windir%\PCHEALTH\HELPCTR\System\DFS\uplddrvinfo.htm

	

	Appears to be intended for use by the Help Center to upload
	hardware/driver information collected on the local machine for use in
	troubleshooting hardware issues. It also contains the following fragment
	of script:
	

	// sFile is taken from the hcp: URL that opened the page (see below)
	var oFSO = new ActiveXObject ( "Scripting.FileSystemObject" );
	try
	{
	oFSO.DeleteFile( sFile );
	}

	

	Where 'sFile' is derived from the URL. The Help Center will load the
	uplddrvinfo.htm file and render it with higher privileges, allowing
	such script to run without prompts.
	

	By using the 'hcp:' protocol, it's possible to launch this from a link.
	The filename can also include wildcards. Thus, the following link will
	delete all files in the 'C:\windows\' directory when the launched
	window is closed (normal file permissions still apply as usual).
	Sub-directories are not deleted.
	

	hcp://system/DFS/uplddrvinfo.htm?file://c:\windows\* 

	

SOLUTION

	 Patch

	 =====

	

	Microsoft has indicated that the fix will be rolled into Service Pack 1
	for Windows XP.
	

	 Workaround

	 ==========

	

	 + delete/move the uplddrvinfo.htm file

	 + edit the script of uplddrvinfo.htm to remove the offending code

	 + unregister the hcp protocol handler (note that the Help Center uses
	   hcp: for its own internal navigation, as described above, so this
	   also breaks navigation within Help and Support Center)
