Microsoft Help and Support Center argument injection vulnerability



OVERVIEW
========

"Help and Support Center (HSC) is a feature in Windows that provides 
help on a variety of topics" (from www.microsoft.com). It can be 
accessed via HCP: URLs. HSC is installed by default on Windows XP and 
Windows Server 2003 systems.

An argument injection vulnerability in HSC allows an attacker to run 
arbitrary code when the victim opens a specially crafted HCP: URL. 
The user may be automatically directed to such a URL when a web page is 
viewed. The issue can also be exploited via e-mail.



DETAILS
=======

The HSC installation contains various HTML files, some of which are 
intended to be used by all web pages and some of which are intended for 
HSC's internal use. The HTML files run in the My Computer zone because 
they require privileges such as the ability to launch external helper 
programs with JavaScript.

By placing quote characters in the URL an attacker can pass arbitrary 
command line arguments to HelpCtr.exe, the program that handles HCP URLs. 
Certain arguments allow the attacker to open any of HSC's HTML files 
instead of just the "public" ones. This allows an attacker to inject 
JavaScript code which is then run in the context of these HTML files. 
In this way the attacker can run scripts in the My Computer zone, which 
can e.g. download and start an attacker-supplied EXE program.
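The mechanism above, modelled as an added example that is not part of the 
advisory: the shell pastes the raw URL into the quoted "%1" slot of the 
protocol handler's command template, so a quote character in the URL closes 
that slot and everything after it is tokenized as further arguments. The 
command template used here is an assumption about how the hcp: handler is 
registered (HKCR\HCP\shell\open\command); read the real value with 
`reg query HKCR\HCP\shell\open\command` on the system under test. The 
sample URLs are constructed, and "-placeholder-switch" is a made-up token, 
not a real HelpCtr.exe option. The tokenizer is a simplified model of 
CommandLineToArgvW, not the Windows implementation.

```python
"""Model of hcp: argument injection through a quoted "%1" handler slot.

Added example, not code from the advisory. ASSUMPTION: the hcp: protocol
handler is registered under HKCR\\HCP\\shell\\open\\command with a template of
the form below, where the shell substitutes the raw URL for "%1". Read the real
value from the registry of the system under test before relying on it.
"""
from urllib.parse import quote

# Assumed handler command template (see module docstring).
HCP_HANDLER_TEMPLATE = r'HelpCtr.exe -FromHCP -url "%1"'

# Constructed sample URLs; "-placeholder-switch" is a made-up token, not a real
# HelpCtr.exe option. Only the quote characters matter for the injection.
BENIGN_URL = "hcp://example/help"
INJECTING_URL = 'hcp://example/help" -placeholder-switch "evil'


def windows_argv(cmdline: str) -> list[str]:
    """Split a command line roughly the way CommandLineToArgvW does.

    Whitespace outside double quotes separates arguments, a double quote toggles
    quoted mode, and 2n backslashes before a quote become n backslashes while
    2n+1 backslashes before a quote become n backslashes plus a literal quote.
    (The "" -> literal quote special case is omitted for brevity.)
    """
    argv: list[str] = []
    cur: list[str] = []
    in_quotes = False
    have_arg = False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            nbs = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (nbs // 2))
                if nbs % 2 == 1:        # odd count: the quote is literal
                    cur.append('"')
                    j += 1
                i = j                   # even count: quote handled next round
            else:
                cur.append("\\" * nbs)
                i = j
            have_arg = True
        elif c == '"':
            in_quotes = not in_quotes   # quote closes or opens the "%1" slot
            have_arg = True
            i += 1
        elif c in " \t" and not in_quotes:
            if have_arg:
                argv.append("".join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(c)
            have_arg = True
            i += 1
    if have_arg:
        argv.append("".join(cur))
    return argv


def handler_argv(url: str, template: str = HCP_HANDLER_TEMPLATE) -> list[str]:
    """argv HelpCtr.exe would receive if the shell pasted `url` into the template."""
    return windows_argv(template.replace("%1", url))


def injected_args(url: str, template: str = HCP_HANDLER_TEMPLATE) -> list[str]:
    """Arguments the URL adds beyond the single one the template intends to pass."""
    expected = len(windows_argv(template.replace("%1", "x")))
    return handler_argv(url, template)[expected:]


def neutralize_hcp_url(url: str) -> str:
    """Percent-encode quotes and whitespace so the URL cannot leave its "%1" slot."""
    return quote(url, safe="/:?=&#%")


if __name__ == "__main__":
    print(handler_argv(BENIGN_URL))
    print(injected_args(INJECTING_URL))
    print(handler_argv(neutralize_hcp_url(INJECTING_URL)))
```

`injected_args` is the check a practitioner would run over hcp: URLs found 
in web pages or mail: any non-empty result means the URL escapes its slot. 
`neutralize_hcp_url` shows the fix on the producing side, percent-encoding 
the quote so the handler receives it as three literal characters inside the 
still-closed slot; whether the MS04-011 patch takes exactly this approach is 
not stated by the advisory.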

HSC ships by default with Windows XP and Windows Server 2003. An exploit 
was produced to test the vulnerability, and both operating systems were 
found vulnerable. The attack succeeds even with Windows Server 2003's 
Internet Explorer Enhanced Security Configuration enabled, because no 
ActiveX or JavaScript is needed in Internet Explorer itself: the script 
is injected into HTML files opened by Help and Support Center, not by 
Internet Explorer.

HSC isn't included in Windows versions prior to XP, so default 
installations of the older operating systems aren't vulnerable.

Outlook and Outlook Express with recent security fixes mitigate the 
e-mail vector: automatic redirection is no longer possible, and some 
user interaction (clicking on a link) is required.



SOLUTION
========

Microsoft was contacted on November 5th, 2003. A patch has been 
produced to correct the vulnerability. Microsoft classifies the 
vulnerability in the highest, critical severity category.

Information about the patch can be found at

  http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx 



CREDITS
=======

The vulnerability was discovered and researched by Jouko Pynnonen, 
Finland.




-- 
Jouko Pynnönen          Web: http://iki.fi/jouko/ 
jouko@iki.fi            GSM: +358 41 5504555 
