SecuriTeam
Title | Vulnerability Allows Deleting of Files through CSS Condition in Help Center (15/8/2002)
Summary | Help and Support Center is the unified Help introduced with Windows XP. It is an expanded version of the Help Center application (introduced in Windows Millennium Edition), providing a wider breadth of content and more features for accessing that content. A vulnerability in the product allows a remote attacker to cause it to delete arbitrary files on the local machine.
Details | Background: Information on the 'Help and Support Center' may be obtained from MSDN at: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/pchealth/pchealth/help_and_support_center.asp

Details: The application also registers the pluggable protocol "hcp://", which may be used to launch the Help Center from a web site. It is also used for navigation within the Help Center itself. The path and file specified in a URL using the hcp protocol name a file to open relative to the HELPCTR directory. For example, the URL "hcp://system/sysinfo/msinfo.htm" will launch the Help Center and open the file "%windir%\PCHEALTH\HELPCTR\System\sysinfo\msinfo.htm". There are various restrictions and exceptions, but this is the general idea.

It is important to note that the Help Center hosts the page with elevated privileges, allowing the page to script arbitrary controls with no prompts presented to the user.
Exploit: The file (32,463 bytes)
%windir%\PCHEALTH\HELPCTR\System\DFS\uplddrvinfo.htm
appears to be intended for use by the Help Center to upload hardware/driver information collected on the local machine for use in troubleshooting hardware issues. It also contains the following fragment of script (excerpt):

    var oFSO = new ActiveXObject( "Scripting.FileSystemObject" );
    try { oFSO.DeleteFile( sFile ); }

where 'sFile' is derived from the URL. The Help Center loads the uplddrvinfo.htm file and renders it with higher privileges, allowing this script to run without prompts.
By using the 'hcp:' protocol, it is possible to launch this from a link. The filename can also include wildcards. Thus, the following link will delete all files in the 'C:\windows\' directory when the launched window is closed (normal file permissions still apply as usual). Sub-directories are not deleted:

hcp://system/DFS/uplddrvinfo.htm?file://c:\windows\*
Resolution: Microsoft has noted they intend to roll the fix into SP1 for XP. During correspondence in late June, Shane informed Microsoft that he would be publishing this advisory in mid August, and received no objections.

Temporary solutions may be:
+ Delete/move the uplddrvinfo.htm file
+ Edit the script of uplddrvinfo.htm to remove the offending code
+ Unregister the hcp protocol handler

Ironically, the following 'exploit' may also be used as a 'patch' for users running as admin with Windows installed in C:\windows\. NOTE: this deletes the 'uplddrvinfo.htm' file itself.

hcp://system/DFS/uplddrvinfo.htm?file://c:\windows\PCHEALTH\HELPCTR\System\DFS\uplddrvinfo.htm
Other issues: A brief look through some of the files and directories of PCHEALTH, the data collection that is involved, and the support for sending files to Microsoft and other 3rd parties, should open the Help Center to further investigation. In addition, it can open local files with elevated privileges, similar to .chm files in Help.

Some other URLs Shane has seen with the Help Center which may be worth investigating. Note that they have not yet been shown to contain any problems.
hcp://system/sysinfo/msinfo.htm?open=c:\x.nfo    causes MSInfo to try to open x.nfo
hcp://system/sysinfo/msinfo.htm?print=1    causes MSInfo to print the info to the printer
hcp://system/sysinfo/msinfo.htm?any=x    causes MSInfo to hang
hcp://system/errors/offline.htm?URL=http://www.google.com
hcp://services/subsite?node=x&topic=http://www.google.com
These will open an arbitrary URL running under the 'Internet' zone. However, the page will have limited access to the 'pchealth' control (CLSID:FC7D9E02-3F9E-11d3-93C0-00C04F72DAF7), which it normally wouldn't. Note that the 'dangerous' methods of this control seem to be blocked, however.
hcp://services/centers/errmsg
hcp://services/subsite?node=...&topic=about:injectedtext
hcp://services/redirect
hcp://services/centers/options
hcp://services/centers/support
hcp://services/centers/update
hcp://services/index
hcp://services/options
hcp://services/layout/contentonly
hcp://services/layout/xml
hcp://services/centers/homepage
These are virtual URLs which don't map directly to any files but are served from a DLL. Shane hasn't looked for problems with any of these pages.

There are also a lot of other files under '%windir%\PCHEALTH\HELPCTR\System\' which can be opened in the same manner as 'uplddrvinfo.htm', though Shane hasn't yet found any others which contain similar script errors.
Additional information | The information has been provided by Shane Hird.