Web Attacks Using Microsoft Help and Support Center Viewer
Security Intel Analysis Team, Symantec Security Response 2008-10-23
The Symantec DeepSight Threat Analysis team recently observed an interesting attack development related to a known vulnerability type. This seemingly new technique allows attackers to execute a malicious payload immediately on a victim's system, where in the past they weren't able to achieve instant code execution by exploiting such vulnerabilities.

Public examples of this new attack typically employ file-overwrite and file-download vulnerabilities in ActiveX controls to download a malicious file onto the target machine. In the past, attackers were able to download files without much difficulty, but until recently the options for attackers seeking to have malicious programs executed on a victim's system were limited. In order to execute a malicious file on an affected computer, attackers generally needed to place the file in one of the load points such as the "Startup" directory in Microsoft Windows, or use social-engineering or other attacks to have the file executed. This presented a problem for attackers since they were forced to wait for the victim to reboot their machine or execute the file, which could take some time and therefore increase the chances of discovery and failure of the attack.

In some recent exploit developments, we observed that it is possible to utilize the "Microsoft Help and Support Center Viewer" application in conjunction with a file-overwrite or file-download issue to immediately execute a malicious file on a vulnerable computer. A typical attack scenario using this technique takes place like this:

1. An attacker creates a malicious Web page that uses an arbitrary file-overwrite issue to place their malicious binary on the victim's machine. The attacker then tricks their victim into visiting this page.

2. When the victim visits the page, the attacker exploits the same vulnerability to overwrite one of the Help and Support Center's HTML files, such as "C:\WINDOWS\PCHealth\HelpCtr\System\sysinfo\sysinfomain.htm." The attacker overwrites this file with script code that performs malicious actions on their behalf.

3. Once the previous steps have been carried out successfully, the attacker redirects the victim's browser by assigning an hcp:// URL to the "window.location" property, for example "window.location = hcp://system/sysinfo/sysinfomain.htm".

4. The Microsoft Help and Support Center viewer, which handles "hcp://" links, runs the attacker's script, which in turn executes their malicious binary.
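
The chain above leaves a recognisable pattern in the attacker's Web page: an ActiveX control is instantiated, a path under the Help and Support Center directory appears in the script, and the browser is then redirected to an hcp:// URL. The following added example (not code from the original post or from Symantec) shows a simple content-inspection check that a proxy or sandbox could apply; the sample pages, the placeholder CLSID and the scoring weights are constructed for illustration.

```python
import re

# Constructed sample in the shape described above; the CLSID is a placeholder and
# the vulnerable file-write call itself is deliberately omitted.
SAMPLE_PAGE = r"""
<html><body>
<object id="ctl" classid="clsid:PLACEHOLDER-NOT-A-REAL-CONTROL"></object>
<script>
  var target = "C:\\WINDOWS\\PCHealth\\HelpCtr\\System\\sysinfo\\sysinfomain.htm";
  window.location = "hcp://system/sysinfo/sysinfomain.htm";
</script>
</body></html>
"""

# Constructed benign page: an ordinary redirect with no hcp:// or ActiveX use.
BENIGN_PAGE = """
<html><body><script>window.location = "https://example.com/help";</script></body></html>
"""

# Indicators of the technique: an hcp:// redirect, an ActiveX instantiation and a
# reference to the Help and Support Center directory.
HCP_REDIRECT = re.compile(r'(?:window\.)?location(?:\.href)?\s*=\s*["\']hcp://', re.I)
HCP_ANY = re.compile(r'hcp://[^\s"\'<>]+', re.I)
ACTIVEX = re.compile(r'new\s+ActiveXObject\s*\(|classid\s*=\s*["\']?clsid:', re.I)
HELPCTR_PATH = re.compile(r'PCHealth\\+HelpCtr', re.I)


def analyse_page(html):
    """Return the indicators found in the page, a weighted score and a verdict."""
    findings = {
        "hcp_urls": sorted({m.group(0) for m in HCP_ANY.finditer(html)}),
        "hcp_redirect": bool(HCP_REDIRECT.search(html)),
        "activex": bool(ACTIVEX.search(html)),
        "helpctr_path": bool(HELPCTR_PATH.search(html)),
    }
    # Weights are an assumption: an hcp:// redirect or a HelpCtr path is rare in
    # normal pages, while ActiveX use on its own is common and weighted lower.
    score = (2 if findings["hcp_redirect"] else 0) \
        + (1 if findings["activex"] else 0) \
        + (2 if findings["helpctr_path"] else 0)
    findings["score"] = score
    findings["verdict"] = "suspicious" if score >= 4 else ("review" if score >= 2 else "clean")
    return findings


if __name__ == "__main__":
    for name, page in (("sample", SAMPLE_PAGE), ("benign", BENIGN_PAGE)):
        print(name, analyse_page(page))
```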

What makes this attack remarkable is that the Help and Support Center runs script commands in the context of the local user. The attacker's script can therefore instantiate built-in ActiveX controls that are not marked "Safe for Scripting" and use them to execute the malicious binary already placed on the vulnerable user's computer.

It's worth noting at this point that in order for this attack to be successful the user must be logged in with Administrator privileges. However, since the standard Windows XP setup on stand-alone systems often has Administrator privileges enabled, and most users don't follow best practices to set up a limited user for general use, this attack may be possible on a large number of machines.

The DeepSight Threat Analysis team has also created the following video which demonstrates an attack of this type:

Copyright 2008, SecurityFocus