Microsoft Internet Explorer XP SP2 Fully Automated Remote Compromise
Vulnerable
———-
– Microsoft Internet Explorer 6.0+
– Microsoft Windows XP Pro SP2
– Microsoft Windows XP Home SP2
Not Tested
————————
– Microsoft Windows 98
– Microsoft Internet Explorer 5.x
– Microsoft Windows 2003 Server
Severity
———
Highly Critical – Remote code execution possible.
Intro
——
Although hundreds of millions of dollars have been spent on securing SP2, perfection is impossible. A very critical vulnerability has been developed that can compromise a user’s system without the need for any user interaction beyond visiting the malicious page. It is not a single new vulnerability in itself; rather, it chains multiple known holes in SP2, including the Help ActiveX Control Related Topics Zone Security Bypass Vulnerability and the Help ActiveX Control Related Topics Cross Site Scripting Vulnerability.
Why Microsoft has still not patched two of these known vulnerabilities, which have been public for almost half a year now, is a complete mystery.
Tech Stuff and Explanation
————————–
1. Create a webpage with the following code:
sp2rc.htm
————————————————-
————————————————–
Explanation of above code:
————————–
The first object (id: localpage) tells hhctrl.ocx to open a help popup window to the location C:\WINDOWS\PCHealth\HelpCtr\System\blurbs\tools.htm. This file was chosen because it is treated as the Local zone and it doesn’t contain any script that would interfere. On some computers an error is shown before the popup appears. This is the user’s only chance to prevent the vulnerability from working: if Internet Explorer were closed at this point, the user would be safe.
The second object (id: inject) tells the help popup to navigate to a javascript: protocol URL, which executes in the popup’s context. Thus, cross site scripting has just taken place. A script tag that references a remote file is written to the page, and writehta.txt (below) is executed in the unsecured Local zone.
In the script, HHClick can be used to automate the vulnerability. This is more effective than the previously described method, which required the user to click on a button.
Vendor Recommendations
———————-
– Microsoft needs to apply XP Service Pack 2’s Local zone lockdown to .HTA files and HTML Help (.chm) files as well.
– This might be a little farfetched, but it would solve a lot of problems:
Take out the startup folder and only support running files during startup through the registry. The startup folder is a major part of this vulnerability and I can almost guarantee it will be used for another remote compromise.
– Microsoft could possibly take HTA files out altogether. I have not seen them used for anything beyond hacking.
– No vulnerability is too small or too insignificant to be taken seriously.
Always treat every vulnerability as if it could be dangerous.
User Recommendations
———————
– Disable hta files.
– Get yourself antivirus software. I recommend Symantec because once they get their lazy asses off the couch and fix some of this stuff you will be a lot better off.
– Disable active scripting in Internet Explorer. If nothing else, do this.
– Do not use Internet Explorer; use Mozilla Firebird (now known as Firefox, www.mozilla.org) or use Avant Browser.
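The first user recommendation above (disable .hta files) can be applied by repointing the htafile open command away from mshta.exe. The batch script below is an added example, not part of the original advisory; it assumes the standard HKEY_CLASSES_ROOT\htafile association exists and redirects it to Notepad so that a downloaded .hta opens as plain text instead of executing.

```batch
@echo off
rem Added example: neutralise .hta execution by changing the htafile handler.
rem Assumption: the default association key is HKCR\htafile\shell\open\command.
rem Must be run from an account with rights to write HKEY_CLASSES_ROOT.

set KEY=HKCR\htafile\shell\open\command
set BACKUP=%TEMP%\htafile-backup.reg

rem 1. Back up the current handler so the change can be reverted (reg import).
reg export "%KEY%" "%BACKUP%" /y
if errorlevel 1 (
    echo Could not export %KEY% - aborting without changes.
    exit /b 1
)

rem 2. Replace mshta.exe with notepad.exe as the handler for .hta files.
reg add "%KEY%" /ve /t REG_SZ /d "notepad.exe \"%%1\"" /f
if errorlevel 1 (
    echo Failed to update %KEY%.
    exit /b 1
)

rem 3. Verify the change took effect.
reg query "%KEY%" /ve | find /i "notepad.exe" >nul
if errorlevel 1 (
    echo Verification failed - handler was not changed.
    exit /b 1
)
echo .hta files now open in Notepad. Backup saved to %BACKUP%
```

To undo the change, run `reg import %TEMP%\htafile-backup.reg`; an enterprise equivalent is to push the same value through Group Policy Preferences rather than editing each machine by hand.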