Windows Help used as attack surface
A bug in Microsoft's Help and Support Center can be exploited to remotely compromise a Windows system. All that is required for the bug to be exploited is for the user to visit a crafted website with Internet Explorer. The problem is caused by incorrect implementation of the whitelist function which Support Center uses to check whether a help document is from a permissible, trusted source. As well as being able to download help files from the internet (via the URL handler hcp://), Support Center is also able to launch local applications, such as remote support.
According to Tavis Ormandy, there is a bug in the routine for converting escape sequences to a complete URL (URL normalisation) and this can be used to get past the whitelist and pass a crafted URL. This makes it possible to execute programs on the vulnerable machine. An attacker could, for example, launch the FTP client in order to download and run a trojan from the web.
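The general failure mode described above, a whitelist that judges a URL in one form while the consumer acts on another, can be shown without reproducing Ormandy's actual bypass. The following is an added illustration, not code from Windows or from the advisory: the scheme, host, `/help/` prefix and sample URLs are all constructed, and the toy escape-sequence handling stands in for whatever Support Center actually does. The naive check inspects the raw, still-escaped path; the hardened check decodes strictly, rejects anything that is not in canonical form, resolves `..`, and only then applies the whitelist.

```python
"""Check-before-canonicalise versus canonicalise-then-check on a toy hcp:// whitelist.

Hypothetical example: the real Help and Support Center code and the exact
escape-sequence bug Ormandy found are not reproduced here.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote, urlsplit

TRUSTED_HOST = "trusted.example.invalid"  # constructed host name
TRUSTED_PREFIX = "/help/"                  # constructed: only documents below /help/ are trusted


def naive_is_allowed(url: str) -> bool:
    """Flawed pattern: judge the raw, still-escaped URL and leave decoding to the consumer."""
    parts = urlsplit(url)
    return (parts.scheme == "hcp"
            and parts.netloc == TRUSTED_HOST
            and parts.path.startswith(TRUSTED_PREFIX))


def consumer_path(url: str) -> str:
    """What a downstream component would actually open: it unescapes, then resolves '.' and '..'."""
    return posixpath.normpath(unquote(urlsplit(url).path))


def canonicalise(url: str) -> Optional[str]:
    """Decode strictly and return the single canonical path, or None if the input is not acceptable."""
    parts = urlsplit(url)
    if parts.scheme != "hcp" or parts.netloc != TRUSTED_HOST:
        return None
    try:
        path = unquote(parts.path, errors="strict")
    except UnicodeDecodeError:
        return None  # escape sequences that do not decode to valid UTF-8
    # unquote() leaves malformed sequences such as '%zz' untouched and turns '%25' into '%';
    # either way a remaining '%' means the path is not yet canonical, so refuse it.
    if "%" in path or "\\" in path or any(ord(c) < 0x20 for c in path):
        return None
    path = posixpath.normpath(path)  # collapses '/help/../../x' to '/x' instead of trusting the prefix
    if not path.startswith("/"):
        return None
    return path


def hardened_is_allowed(url: str) -> bool:
    """Apply the whitelist to the canonical form only."""
    path = canonicalise(url)
    return path is not None and path.startswith(TRUSTED_PREFIX)


# Constructed sample inputs: a benign document, an escaped traversal, and a malformed escape.
SAMPLES = {
    "benign": "hcp://trusted.example.invalid/help/topic.htm",
    "traversal": "hcp://trusted.example.invalid/help/%2e%2e/%2e%2e/system/tool",
    "malformed": "hcp://trusted.example.invalid/help/%zz",
}


def compare(url: str) -> dict:
    """Show what each check decides and what the consumer would really open."""
    return {
        "naive": naive_is_allowed(url),
        "hardened": hardened_is_allowed(url),
        "opens": consumer_path(url),
    }


if __name__ == "__main__":
    for name, url in SAMPLES.items():
        print(f"{name:10s} {compare(url)}")
```

The point of the comparison is that the naive check and the consumer disagree about what the URL means: the traversal sample passes the prefix test on its escaped form but resolves to a path outside `/help/` once decoded. Canonicalising first and refusing any input that is still ambiguous after decoding removes that disagreement, which is the property a whitelist of this kind has to guarantee regardless of how the decoder treats unusual escape sequences.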
It's not quite that simple – Ormandy also makes use of other vulnerabilities and tricks in his demo exploit, which launches the calculator without user interaction. For one thing, when an hcp:// URL is called in Internet Explorer, a warning message ("Do you want to allow this website to open a program on your computer?") requiring user confirmation is displayed.
Ormandy gets around this by not opening the URL directly in the browser, but by using an ActiveX plug-in in Windows Media Player, which does not display a warning. Ormandy also utilises a cross-site scripting vulnerability in the sysinfomain.htm file to pass his commands to Support Center. Taken together, this yields a sophisticated exploit which in tests, performed by The H's associates at heise Security, opened the calculator on a fully-patched Windows XP SP3 system running Internet Explorer 8 and Windows Media Player. According to Ormandy, Windows Server 2003 is also affected. The exploit does not work under Windows 7 with IE8.
Ormandy is, however, confident that with a few tweaks his exploit would work on other versions of the operating system and could be made stealthier. He also notes that the browser is only one way of exploiting the vulnerability. Microsoft was informed of the vulnerability on 5th June. No patch is currently available. Ormandy has published the information now because he believes attackers will already have researched this vulnerability and that this is the best way of disseminating this information quickly.
As a workaround, Ormandy suggests stopping Support Center from downloading help files, and provides a hotfix for this purpose (available as a direct zip download). Tests carried out by heise Security show that after installing the hotfix the exploit no longer works under Windows XP. There may, however, be cases where companies rely on the remote support function, and Ormandy suggests alternative configurations for such cases.
Ormandy, who also works for Google's security team, has previously attracted attention for several sophisticated exploits for hard-to-exploit vulnerabilities. Most recently he discovered vulnerabilities in the Java Deployment Kit and the Windows Virtual DOS Machine.
- Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
- Java exploit launches local Windows applications
- Windows hole discovered after 17 years