MS IE HTML Help Shortcut Vulnerability
BID:1033
Info
MS IE HTML Help Shortcut Vulnerability
| Bugtraq ID: | 1033 |
| Class: | Origin Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Mar 01 2000 12:00AM |
| Updated: | Mar 01 2000 12:00AM |
| Credit: | Posted to Bugtraq on March 1, 2000 by Georgi Guninski <[email protected]>. |
| Vulnerable: |
Microsoft Internet Explorer 5.0.1 for Windows NT 4.0 Microsoft Internet Explorer 5.0.1 for Windows 98 Microsoft Internet Explorer 5.0.1 for Windows 95 Microsoft Internet Explorer 5.0.1 for Windows 2000 Microsoft Internet Explorer 4.0.1 for Windows NT 4.0 Microsoft Internet Explorer 4.0.1 Microsoft Internet Explorer 5.0 for Windows NT 4 Microsoft Internet Explorer 5.0 for Windows 98 Microsoft Internet Explorer 5.0 for Windows 95 Microsoft Internet Explorer 5.0 for Windows 2000 Microsoft Internet Explorer 4.0 for Windows NT 4 Microsoft Internet Explorer 4.0 for Windows 95 Microsoft Internet Explorer 4.0 |
| Not Vulnerable: | |
Discussion
MS IE HTML Help Shortcut Vulnerability
The window.showHelp() method in Internet Explorer allows IE to open HTML help files (.chm). These files can contain shortcuts to executables which will be run at the privilege level of the current user. The .chm files cannot be opened via http, but a remote .chm file can be viewed if it is on any server with Microsoft Networking (including Samba) installed.
Therefore, an attacker can set up a webpage with a link pointing to a .chm file on any NetBios-enabled host. That .chm file can in turn be made to execute any program that is on the victim's machine or on any NetBios-enabled server.
It is also possible to get the .chm file onto the target host by sending it encapsulated in a .elm file. IE and Outlook Express will save .elm files in a known location (eg: the system TEMP directory in IE). These files can contain attachments, such as a .chm file.
Update (November 20, 2000): An attacker is able to discover the location of a Temporary Internet Files folder. Any cached .chm file can be executed by window.showHelp() once the path to a Temporary Internet Files folder is known.
The window.showHelp() method in Internet Explorer allows IE to open HTML help files (.chm). These files can contain shortcuts to executables which will be run at the privilege level of the current user. The .chm files cannot be opened via http, but a remote .chm file can be viewed if it is on any server with Microsoft Networking (including Samba) installed.
Therefore, an attacker can set up a webpage with a link pointing to a .chm file on any NetBios-enabled host. That .chm file can in turn be made to execute any program that is on the victim's machine or on any NetBios-enabled server.
It is also possible to get the .chm file onto the target host by sending it encapsulated in a .elm file. IE and Outlook Express will save .elm files in a known location (eg: the system TEMP directory in IE). These files can contain attachments, such as a .chm file.
Update (November 20, 2000): An attacker is able to discover the location of a Temporary Internet Files folder. Any cached .chm file can be executed by window.showHelp() once the path to a Temporary Internet Files folder is known.
Exploit / POC
MS IE HTML Help Shortcut Vulnerability
This demonstration by Georgi Guninski will start Wordpad:
http://www.nat.bg/~joro/chm3.html
This one will demonstrate how the .chm file can be placed on the local machine using a .eml file:
http://www.nat.bg/~joro/eml.html
This demonstration will display the physical path to a Temporary Internet Files folder and attempt to start Wordpad:
http://www.guninski.com/chmtempmain.html
This demonstration by Georgi Guninski will start Wordpad:
http://www.nat.bg/~joro/chm3.html
This one will demonstrate how the .chm file can be placed on the local machine using a .eml file:
http://www.nat.bg/~joro/eml.html
This demonstration will display the physical path to a Temporary Internet Files folder and attempt to start Wordpad:
http://www.guninski.com/chmtempmain.html
Solution / Fix
MS IE HTML Help Shortcut Vulnerability
Solution:
Microsoft has released the following patches to address this vulnerability. According to CERT/CC, the patch does not fully address all circumstances in which the vulnerability can be exploited. Please see http://www.cert.org/advisories/CA-2000-12.html for more details. The physical path disclosure detailed in the update under 'Discussion' is not addressed by this issue.
Microsoft Internet Explorer 4.0 for Windows NT 4
Microsoft Internet Explorer 5.0 for Windows 95
Microsoft Internet Explorer 4.0
Microsoft Internet Explorer 5.0 for Windows 98
Microsoft Internet Explorer 4.0 for Windows 95
Microsoft Internet Explorer 5.0 for Windows NT 4
Microsoft Internet Explorer 4.0.1 for Windows NT 4.0
Microsoft Internet Explorer 4.0.1
Microsoft Internet Explorer 5.0.1 for Windows 95
Microsoft Internet Explorer 5.0.1 for Windows 98
Microsoft Internet Explorer 5.0.1 for Windows 2000
Microsoft Internet Explorer 5.0.1 for Windows NT 4.0
Solution:
Microsoft has released the following patches to address this vulnerability. According to CERT/CC, the patch does not fully address all circumstances in which the vulnerability can be exploited. Please see http://www.cert.org/advisories/CA-2000-12.html for more details. The physical path disclosure detailed in the update under 'Discussion' is not addressed by this issue.
Microsoft Internet Explorer 4.0 for Windows NT 4
Microsoft Internet Explorer 5.0 for Windows 95
Microsoft Internet Explorer 4.0
Microsoft Internet Explorer 5.0 for Windows 98
Microsoft Internet Explorer 4.0 for Windows 95
Microsoft Internet Explorer 5.0 for Windows NT 4
Microsoft Internet Explorer 4.0.1 for Windows NT 4.0
Microsoft Internet Explorer 4.0.1
Microsoft Internet Explorer 5.0.1 for Windows 95
Microsoft Internet Explorer 5.0.1 for Windows 98
Microsoft Internet Explorer 5.0.1 for Windows 2000
-
Microsoft Q259166_W2K_SP1_x86_en.EXE
W2K_SP1_x86_en
http://download.microsoft.com/download/ie501/Patch/1.0/NT5/EN-US/Q2591 66_W2K_SP1_x86_en.EXE
Microsoft Internet Explorer 5.0.1 for Windows NT 4.0
References
MS IE HTML Help Shortcut Vulnerability
References:
References: