mailing list archives
Delete arbitrary files using Help and Support Center [MSRC 1198dg]
From: "Shane Hird" <shird () dstc edu au>
Date: Thu, 15 Aug 2002 10:13:04 +1000
MS Tracking ID: [MSRC 1198dg]
Date Reported: 25/06/02
Date Published: 15/08/02
Impact: Delete files through CSS condition in Help Center
Resolution: To be fixed in XP SP1
Tested Applications: IE6 + all service packs (to date of publishing)
Windows XP + all patches (to date of publishing)
Help Center (HelpCtr.exe v5.1.2600.0)
Information on the 'Help and Support Center' may be obtained from MSDN at;
Quoting from the above URL;
"Help and Support Center is the unified Help introduced by Windows XP. It is
an exapanded version of the Help Center application (introduced in Windows
Millenium Editon), providing a wider breadth of content and more features to
access that content."
The application also registers the pluggable protocol "hcp://", which may be
used to launch the help center from a web site. It is also used for
navigation within the center itself. The path and file specified in an URL
when using the hcp protocol may specify a file to open relative from the
HELPCTR directory. ie. The URL "hcp://system/sysinfo/msinfo.htm" will launch
the Help Center and open the file
"%windir%\PCHEALTH\HELPCTR\System\sysinfo\msinfo.htm". There are various
restrictions and exceptions, but this is the general idea.
It is important to note that the Help Center will host the page with
elevated priviliges, allowing the page to script arbitrary controls with no
prompts presented to the user.
The file (32,463 bytes);
Appears to be intended for use by the Help Center to upload hardware/driver
information collected on the local machine for use in troubleshooting
hardware issues. It also contains the fraction of script;
var oFSO = new ActiveXObject ( "Scripting.FileSystemObject" );
oFSO.DeleteFile( sFile );
Where 'sFile' is derived from the URL. The help center will load the
uplddrvinfo.htm file and render it with higher privileges, allowing such
script to run without prompts
By using the 'hcp:' protocol, its possible to launch this from a link. The
filename can also include wild cards. Thus, the following link will delete
all files in the 'C:\windows\' directory when the launched window is closed.
(normal file permissions still apply as usual). Sub-directories are not
Microsoft have noted they intend to roll the fix into SP1 for XP. I informed
Microsoft I would be publishing this advisory in mid August during
correspondance (late June) and received no objections.
Temporary solutions may be;
+ delete/move the uplddrvinfo.htm file
+ edit the script of uplddrvinfo.htm to remove the offending code
+ unregister the hcp protocol handler
Ironically, the following 'exploit' may also be used as a 'patch' for users
running as admin with Windows installed in C:\windows\.
!NOTE: This may delete the 'uplddrvinfo.htm' file.
A brief look through some of the files and directories of PCHEALTH, the data
collection that is involved, and the support for sending files to Microsoft
and other 3rd parties, should open the Help Center to further investigation.
That, and it can open local files with elevated priviliges, similar to .chm
files in help.
Some other URLs I have seen with the Help Center which may be worth
investigating. Note that they haven't yet been shown to contain any
causes MSinfo to try open x.nfo
causes MSInfo to print the info to the printer
causes MSInfo to hang
Will open an arbitrary URL running under the 'Internet' zone. However the
page will have limited access to the 'pchealth' control
(CLSID:FC7D9E02-3F9E-11d3-93C0-00C04F72DAF7), which it normally wouldn't.
Note that the 'dangerous' methods of this control seem to be blocked
Some virtual URLs which don't map directly to any files, though are taken
from a DLL. I haven't looked for problems with any of these pages.
There are also a lot of other files under
'%windir%\PCHEALTH\HELPCTR\System\' which can be opened in the same manner
as 'uplddrvinfo.htm', though I haven't yet found any others which contain
similar script errors.
The opinions and findings expressed herein are my own, and do not
necessarily reflect those of my employer.
Shane Hird Research Scientist
Distributed Systems Technology Centre
- Delete arbitrary files using Help and Support Center [MSRC 1198dg] Shane Hird (Aug 15)