Home page logo

bugtraq logo Bugtraq mailing list archives

Re: IE: CHM Attacks are still alive (CHM attack without showHelp())
From: Andreas Sandblad <sandblad () acc umu se>
Date: Thu, 4 Sep 2003 09:27:50 +0200 (CEST)

In order to use the shortcut command your code must be launched
in HTML Help. Simply linking to contents inside a chm file with the
mk: protocol will not do the trick since you are still operating inside
IE. That is the reason why you didn't get the chm file to execute
programs using the shortcut command.

I believe MS successfully secured showHelp(...) to stop various attacks
using the shortcut command (including Sandblad #10).

/Andreas Sandblad

On Tue, 2 Sep 2003, Arman Nayyeri wrote:

                              !! R/\/\an#0001 !!

CHM Attacks are still alive
Title:    CHM Attacks are still alive
Date:     Tuesday, September 02, 2003
Software: IE (What a nice program!!!)
Vendor:   Microsoft Corp. (I love Microsoft)
Patch:    N/A
Author:   Arman Nayyeri, arman-n () Phreaker net

Vendor Status:
Microsoft was not contacted, because I don't know email address of


After releasing MS03-004 patch, it is still possible to execute a chm file
without using of showHelp() command.
We can use mk:@MSITStore to execute CHM files, but with some tricks.

1.first we must have an help window opened in order to chm file to work

2.We must open a window (or an iframe) that points to

The first one is hard but easy with the help of the user.
We can say to user to press F1 key then by using a onkeydown event go to
step 2.
As easy as this!!!!!
The microsoft patch just stop showHelp() functionality but it is still
If you use a url for chm file ,it will open and show the content of file
but do not execute programs without generating any errors. (I test it on
one chm file ,you can try more, maybe its worked!)
But in the case of sandblad #11 ,I can't produce it without showHelp(),
and I need the help of Andreas.
Andreas!, I believe that it will work, so try it!!.

As you can see, here is the simple javascript code that I write to exploit
you must:
1.make a chm file and save it as c:\msit.chm (download free tool for
making a chm file from http://go.microsoft.com/fwlink/?LinkId=14188 )
2.remove all ! from script
3.create a html file and copy the code into that
4.open the html page and press F1 key (at the top left corner of your
(you may need to increase Timeout to allow the IE help to be opened)

-------------------------------BEGINING OF FILE---------------------------
<!h2>You should press "F1" key (at the top left corner of your keyboard)
function gotKey(){
if (event.keyCode==112){
        function () {
         document.write('<iframe id=I1
src="mk:@MSITStore:c:\\msit.chm::/page.html"></'+'iframe><br><h3>I Love
document.onkeydown = gotKey;
---------------------------------END OF FILE------------------------------

Arman Nayyeri is not responsible for the misuse of the information
provided in this advisory. The opinions expressed are my own and not of
any company. In no event shall the author be liable for any damages
whatsoever arising out of or in connection with the use or spread of this
advisory. Any use of the information is at the user's own risk.

Please Contact Me:
arman-n () Phreaker net

Arman Nayyeri
      MCP, MCSE 2000(in next two weeks)


    _     _
  o' \,=./ `o
     (o o)

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]