Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: IE: CHM Attacks are still alive (CHM attack without showHelp())
From: jelmer <jkuperus () planet nl>
Date: Fri, 05 Sep 2003 10:37:03 +0200

Arman,

I tried this and set up a test with your code at
http://ip3e83566f.speed.planet.nl/iran.htm
It does nothing on my patched IE6 SP1 where where you testing on ?
IE6 SP1 by default disallows access to local recources so this is exactly
what it should do.
As andreas pointed out, if you are using a different  version of IE that
doesn't do this, there is no risk as its not opened inside the help viewer
It seems to me this is a non-issue.

Andreas,

Correct but I thought about it, and the adodb trick I posted about on full
disclosure
(http://www.mail-archive.com/full-disclosure () lists netsys com/msg06847.html 
) can most likely be used

since help files are located on the local filesystem and are opened in the
local zone this should work I attached a test file that suggests that it
probably would.
This means you can get arbitrary execution of code if you somehow manage to
xss a local chm file

241 CHM files in my c:\windows\help , have fun


----- Original Message ----- 
From: "Andreas Sandblad" <sandblad () acc umu se>
To: "Arman Nayyeri" <arman-n () Phreaker net>
Cc: <bugtraq () securityfocus com>
Sent: Thursday, September 04, 2003 9:27 AM
Subject: Re: IE: CHM Attacks are still alive (CHM attack without showHelp())


In order to use the shortcut command your code must be launched
in HTML Help. Simply linking to contents inside a chm file with the
mk: protocol will not do the trick since you are still operating inside
IE. That is the reason why you didn't get the chm file to execute
programs using the shortcut command.

I believe MS successfully secured showHelp(...) to stop various attacks
using the shortcut command (including Sandblad #10).

/Andreas Sandblad

On Tue, 2 Sep 2003, Arman Nayyeri wrote:



                              !! R/\/\an#0001 !!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

CHM Attacks are still alive
===========================
Title:    CHM Attacks are still alive
Date:     Tuesday, September 02, 2003
Software: IE (What a nice program!!!)
Vendor:   Microsoft Corp. (I love Microsoft)
Patch:    N/A
Author:   Arman Nayyeri, arman-n () Phreaker net


Vendor Status:
==============
Microsoft was not contacted, because I don't know email address of
Microsoft.


Description:
============

After releasing MS03-004 patch, it is still possible to execute a chm
file
without using of showHelp() command.
We can use mk:@MSITStore to execute CHM files, but with some tricks.

1.first we must have an help window opened in order to chm file to work
correctly.

2.We must open a window (or an iframe) that points to
mk:@MSITStore:pathof.chm::/compiledhtmlfilewithinchm.html

The first one is hard but easy with the help of the user.
We can say to user to press F1 key then by using a onkeydown event go to
step 2.
As easy as this!!!!!
The microsoft patch just stop showHelp() functionality but it is still
possible.
If you use a url for chm file ,it will open and show the content of file
but do not execute programs without generating any errors. (I test it on
one chm file ,you can try more, maybe its worked!)
But in the case of sandblad #11 ,I can't produce it without showHelp(),
and I need the help of Andreas.
Andreas!, I believe that it will work, so try it!!.

Exploit
=======
As you can see, here is the simple javascript code that I write to
exploit
this.
you must:
1.make a chm file and save it as c:\msit.chm (download free tool for
making a chm file from http://go.microsoft.com/fwlink/?LinkId=14188 )
2.remove all ! from script
3.create a html file and copy the code into that
4.open the html page and press F1 key (at the top left corner of your
keyboard)
(you may need to increase Timeout to allow the IE help to be opened)

-------------------------------BEGINING OF
FILE---------------------------
<!h2>You should press "F1" key (at the top left corner of your keyboard)
</h2>
<!script>
function gotKey(){
if (event.keyCode==112){
setTimeout(
function () {
   document.write('<iframe id=I1
src="mk:@MSITStore:c:\\msit.chm::/page.html"></'+'iframe><br><h3>I Love
IRAN<br>R/\/\an#0001</h3>');
},
1194
);
}
}
document.onkeydown = gotKey;
<!/script>
---------------------------------END OF
FILE------------------------------


Disclaimer:
===========
Arman Nayyeri is not responsible for the misuse of the information
provided in this advisory. The opinions expressed are my own and not of
any company. In no event shall the author be liable for any damages
whatsoever arising out of or in connection with the use or spread of
this
advisory. Any use of the information is at the user's own risk.


Please Contact Me:
==================
arman-n () Phreaker net


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Arman Nayyeri
MCP, MCSE 2000(in next two weeks)

Semnan, IRAN (IRAN IS MY COUNTRY, I LOVE IRAN!!!)


-- 
    _     _
  o' \,=./ `o
     (o o)
-ooO--(_)--Ooo-

Attachment: testing.zip
Description:


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault