Bugtraq mailing list archives
Re: IE: CHM Attacks are still alive (CHM attack without showHelp())
From: jelmer <jkuperus () planet nl>
Date: Fri, 05 Sep 2003 10:37:03 +0200
Arman, I tried this and set up a test with your code at http://ip3e83566f.speed.planet.nl/iran.htm It does nothing on my patched IE6 SP1 where where you testing on ? IE6 SP1 by default disallows access to local recources so this is exactly what it should do. As andreas pointed out, if you are using a different version of IE that doesn't do this, there is no risk as its not opened inside the help viewer It seems to me this is a non-issue. Andreas, Correct but I thought about it, and the adodb trick I posted about on full disclosure (http://www.mail-archive.com/full-disclosure () lists netsys com/msg06847.html ) can most likely be used since help files are located on the local filesystem and are opened in the local zone this should work I attached a test file that suggests that it probably would. This means you can get arbitrary execution of code if you somehow manage to xss a local chm file 241 CHM files in my c:\windows\help , have fun ----- Original Message ----- From: "Andreas Sandblad" <sandblad () acc umu se> To: "Arman Nayyeri" <arman-n () Phreaker net> Cc: <bugtraq () securityfocus com> Sent: Thursday, September 04, 2003 9:27 AM Subject: Re: IE: CHM Attacks are still alive (CHM attack without showHelp())
In order to use the shortcut command your code must be launched in HTML Help. Simply linking to contents inside a chm file with the mk: protocol will not do the trick since you are still operating inside IE. That is the reason why you didn't get the chm file to execute programs using the shortcut command. I believe MS successfully secured showHelp(...) to stop various attacks using the shortcut command (including Sandblad #10). /Andreas Sandblad On Tue, 2 Sep 2003, Arman Nayyeri wrote:!! R/\/\an#0001 !!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CHM Attacks are still alive =========================== Title: CHM Attacks are still alive Date: Tuesday, September 02, 2003 Software: IE (What a nice program!!!) Vendor: Microsoft Corp. (I love Microsoft) Patch: N/A Author: Arman Nayyeri, arman-n () Phreaker net Vendor Status: ============== Microsoft was not contacted, because I don't know email address of Microsoft. Description: ============ After releasing MS03-004 patch, it is still possible to execute a chm
file
without using of showHelp() command. We can use mk:@MSITStore to execute CHM files, but with some tricks. 1.first we must have an help window opened in order to chm file to work correctly. 2.We must open a window (or an iframe) that points to mk:@MSITStore:pathof.chm::/compiledhtmlfilewithinchm.html The first one is hard but easy with the help of the user. We can say to user to press F1 key then by using a onkeydown event go to step 2. As easy as this!!!!! The microsoft patch just stop showHelp() functionality but it is still possible. If you use a url for chm file ,it will open and show the content of file but do not execute programs without generating any errors. (I test it on one chm file ,you can try more, maybe its worked!) But in the case of sandblad #11 ,I can't produce it without showHelp(), and I need the help of Andreas. Andreas!, I believe that it will work, so try it!!. Exploit ======= As you can see, here is the simple javascript code that I write to
exploit
this. you must: 1.make a chm file and save it as c:\msit.chm (download free tool for making a chm file from http://go.microsoft.com/fwlink/?LinkId=14188 ) 2.remove all ! from script 3.create a html file and copy the code into that 4.open the html page and press F1 key (at the top left corner of your keyboard) (you may need to increase Timeout to allow the IE help to be opened) -------------------------------BEGINING OF
FILE---------------------------
<!h2>You should press "F1" key (at the top left corner of your keyboard) </h2> <!script> function gotKey(){ if (event.keyCode==112){ setTimeout( function () { document.write('<iframe id=I1 src="mk:@MSITStore:c:\\msit.chm::/page.html"></'+'iframe><br><h3>I Love IRAN<br>R/\/\an#0001</h3>'); }, 1194 ); } } document.onkeydown = gotKey; <!/script> ---------------------------------END OF
FILE------------------------------
Disclaimer: =========== Arman Nayyeri is not responsible for the misuse of the information provided in this advisory. The opinions expressed are my own and not of any company. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of
this
advisory. Any use of the information is at the user's own risk. Please Contact Me: ================== arman-n () Phreaker net
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Arman Nayyeri MCP, MCSE 2000(in next two weeks) Semnan, IRAN (IRAN IS MY COUNTRY, I LOVE IRAN!!!)-- _ _ o' \,=./ `o (o o) -ooO--(_)--Ooo-
Attachment:
testing.zip
Description:
Current thread:
- IE: CHM Attacks are still alive (CHM attack without showHelp()) Arman Nayyeri (Sep 03)
- Re: IE: CHM Attacks are still alive (CHM attack without showHelp()) Andreas Sandblad (Sep 04)
- Re: IE: CHM Attacks are still alive (CHM attack without showHelp()) jelmer (Sep 06)
- Re: IE: CHM Attacks are still alive (CHM attack without showHelp()) Andreas Sandblad (Sep 04)