Microsoft Help and Support Center argument injection vulnerability

Overview

“Help and Support Center (HSC) is a feature in Windows that provides help on a variety of topics” (from www.microsoft.com). It can be accessed via HCP: URLs. HSC is installed by default on Windows XP and Windows Server 2003 systems.

An argument injection vulnerability in HSC allows an attacker to run arbitrary code when the victim opens a specially formatted HCP: URL. The user may be automatically directed to such URL when a web page is viewed. The issue can also be exploited via e-mail. Outlook (Express) with recent security fixes mitigates the e-mail vector so that automatic redirection can’t be done but some user interaction is required (clicking on a link).

Details

The HSC installation contains various HTML files, which of some are intended to be used by all web pages and some are intented for HSC’s internal use. The HTML files belong in the My Computer Zone because they require e.g. the ability to launch external helper programs with JavaScript.

By using quote symbols in the URL an attacker can pass arbitrary command line arguments to HelpCtr.exe, the program handling HCP URLs. Certain arguments allow the attacker to open any of the HSC’s HTML files instead of just the “public” ones. This allows an attacker to inject JavaScript code which will be run in the context of these HTML files. In this way the attacker can run scripts in the My Computer Zone, which can e.g. download an start an attacker-supplied EXE program.

By default, HCP ships with Windows XP and Windows 2003. An exploit was produced to test the vulnerability, and both operating systems were found vulnerable. The attack succeeds even with Windows 2003’s Enhanced Security Configuration enabled, because no ActiveX or Javascript is needed in Internet Explorer directly – the script is injected in HTML files opened by Help and Support Center, not Internet Explorer.

HSC isn’t included in Windows systems prior to XP, so default installations of the older OSes aren’t vulnerable.

Solution

Microsoft was contacted on November 5th, 2003. A patch has been produced to correct the vulnerability. Microsoft classifies the vulnerability in the highest severity category, critical.

Information about the patch can be found on Microsoft’s site.

Credits

The vulnerability was discovered and researched by Jouko Pynnönen (jouko@iki.fi), Finland.