MS hcp-URL Cross Site Scripting (June 10, 2010)


Just one day after the busy Microsoft Patch Day in June, with ten security bulletins fixing 34 vulnerabilities, a new Cross Site Scripting (XSS) issue was publicly disclosed by Tavis Ormandy. It can potentially lead to shellcode execution within the logged-in user's security context.

Microsoft Windows Help and Support Center is the default application for accessing online documentation for Microsoft Windows. Microsoft supports opening help documents directly via URLs by installing a protocol handler for the “hcp” scheme; a typical example of the command line is given in the Windows XP Command Line Reference, as below. Please refer to http://technet.microsoft.com/en-us/library/bb490918.aspx for details.

helpctr [/url [URL]] [/mode [URL]] [/hidden] [/fromstarthelp]

The Help and Support Center application is installed by default in c:\windows\pchealth\helpctr\binaries with the filename helpctr.exe on Windows XP SP2 and later. A web browser can pass an HCP URL to it through the command line argument “/fromhcp”. This flag switches the help centre into a restricted mode, which only permits a white-listed set of help documents and parameters.

The application uses the function “MPC::HTML::UrlUnescapeW()” to normalize the URL, which in turn uses MPC::HexToNum() to translate URL escape sequences back into their original characters. However, the return code from MPC::HexToNum() is not sanitized as required, which allows unexpected garbage to be written into the standard string class variable. This error could allow an attacker to evade the white-list check mentioned above. On top of that, an attacker may make use of certain web-accessible documents to call the vulnerable function and execute encoded shellcode. An example of such a document is:

C:\WINDOWS\pchealth\helpctr\System\sysinfo\sysinfomain.htm
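The bug class described above, an escape decoder whose hex-digit helper can signal failure but whose caller never checks for it, is easy to reproduce in miniature. The following is an added illustration, not Microsoft's code and not the actual helpctr.exe logic: hexToNum, urlUnescapeUnchecked, urlUnescapeStrict, isAllowedDocument and the kAllowed list are all hypothetical names and values constructed here. The unchecked decoder folds a malformed escape such as "%zz" into a garbage character and carries on, so the value that later reaches a white-list comparison is not the one the author of the white-list reasoned about; the strict decoder refuses malformed input before any comparison happens.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Hypothetical stand-in for a HexToNum-style helper: value of one hex digit,
// or -1 when the character is not a hex digit. The real helper's contract is
// not given on the page; this signature is an assumption for illustration.
int hexToNum(wchar_t c) {
    if (c >= L'0' && c <= L'9') return c - L'0';
    if (c >= L'a' && c <= L'f') return c - L'a' + 10;
    if (c >= L'A' && c <= L'F') return c - L'A' + 10;
    return -1;
}

// Defective pattern: the -1 failure code is combined into a character value
// without ever being checked, so "%zz" becomes one garbage wchar_t instead of
// an error. Constructed to show the bug class, not the vendor's implementation.
std::wstring urlUnescapeUnchecked(const std::wstring& in) {
    std::wstring out;
    for (std::size_t i = 0; i < in.size(); ++i) {
        if (in[i] == L'%' && i + 2 < in.size()) {
            int hi = hexToNum(in[i + 1]);
            int lo = hexToNum(in[i + 2]);
            // hi * 16 + lo is -17 for "%zz"; the cast silently produces garbage.
            out.push_back(static_cast<wchar_t>(hi * 16 + lo));
            i += 2;
        } else {
            out.push_back(in[i]);
        }
    }
    return out;
}

// Hardened decoder: every failure path of the helper is checked, and a
// malformed or truncated escape makes the whole decode fail (returns false).
bool urlUnescapeStrict(const std::wstring& in, std::wstring& out) {
    out.clear();
    for (std::size_t i = 0; i < in.size(); ++i) {
        if (in[i] == L'%') {
            if (i + 2 >= in.size()) return false;   // truncated escape, e.g. "a%4"
            int hi = hexToNum(in[i + 1]);
            int lo = hexToNum(in[i + 2]);
            if (hi < 0 || lo < 0) return false;     // reject, never guess a value
            out.push_back(static_cast<wchar_t>(hi * 16 + lo));
            i += 2;
        } else {
            out.push_back(in[i]);
        }
    }
    return true;
}

// Constructed white-list of permitted document paths (illustrative values).
static const std::wstring kAllowed[] = {L"topics/intro.htm", L"topics/faq.htm"};

// Gate that decodes strictly first and only then compares exact decoded values,
// so malformed input can never reach the comparison as a mangled string.
bool isAllowedDocument(const std::wstring& rawUrlPath) {
    std::wstring decoded;
    if (!urlUnescapeStrict(rawUrlPath, decoded)) return false;
    for (const std::wstring& allowed : kAllowed) {
        if (decoded == allowed) return true;
    }
    return false;
}

int main() {
    // Well-formed escape: both decoders agree and the gate admits it.
    std::wstring ok;
    urlUnescapeStrict(L"topics%2Fintro.htm", ok);
    std::wcout << L"strict decode: " << ok << L"\n";
    std::wcout << L"gate(topics%2Fintro.htm) = " << isAllowedDocument(L"topics%2Fintro.htm") << L"\n";

    // Malformed escape: the unchecked decoder mangles it and continues; the
    // strict decoder fails closed and the gate rejects.
    std::wstring mangled = urlUnescapeUnchecked(L"a%zzb");
    std::wcout << L"unchecked length: " << mangled.size() << L"\n";
    std::wcout << L"gate(topics%2Fintr%zz.htm) = " << isAllowedDocument(L"topics%2Fintr%zz.htm") << L"\n";
    return 0;
}
```

The design point is where validation happens: a decoder that can fail must report failure to its caller, and any access-control decision (the white-list here) must be made on a value the decoder fully vouched for, not on whatever bytes survived an unchecked error.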

The SonicWALL UTM team has researched this vulnerability and created an IPS signature to detect/prevent attacks exploiting this issue.

  • 4177 MS hcp-URL sysinfomain.htm XSS

This vulnerability has not been assigned a Common Vulnerabilities and Exposures (CVE) identifier yet.
