Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[PhatPhreddy]

OK this has just dropped my jaw to the floor.... XP is totally wide open to a very trivial exploit that anyone can put together in a minute or two and can be launched via email / webpage / etc...

It is my opinion (and I am not generally an MS basher) that this weakness comes at an all too convienient time for MS with the SP1 service pack not being possible with hacked XP serials...

I am quoteing from a thread BBQ has posted on AVS... As this is becoming publicised and as it is so easy any script kiddie can put this together in minutes expect to see this commonplace quickly...

http://www.avsforum.com/avs-vb/showthread.php?s=&postid=1342572#post1342572

This is the AVS thread and in it it links

Boot Camp: XP's Security Hole & Fix
http://origin.techtv.com/windows/th...0909c_165_0.asf
http://grc.com/default.htm

quote:
--------------------------------------------------------------------------------
Attention Windows XP Users
A little-known but critical vulnerability exists in Windows XP.
It has recently been repaired in Service Pack 1.

This vulnerability allows the files contained in any specified directory on your system to be deleted if you click on a specially formed URL. This URL could appear anywhere: sent in malicious eMail, in a chat room, in a newsgroup posting, on a malicious web page, or even executed when your computer merely visits a malicious web page. It is likely to be widely exploited soon.

This vulnerability is so dangerous that it would be irresponsible for me to say more. Microsoft has known of this problem for months and has, inexplicably, done nothing before now. Although XP's Service Pack 1 is not small (approx 30 MB for express installation or 140 MB for the network install), and even though a much quicker and easier solution to this problem exists, the only thing I can safely recommend (without revealing too much) is to urge all XP users to somehow obtain and install Service Pack 1 immediately. (If you have a slow Internet connection, perhaps a friend can download the executable Service Pack file and burn it onto a CD for you?)

This problem does not affect any systems other than Windows XP. If you have any friends or co-workers running Windows XP, please urge them to update their systems' too. Once the details of this vulnerability have leaked through other channels I will provide additional information.
--------------------------------------------------------------------

[PhatPhreddy]

It gets worse... How easy is this exploit that can delete files and play havoc...

http://groups.google.com/groups?sel...w&output=gplain

quote:
--------------------------------------------------------------------------------
MS Tracking ID: [MSRC 1198dg]
Date Reported: 25/06/02
Date Published: 15/08/02
Vendor: Microsoft
Impact: Delete files through CSS condition in Help Center
Resolution: To be fixed in XP SP1
Tested Applications: IE6 |PLS| all service packs (to date of publishing)
Windows XP |PLS| all patches (to date of publishing)
Help Center (HelpCtr.exe v5.1.2600.0)


-----|Background:
-----------------

Information on the 'Help and Support Center' may be obtained from MSDN at;
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/pchealth/pc
health/help_and_support_center.asp

Quoting from the above URL;
"Help and Support Center is the unified Help introduced by Windows XP. It is
an exapanded version of the Help Center application (introduced in Windows
Millenium Editon), providing a wider breadth of content and more features to
access that content."

The application also registers the pluggable protocol "hcp://", which may be
used to launch the help center from a web site. It is also used for
navigation within the center itself. The path and file specified in an URL
when using the hcp protocol may specify a file to open relative from the
HELPCTR directory. ie. The URL "hcp://system/sysinfo/msinfo.htm" will launch
the Help Center and open the file
"%windir%\PCHEALTH\HELPCTR\System\sysinfo\msinfo.htm". There are various
restrictions and exceptions, but this is the general idea.

It is important to note that the Help Center will host the page with
elevated priviliges, allowing the page to script arbitrary controls with no
prompts presented to the user.


-----|Exploit:
--------------

The file (32,463 bytes);
%windir%\PCHEALTH\HELPCTR\System\DFS\uplddrvinfo.htm

Appears to be intended for use by the Help Center to upload hardware/driver
information collected on the local machine for use in troubleshooting
hardware issues. It also contains the fraction of script;

var oFSO = new ActiveXObject ( "Scripting.FileSystemObject" );
try
{
oFSO.DeleteFile( sFile );
}

Where 'sFile' is derived from the URL. The help center will load the
uplddrvinfo.htm file and render it with higher privileges, allowing such
script to run without prompts

By using the 'hcp:' protocol, its possible to launch this from a link. The
filename can also include wild cards. Thus, the following link will delete
all files in the 'C:\windows' directory when the launched window is closed.
(normal file permissions still apply as usual). Sub-directories are not
deleted.

hcp://system/DFS/uplddrvinfo.htm?file://c:\windows\*


-----|Resolution:
-----------------

Microsoft have noted they intend to roll the fix into SP1 for XP. I informed
Microsoft I would be publishing this advisory in mid August during
correspondance (late June) and received no objections.

Temporary solutions may be;

|PLS| delete/move the uplddrvinfo.htm file
|PLS| edit the script of uplddrvinfo.htm to remove the offending code
|PLS| unregister the hcp protocol handler

Ironically, the following 'exploit' may also be used as a 'patch' for users
running as admin with Windows installed in C:\windows\.

!NOTE: This may delete the 'uplddrvinfo.htm' file.
hcp://system/DFS/uplddrvinfo.htm?file://c:\windows\PCHEALTH\HELPCTR\System\D
FS\uplddrvinfo.htm


-----|Other issues:
-------------------

A brief look through some of the files and directories of PCHEALTH, the data
collection that is involved, and the support for sending files to Microsoft
and other 3rd parties, should open the Help Center to further investigation.
That, and it can open local files with elevated priviliges, similar to .chm
files in help.

Some other URLs I have seen with the Help Center which may be worth
investigating. Note that they haven't yet been shown to contain any
problems.

hcp://system/sysinfo/msinfo.htm?open=c:\x.nfo
causes MSinfo to try open x.nfo

hcp://system/sysinfo/msinfo.htm?print=1
causes MSInfo to print the info to the printer

hcp://system/sysinfo/msinfo.htm?any=x
causes MSInfo to hang

hcp://system/errors/offline.htm?URL=http://www.google.com
hcp://services/subsite?node=x&topic=http://www.google.com

Will open an arbitrary URL running under the 'Internet' zone. However the
page will have limited access to the 'pchealth' control
(CLSID:FC7D9E02-3F9E-11d3-93C0-00C04F72DAF7), which it normally wouldn't.
Note that the 'dangerous' methods of this control seem to be blocked
however.

hcp://services/centers/errmsg
hcp://services/subsite?node=...&topic=about :injectedtext
hcp://services/redirect
hcp://services/centers/options
hcp://services/centers/support
hcp://services/centers/update
hcp://services/index
hcp://services/options
hcp://services/layout/contentonly
hcp://services/layout/xml
hcp://services/centers/homepage

Some virtual URLs which don't map directly to any files, though are taken
from a DLL. I haven't looked for problems with any of these pages.

There are also a lot of other files under
'%windir%\PCHEALTH\HELPCTR\System' which can be opened in the same manner
as 'uplddrvinfo.htm', though I haven't yet found any others which contain
similar script errors.

--------------------------------------------------------------------------------

[PhatPhreddy]

Sorry that that is off topic but I would belive this is important enough to want to make as many people as aware as possible...

Get SP1 now !!!

Spread this to all you know...

[Scronch]

Well, yeah, but, it has such pretty pink icons.

[ChicoSelfs]

But don't you know that users with XP serials cracked if they update to SP1 the XP don't work? Wrong! as usual the cracking comunnity found a simple way to bypass this.

[PhatPhreddy]

Yeah i never quite understood why it was such a big thing around SP1... I expected a better system than simply blacklisting the known keys... With XP KeyGens around I cant see why it porvides any difficulty at all...

The weakness above is still critical though... If you put one of those links above into an browser and 'go' with XP pre SP1 it deletes the entire /windows folder !!!

[ChicoSelfs]

Win 2000 here don't want XP, that thing after comes out to the market the hacker's found holes and more holes and to put a trojan in XP is child play. Keep Win 2000 until Microsomething present a real bullet proof OS.

[Mirko]

Why don't you all just put a "'" before the .DeleteFile-line?

Or you could do a simple msgbox around it to ask the user...

[DocLotus]

I downloaded SP1 for XP Pro on a 56k modem yesterday; it was 140 MB.  Microsoft said it should take apx 6 hours to download. Just like everything Microsoft says is only half true... it actually took around 12 hours.

I will say one thing, the download went without event... no disconnects, no errors.  The installation also went without problem.

One question… after the SP1 install, I now hear TWO startup music instead of just the normal one.  I had this problem on the original XP install.  It went away after a few XP updates but is now back.  Any ideas?

[ChicoSelfs]

It's from M$ ... nothing more to say.

[akak718]

The 2 startup sounds you hear may be because there is one for starting windows and another for logging in. Try turning off 1 or both from control panel.