Archive of CERT general posting, CERT Advisory CA-2000-12

20/06/00, CERT Advisory CA-2000-12
From: CERT Advisory <cert-advisory@cert.org>



To: cert-advisory@cert.org
Subject: CERT Advisory CA-2000-12
From: CERT Advisory <cert-advisory@cert.org>
Date: Mon, 19 Jun 2000 15:26:45 -0400 (EDT)
Organization: CERT(R) Coordination Center - +1 412-268-7090
Reply-To: cert-advisory-request@cert.org


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CERT Advisory CA-2000-12 HHCtrl ActiveX Control Allows Local Files to be
Executed

   Original release date: June 19, 2000
   Last revised: --
   Source: CERT/CC
   
   A complete revision history is at the end of this file.
   
Systems Affected

     * Systems running Microsoft Internet Explorer
       
Overview

   The HHCtrl ActiveX control has a serious vulnerability that allows
   remote intruders to execute arbitrary code, if the intruder can cause
   a compiled help file (CHM) to be stored "locally." Microsoft has
   released a security bulletin and a patch for this vulnerability, but
   the patch does not address all circumstances under which the
   vulnerability can be exploited. This document discusses some of the
   additional ways in which this vulnerability can be exploited. Some
   common circumstances under which this vulnerability can be exploited
   are addressed by the Microsoft patch; others are not. Read this
   document carefully with your network configuration in mind to
   determine if you need to take any action. In recent discussions with
   the CERT/CC, Microsoft has indicated they do not plan to alter the
   patch.
   
I. Description

   The Microsoft Windows HTML help facility (part of Internet Explorer)
   is able to execute arbitrary programs through an embedded "shortcut"
   in a compiled HTML file. This allows the help system to start wizards
   and other programs as part of the help facility. Unfortunately, it
   also makes it unsafe for users to open help files obtained from
   untrusted sources.
   
   An attacker who can construct a malicious help file and place it in a
   location accessible by the victim may be able to cause this help file
   to be loaded and the embedded shortcuts executed without interaction
   from the victim. A malicious web site author may cause a compiled HTML
   help file to be opened through the Active Scripting showHelp call in
   Internet Explorer. Help files may also be opened in other environments
   that support Active Scripting, such as email messages in Outlook.
   
   The specific exploit described (and corrected) by Microsoft involves
   an attacker who makes the malicious help files available via a UNC
   share. The patch corrects this aspect of the problem by allowing help
   files to execute shortcuts only when "located on the user's local
   machine." More information about Microsoft's security bulletin and
   their patch is available from
   
   http://microsoft.com/technet/security/bulletin/ms00-037.asp
   http://microsoft.com/technet/security/bulletin/fq00-037.asp
          
Preconditions Required for Exploitation

   Unfortunately, the Microsoft patch does not address several
   significant ways in which the vulnerability can be exploited. The
   vulnerability can be exploited in any situation where all of the
   following conditions are met:
    1. The attacker must entice or compel a victim who has Active
       Scripting enabled to open an email message or visit a web page.
       Alternatively, the attacker could attempt to trick the victim into
       opening the compiled help file, such as by sending it as an
       attachment in an email message. Since it is not yet widely
       recognized that help files have the potential to be just as
       dangerous as an untrusted executable, this may not be difficult.
    2. The attacker must be able to place a malicious help file in a
       location accessible to the user when the Active Script is
       executed. The attacker must also be able to predict or guess the
       path to this file. If the patch described in Microsoft Security
       Bulletin MS00-037 has been applied, this file may not reside on a
       UNC share (\\hostname\path\file). That is, if the patch has not
       been installed, an intruder must be able to place a file anywhere
       that the victim can access it. If the patch has been installed,
       the intruder must be able to place a file anywhere that the victim
       can access it except on UNC shares.
    3. The Active Script mentioned above must run in a security zone that
       allows ActiveX controls to run and allows the scripting of
       controls that are marked "safe for scripting." The default
       security settings for the Internet Zone and the My Computer zone
       allow these actions to occur without warning prompts.
    4. The HHCtrl ActiveX control must be installed and be marked "safe
       for scripting" and "safe for initialization." This is the default
       configuration when Internet Explorer is installed.
       
   Note that all of these conditions, some of which are default
   conditions, must be met in order for an attacker to exploit this
   vulnerability. Changing some of these conditions may involve
   trade-offs between functionality and security.
   
   In recent discussions with the CERT/CC, Microsoft has not indicated
   any intention of changing the help system's behavior. Therefore, to be
   completely protected from exploitation of this vulnerability, users
   must eliminate one or more of the preconditions listed above.
   
   It is reasonable for a user to expect that simply visiting a web page
   is a safe activity, so eliminating the first precondition is
   difficult. Disabling Active Scripting or the execution of ActiveX
   controls prevents the vulnerability from being exploited, but it also
   prevents the normal operation of these features and is likely to
   affect the appearance and functionality of web pages. Removing the
   "safe for initialization" or "safe for scripting" attributes of the
   HHCtrl causes warning dialogs to be generated in a number of
   circumstances where they may not be expected.
   
How an Attacker May Create "Local" Files

   Although you may believe it is difficult or impossible for an intruder
   to place a file in a predictable location that is accessible to you,
   in fact, several common practices allow intruders to do just this.
   
   While preventing an attacker from downloading files on the local
   system without warning is a valuable security practice, it is not
   sufficient as the single line of defense against the execution of
   malicious code. The CERT/CC recommends adopting one of several more
   conservative solutions, including disabling ActiveX controls or Active
   Scripting. More information on these solutions is included in the
   Solution section of this document.
   
   If a site relies solely on limiting the attacker's ability to make
   malicious code accessible to the victim, the following activities are
   not safe:
     * Sharing files via a network filesystem such as AFS, DFS, NFS,
       Novell Netware, or Windows shares when users map these drives to
       local drive letters. When the drive letter is not predictable but
       the path to the file is, the attacker may be able to make multiple
       exploit attempts because failed calls to showHelp generate no
       error messages. Access control lists cannot be used to defend
       yourself against this problem because the ACL facility allows the
       intruder to give you access to malicious files they control
       without your consent.
     * Sharing physical disk drives in environments such as academic
       labs, Internet cafes, or libraries, where an attacker may be able
       to store malicious files in a writable local directory.
     * Using any of several products that automatically extract
       attachments from email messages and place them in predictable
       locations. A notable example of this is Eudora.
     * Using chat clients such as IRC-II, ICQ, or AOL Instant Messenger
       in modes that allow unsolicited file transfers to be placed in a
       local directory.
     * Hosting an anonymous FTP site, if the upload directory is
       accessible by local users.
       
   Without other solutions, engaging in any of these activities renders a
   site vulnerable to the problem described in this advisory.
   Additionally, several other vulnerabilities have been discovered
   recently whose impact was limited to the ability to download arbitrary
   files to the victim's system. If they are exploited in conjunction
   with this vulnerability, the impact is more significant, as discussed
   in the next section.
   
II. Impact

   By using the showHelp Active Scripting call in conjunction with
   shortcuts embedded in a malicious help file, attackers are able to
   execute programs and ActiveX controls of their choice. Since
   exploitation of the vulnerability requires an attacker to place a
   compiled help file (CHM) in a location accessible to the victim, it is
   usually trivial to include a malicious executable as well. In this
   situation, the attacker can take any action that the victim can.
   
   The essence of the problem is this:

      The ability for an intruder to make a file accessible to a victim
      running Internet Explorer is equivalent to the ability to execute
      arbitrary code on the victim's system if several common
      preconditions are met.
          
III. Solution

   The CERT/CC developed the information in the solution section based on
   our independent tests using primarily Internet Explorer 5 on Microsoft
   Windows NT 4.0 and Windows 2000. Your results will vary based on your
   particular configuration.
   
   For some sites, the patch provided by Microsoft is adequate. For
   others, particularly those sites using non-Microsoft networking
   products, the patch does not provide complete protection. You will
   need to understand your network's configuration prior to deciding
   which, if any, changes are appropriate.
   
Configure Outlook to read email in the Restricted Zone.

   Because an email message may start Internet Explorer automatically if
   Active Scripting is enabled, the CERT/CC encourages you to configure
   your Outlook email client to use the Restricted Zone, and to disable
   Active Scripting in this zone. This solution should be implemented in
   addition to one of the changes mentioned earlier.
   
   The steps for configuring Outlook to use the Restricted Zone are:
    1. Start Outlook as you normally would.
    2. From the Tools menu select Options.... The Options dialog box
       appears.
    3. Select the Security tab. The Security Options panel appears.
    4. In the Secure content section, change the pull-down menu from
       Internet to Restricted Sites.
    5. Click Apply to save your changes.
    6. Click OK to close the Options dialog box.
       
   We recommend similar steps for any other mail clients that support
   Active Scripting and Security Zones (or similar facilities to prevent
   the unwanted execution of scripts).
   
Disable Active Scripting and/or ActiveX controls in the Internet Zone.

   One way to prevent the exploitation of this vulnerability is to limit
   the functionality available to attackers through the security zone
   feature of Internet Explorer. The CERT/CC recommends this solution as
   a way to protect against the vulnerability while retaining as much
   functionality as possible in the help system.
   
   A security zone is a set of security settings applied to a web page
   based on the site the web page originated from. By default, all sites
   are in the Internet Zone, and disabling functionality in this zone can
   protect you from attackers at all sites not associated with another
   zone.
   
   You may also need to reduce the settings in the Local Intranet Zone,
   if you do not trust all web sites within your DNS domain. In fact, the
   risk of exploitation by an inside attacker may be greater, since the
   ability to create a file accessible by you may be easier within a
   local area network.
   
   One or more of the following options must be changed in the
   appropriate zones to protect against the vulnerability:
     * The Active Scripting option
       Disabling Active Scripting is perhaps the best solution since it
       prevents the vulnerability from being exploited and doesn't
       present the user with warning dialogs. Setting this option to
       "Prompt" is not recommended, because the warning dialog will
       incorrectly imply that the action is safe, when in fact it is not.
     * The Run ActiveX controls and plug-ins option
       Disabling the execution of ActiveX controls is an option that
       protects against this vulnerability, but it also prevents plug-ins
       from executing normally. Since plug-ins for common applications
       such as Adobe Acrobat are included in this same category, setting
       the option to "Disable" results in significantly reduced
       functionality. For similar reasons, setting this option to
       "Prompt" is not recommended, because it is not always clear what
       the safe response should be.
       An excellent solution (but perhaps requiring more administrative
       effort) is to set this option to "Administrator approved". In this
       setting, only those ActiveX controls approved by the administrator
       (using the Internet Explorer Administration Kit) will be executed.
       If the administrator includes most controls but specifically
       excludes the HHCtrl control, there is an attractive balance
       between security and functionality. For more information regarding
       this option, see
       
        http://www.microsoft.com/Windows/ieak/en/support/faq/default.asp
                
     * The Script ActiveX controls marked safe for scripting option
       Disabling the scripting of ActiveX controls marked "safe for
       scripting" protects against this vulnerability but limits the
       normal operation of many controls used over the Internet. Setting
       this option to "Prompt" generates a warning dialog that is not
       strongly enough worded to reflect the danger inherent in the
       HHCtrl control.
       
   If all three of these options are set to "Enable", which is the
   default in the Internet Zone, this vulnerability may be exploited.
   Improving the security settings of any of these three options will at
   least cause a warning dialog to appear and may prevent the exploit
   entirely.
   
   Steps for changing your security zone settings for Internet Explorer 5
   on Windows NT 4.0 are:
    1. Start Internet Explorer as you normally would.
    2. From the Tools menu select Internet Options.... The Internet
       Options dialog box appears.
    3. Select the Security tab. The Security Options panel appears.
    4. Select the zone you wish to change. For most users, this is the
       Internet Zone, but depending on your circumstances, you may need
       to repeat these steps for the Local Intranet Zone as well.
    5. Click the Custom Level button. The Security Settings panel
       appears.
    6. Change one or more of the following settings based on the
       information provided earlier and your desired level of security.
         a. Set Run ActiveX controls and plug-ins to administrator
            approved, disable, or prompt.
         b. Set Script ActiveX controls marked safe for scripting to
            disable or prompt.
         c. Set Active scripting to disable or prompt.
    7. Click OK to accept these changes. A dialog box appears asking if
       you are sure you want to make these changes.
    8. Click Yes.
    9. Click Apply to save your changes.
   10. Click OK to close the Internet Options dialog box.
       
   Security zones can also be used to enable Active Scripting and ActiveX
   controls at specific sites where you wish to retain this
   functionality. To place a site in the Trusted Sites Zone using
   Internet Explorer 5.0 on Windows NT 4.0,
    1. Start Internet Explorer as you normally would.
    2. From the Tools menu select Internet Options.... The Internet
       Options dialog box appears.
    3. Select the Security tab. The Security Options panel appears.
    4. Select the Trusted Sites Zone.
    5. Click the Sites... button.
    6. Enter the name of the trusted site in the Add this Web Site to the
       zone: text box.
    7. Click the Add button.
    8. If a dialog box appears saying "Sites added to this zone must use
       the https:// prefix. This prefix assures a secure connection":
         a. Click OK.
         b. Add https:// to the beginning of the site name, and try to
            add the site again.
         c. Or uncheck the box at the bottom of the dialog box marked
            Require server verification (https:) for all sites in this
            zone. Making this change reduces the security of your system
            by not requiring certificate based authentication, relying
            instead on DNS based verification which could be misleading.
            The CERT/CC encourages you not to make this change unless you
            fully understand the implications. If you choose not to
            require certificate based verification, you may wish to
            reduce other security settings for the Trusted Sites Zone.
    9. Click OK to save the new list of sites.
   10. Click Apply to save your changes.
   11. Click OK to close the Internet Options dialog box.
       
   Steps for managing Security Zones in other versions of Windows and
   Internet Explorer are similar.
   
The "My Computer" Zone

   In addition to the four zones that are ordinarily visible, there is a
   fifth zone called the "My Computer" zone which is not ordinarily
   visible. Files on the local system are in the "My Computer" zone. You
   can examine and modify the settings in the "My Computer" through the
   registry. For more information, see
   
   http://support.microsoft.com/support/kb/articles/Q182/5/69.ASP
          
   The "My Computer" zone may also be managed through the Internet
   Explorer Administration Kit (IEAK).
   
   The CERT/CC does not recommend modifications to the "My Computer" zone
   unless you have unusual security requirements and a thorough
   understanding of the ramifications, including the potential for loss
   of functionality.
   
   Note, however, that if there is a vulnerability or condition that
   allows an attacker to create a file locally (such as through Eudora,
   for example) then this file will be subject to the security settings
   of the "My Computer" zone.
   
   Active Scripts on a web page or in a mail message will continue to be
   subject to the security settings of the zone where the web page or
   mail client resides. In this case, disabling Active Scripting in
   untrusted locations, including the Internet Zone, provides the best
   defense.
   
Change the attributes of the HHCtrl ActiveX control.

   Because the HHCtrl control is central to the exploitation of this
   vulnerability, removing either the "safe for scripting" or the "safe
   for initialization" attribute in the registry corrects the problem.
   Unfortunately, removing these attributes prevents some features of the
   help system from operating normally, even if the help file is opened
   through some other application.
   
   Implementing this solution will allow other ActiveX controls to
   function, including those referenced in Internet web pages. If you are
   unable to implement one of the solutions mentioned earlier, or you are
   willing to sacrifice help system features for more complete ActiveX
   functionality, then you may wish to consider this solution. This
   solution will provide warning dialogs when users open help files --
   both malicious and benign help files.
   
   To mark the HHCtrl ActiveX control as not "safe for scripting", remove
   this registry key:
   
   HKEY_CLASSES_ROOT\CLSID\ {ADB880A6-D8FF-11CF-9377-00AA003B7A11}\
          Implemented Categories\ {7DD95801-9882-11CF-9FA9-00AA006C42C4}
          
   To mark the HHCtrl ActiveX control as not "safe for initialization",
   remove this registry key:
   
   HKEY_CLASSES_ROOT\CLSID\ {ADB880A6-D8FF-11CF-9377-00AA003B7A11}\
          Implemented Categories\ {7DD95802-9882-11CF-9FA9-00AA006C42C4}
          
   Spaces in the keys listed above were added to improve HTML formatting
   and are not in the actual registry keys.
   
   Only one of the two changes needs to be made in order to prevent the
   exploitation of this vulnerability. Either of these changes will
   result in additional warning dialogs when a user opens compiled help
   files with references to the HHCtrl control, even if the help file is
   part of legitimate locally installed software.
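   As an added defender-side audit (not part of the advisory, and not
   Microsoft's tooling), the PowerShell below reads the registry locations
   the Solution section describes and reports whether preconditions 3 and
   4 still hold on the machine. The HHCtrl CLSID and category GUIDs are the
   advisory's own; the zone action value names (1200, 1400, 1405) and
   their numeric encodings are assumed from the KB182569 article the
   advisory links to, not from the advisory itself.

```powershell
# Added example, not part of the CERT advisory: a read-only audit of the two
# registry-visible preconditions (3: zone settings, 4: HHCtrl safety categories).

# CLSID and category GUIDs exactly as the advisory gives them (spaces removed).
$HHCtrlClsid   = '{ADB880A6-D8FF-11CF-9377-00AA003B7A11}'
$SafeForScript = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'   # "safe for scripting"
$SafeForInit   = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'   # "safe for initialization"

# Zone action value names: NOT in the advisory, assumed from the KB182569 zone
# registry layout the advisory links to. Verify against that article before relying on them.
$ZoneActions = @{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1405' = 'Script ActiveX controls marked safe for scripting'
    '1400' = 'Active scripting'
}
$ZoneNames = @{ '1' = 'Local Intranet'; '3' = 'Internet' }
# Per-user zone settings; policy-managed machines may keep them under HKLM instead.
$ZonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-HHCtrlSafetyStatus {
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$HHCtrlClsid"
    $catKey   = "$clsidKey\Implemented Categories"
    [pscustomobject]@{
        Installed             = Test-Path $clsidKey
        SafeForScripting      = Test-Path "$catKey\$SafeForScript"
        SafeForInitialization = Test-Path "$catKey\$SafeForInit"
    }
}

function ConvertTo-ActionSetting([uint32]$Value) {
    # Assumed encoding (KB182569): 0 Enable, 1 Prompt, 3 Disable, 0x10000 Administrator approved.
    switch ($Value) {
        0       { 'Enable' }
        1       { 'Prompt' }
        3       { 'Disable' }
        65536   { 'Administrator approved' }
        default { 'Unknown (0x{0:X})' -f $Value }
    }
}

function Get-ZoneActionStatus {
    foreach ($zone in ($ZoneNames.Keys | Sort-Object)) {
        $key = "$ZonesRoot\$zone"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($action in ($ZoneActions.Keys | Sort-Object)) {
            $raw = $props.$action
            [pscustomobject]@{
                Zone    = $ZoneNames[$zone]
                Action  = $ZoneActions[$action]
                Setting = if ($null -eq $raw) { 'Not set' } else { ConvertTo-ActionSetting $raw }
            }
        }
    }
}

$ctrl  = Get-HHCtrlSafetyStatus
$zones = @(Get-ZoneActionStatus)
$ctrl  | Format-List
$zones | Format-Table -AutoSize

# Precondition 4: control present and still "safe for scripting" AND "safe for initialization".
$cond4 = $ctrl.Installed -and $ctrl.SafeForScripting -and $ctrl.SafeForInitialization

# Precondition 3: a zone in which none of the three actions has been tightened.
# 'Not set' counts as open because the advisory states the Internet Zone default is Enable.
$openZones = $zones | Group-Object Zone | Where-Object {
    @($_.Group | Where-Object { $_.Setting -notin @('Enable', 'Not set') }).Count -eq 0
} | ForEach-Object Name

if ($cond4 -and $openZones) {
    $msg = ('HHCtrl is marked safe for scripting and initialization, and zone(s) {0} still ' +
            'enable all three actions: preconditions 3 and 4 of CA-2000-12 hold. ' +
            'Apply one of the changes in the Solution section.') -f ($openZones -join ', ')
    Write-Warning $msg
} elseif ($cond4) {
    'HHCtrl still carries both safety categories, but each audited zone restricts at least one action.'
} else {
    'HHCtrl is not marked safe for both scripting and initialization; the scripted showHelp path is closed.'
}
```

   The script changes nothing; to apply the advisory's registry change, remove
   one of the two category keys listed above after reviewing the output.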
   
Avoid accessing filesystems writable by untrusted users.

   Because of the difficulty in implementing this solution correctly, the
   CERT/CC does not recommend relying on this solution. You may want to
   consider this solution only if you can implement it easily or if you
   have no other viable choices.
   
   Care should be taken with any mechanism that might allow an untrusted
   user to download or otherwise cause a file to be accessible to the
   victim. This includes, but is not limited to, network-based file
   sharing mechanisms (AFS, DFS, Netware, NFS, Windows shares) and mail
   delivery programs that automatically extract attachments.
   
   Also, if you choose to implement this solution, you need to be
   especially vigilant in your monitoring of security resources for
   information about new vulnerabilities that allow attackers to download
   files to your system. The impact of these vulnerabilities will be
   greater than if you had selected one of the solutions recommended
   above.
   
Appendix A. Vendor Information

Microsoft Corporation

   Microsoft recommends customers using Microsoft Internet Explorer
   version 4.0, 4.01, 5.0, or 5.01 apply the patch discussed in
   http://microsoft.com/technet/security/bulletin/ms00-037.asp and
   routinely use the Security Zones feature.
   
   The Security Zones feature of Internet Explorer allows you to
   categorize the web sites you visit and specify what the sites in a
   particular category should be allowed to do. Since most people visit a
   small number of familiar, professionally-operated web sites, and it's
   unlikely that such a site would pose any risk, we recommend putting
   the sites that you visit frequently and trust into the Trusted Zone.
   All sites that you haven't otherwise categorized will reside in the
   Internet Zone. You can then configure the zones to give the
   appropriate privileges to the web sites in each of these zones.
   
   In addition, Microsoft recommends Outlook users install the Outlook
   Security Update
   http://www.officeupdate.com/2000/downloaddetails/Out2ksec.htm to
   protect against mail-borne attacks.
     _________________________________________________________________
   
   Thanks to Georgi Guninski, who originally discovered this
   vulnerability and who also provided input used in the development of
   this advisory.
     _________________________________________________________________
   
   Cory Cohen was the primary author of this document, with some text by
   Shawn Hernan.
   ______________________________________________________________________
   
   This document is available from:
   http://www.cert.org/advisories/CA-2000-12.html
   ______________________________________________________________________
   
CERT/CC Contact Information

   Email: cert@cert.org
   Phone: +1 412-268-7090 (24-hour hotline)
   Fax: +1 412-268-6989
   Postal address:
      CERT Coordination Center
      Software Engineering Institute
      Carnegie Mellon University
      Pittsburgh PA 15213-3890
      U.S.A.
          
   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.
   
Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   
   http://www.cert.org/CERT_PGP.key
       
   If you prefer to use DES, please call the CERT hotline for more
   information.
   
Getting security information

   CERT publications and other security information are available from
   our web site
   
   http://www.cert.org/
       
   To be added to our mailing list for advisories and bulletins, send
   email to cert-advisory-request@cert.org and include SUBSCRIBE
   your-email-address in the subject of your message.
   
   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________
   
   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
     _________________________________________________________________
   
   Conditions for use, disclaimers, and sponsorship information
   
   Copyright 2000 Carnegie Mellon University.
   
   Revision History
June 19, 2000:  Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBOU5xg1r9kb5qlZHQEQIH+ACfcDrdNJV7Oc/tEl1HjcgJF/oYpu0AoOhd
WWbsM/x5SeRkUJsuxb2Y1AJj
=jOuw
-----END PGP SIGNATURE-----


