Microsoft Windows gives applications a standard way to display and handle help files. One of these methods is the HTML Help API. "The HTML Help application programming interface (API) enables a Windows program to create a help window that displays a help topic. The Windows program has complete control over the type, style, and position of the help window."
A privilege escalation vulnerability exists in the way this API is used, allowing a local user to execute code with SYSTEM privileges.
Credit:
The information has been provided by Brett Moore
The HTML help API consists of one function that an application uses to pass commands.
    HWND HtmlHelp(
        HWND   hwndCaller,
        LPCSTR pszFile,
        UINT   uCommand,
        DWORD  dwData);
When an application loads a help file using this function it passes the name of the file through the pszFile parameter. It appears that this function does not drop any privileges before invoking the help viewer.
If a SYSTEM level application uses this function to display a help file, the HTML help viewer will be running with SYSTEM rights.
Part of the help window consists of an instance of Internet Explorer that allows a user to browse the local drive. By selecting jump to URL from the window system menu, a user can enter a path name (c:\), right-mouse-click on a file and then select open with cmd.exe to be given a SYSTEM level command shell window.
Vulnerable programs:
From Brett Moore's testing, any application running at a higher security level that invokes HtmlHelp without dropping privileges is vulnerable. Brett Moore tested various personal firewall and antivirus applications and found some to be vulnerable to this attack. Brett Moore found no 'default' Windows applications vulnerable to this attack, but thinks that it is something application developers need to be aware of.
Solutions:
1) The HTML help viewer (hh.exe) could be launched externally, passing the help file name as a parameter, rather than being hosted in the privileged process.
2) Security rights could be dropped by launching the viewer as a separate process through the system() or CreateProcess() functions.
3) CreateProcessAsUser() or ImpersonateLoggedOnUser() could be used to control the rights that HtmlHelp executes with.
4) If an interactive window requires SYSTEM rights, its functionality should be limited to those functions requiring the higher level of privilege.
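The following PowerShell audit is an added example, not part of the advisory: it lists every hh.exe instance currently running under the SYSTEM account (SID S-1-5-18), the privileged parent that hosted or launched it, and any child processes it has spawned, which is the condition the solutions above are meant to prevent. It assumes only the WMI Win32_Process class and its GetOwnerSid method.

```powershell
# Added example (not from the advisory): find hh.exe instances running as SYSTEM,
# report the parent that invoked them and any children they have spawned.
function Get-SystemHtmlHelpInstances {
    $procs = Get-CimInstance Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[$p.ProcessId] = $p }

    foreach ($hh in ($procs | Where-Object { $_.Name -ieq 'hh.exe' })) {
        # Compare the owner SID rather than the account name so the check is locale independent.
        $sidInfo = Invoke-CimMethod -InputObject $hh -MethodName GetOwnerSid
        if ($sidInfo.ReturnValue -ne 0 -or $sidInfo.Sid -ne 'S-1-5-18') { continue }

        $parent   = $byPid[$hh.ParentProcessId]
        $children = $procs | Where-Object { $_.ParentProcessId -eq $hh.ProcessId }

        [pscustomobject]@{
            Pid         = $hh.ProcessId
            SessionId   = $hh.SessionId      # a non-zero session means an interactive desktop
            CommandLine = $hh.CommandLine    # shows which .chm file was opened
            Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { '<exited>' }
            ParentPath  = if ($parent) { $parent.ExecutablePath } else { $null }
            Children    = ($children | ForEach-Object { "$($_.Name) ($($_.ProcessId))" }) -join ', '
        }
    }
}

Get-SystemHtmlHelpInstances | Format-List
```

A SYSTEM-owned hh.exe in a non-zero session, or one with child processes, indicates an application that called HtmlHelp without dropping privileges; the Parent and ParentPath fields identify which one.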