
Web Attacks Using Microsoft Help and Support Center Viewer

Oct 23, 2008 10:35 AM

The Symantec DeepSight Threat Analysis team recently observed an interesting attack development related to a known vulnerability type. This seemingly new technique allows attackers to execute a malicious payload immediately on a victim's system, where in the past they weren't able to achieve instant code execution by exploiting such vulnerabilities.
 
Public examples of this new attack typically employ file-overwrite and file-download vulnerabilities in ActiveX controls to download a malicious file onto the target machine. In the past, attackers were able to download files without much difficulty, but until recently the options for attackers seeking to have malicious programs executed on a victim's system were limited. In order to execute a malicious file on an affected computer, attackers generally needed to place the file in one of the load points, such as the "Startup" directory in Microsoft Windows, or use social engineering or other attacks to have the file executed. This presented a problem for attackers, since they were forced to wait for the victim to reboot their machine or execute the file, which could take some time and therefore increase the chances of discovery and failure of the attack.

In some recent exploit developments, we observed that it is possible to use the "Microsoft Help and Support Center Viewer" application in conjunction with a file-overwrite or file-download issue to immediately execute a malicious file on a vulnerable computer. A typical attack scenario using this technique takes place like this:

1. An attacker creates a malicious Web page that uses an arbitrary file-overwrite issue to place their malicious binary on the victim's machine. The attacker then tricks their victim into visiting this page.

2. When the victim visits the page, the attacker exploits the same vulnerability to overwrite one of the Help and Support Center's HTML files, such as "C:\WINDOWS\PCHealth\HelpCtr\System\sysinfo\sysinfomain.htm". The attacker overwrites this file with script code that performs malicious actions on their behalf.

3. Once the previous steps have been carried out successfully, the attacker redirects the victim's browser using the "window.location" method, such as "window.location = hcp://system/sysinfo/sysinfomain.htm".

4. The Microsoft Help and Support Center viewer, which handles "hcp://" links, runs the attacker's script, which in turn executes their malicious binary.
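The observable that step 3 leaves in web content is a browser redirection to an "hcp://" URL, which ordinary Web pages have no reason to issue. The following Python scanner is an added example (not code from the original post or from Symantec) that a content filter or proxy could run over fetched HTML to flag such redirections and any other "hcp://" references; the sample page, the `Finding` structure and the triage labels are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample of a captured Web page (not from the original post).
# Line 4 is a benign redirect; line 7 is the "hcp://" redirection described in step 3.
SAMPLE_PAGE = """<html><body>
<script>
  // benign navigation
  window.location.href = "http://example.com/help";
</script>
<script>
  window.location = "hcp://system/sysinfo/sysinfomain.htm";
</script>
<a href="hcp://system/sysinfo/sysinfomain.htm">Open help</a>
</body></html>"""

# Any hcp:// URL, terminated by whitespace, a quote or an angle bracket.
HCP_URL = re.compile(r"""hcp://[^\s"'<>]+""", re.IGNORECASE)

# A script assignment of an hcp:// URL to (window.|document.|top.|self.)location[.href].
LOCATION_ASSIGN = re.compile(
    r"""(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*['"](hcp://[^'"]+)['"]""",
    re.IGNORECASE,
)


@dataclass
class Finding:
    line: int   # 1-based line number within the scanned content
    kind: str   # "script-redirect" (navigation into the Help Center) or "hcp-reference"
    url: str    # the hcp:// URL that was seen


def scan_html(content: str) -> list[Finding]:
    """Return every hcp:// redirect or reference found in `content`, in document order."""
    findings: list[Finding] = []
    for lineno, line in enumerate(content.splitlines(), start=1):
        for m in LOCATION_ASSIGN.finditer(line):
            findings.append(Finding(lineno, "script-redirect", m.group(1)))
        for m in HCP_URL.finditer(line):
            # The redirect regex already reported this URL on this line; don't report it twice.
            if not any(f.line == lineno and f.url == m.group(0) for f in findings):
                findings.append(Finding(lineno, "hcp-reference", m.group(0)))
    return findings


def triage(findings: list[Finding]) -> str:
    """Collapse findings into a single verdict a filter can act on (constructed policy)."""
    if any(f.kind == "script-redirect" for f in findings):
        return "block"    # script-driven navigation into the Help Center viewer
    if findings:
        return "review"   # a plain hcp:// link is unusual on the Web but not conclusive
    return "allow"


if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE):
        print(f"line {f.line}: {f.kind} -> {f.url}")
    print("verdict:", triage(scan_html(SAMPLE_PAGE)))
```

The scanner is line-oriented, so a redirect split across lines or assembled from string fragments at run time would need a JavaScript-aware pass; it is meant to catch the plain pattern the post describes, not obfuscated variants.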

What makes this attack remarkable is that, because the Help and Support Center can run script commands in the context of the local user, attackers can use inherent ActiveX controls not marked as "Safe for Scripting" to execute a malicious binary that they have already placed on the vulnerable user's computer.
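Because the attack depends on rewriting one of the Help and Support Center's own HTML pages (step 2 above), the host-side check a defender wants is file-integrity monitoring of that directory tree. The following Python example is added here and is not code from the original post or from Symantec: it baselines SHA-256 digests of every file under a directory and reports files that were modified, added or removed. The `demo()` function builds a stand-in for the HelpCtr tree in a temporary directory with constructed content rather than touching `C:\WINDOWS\PCHealth\HelpCtr`, so it runs anywhere; a deployment would point `build_baseline` at the real directory and store the baseline somewhere the local user cannot write.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files don't have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every file under `root` (relative path, '/'-separated) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_against_baseline(root: Path, baseline: dict[str, str]) -> list[tuple[str, str]]:
    """Compare the tree under `root` with a stored baseline.

    Returns (relative path, reason) pairs, reason being "modified", "missing" or "added".
    """
    current = build_baseline(root)
    findings: list[tuple[str, str]] = []
    for rel, digest in baseline.items():
        if rel not in current:
            findings.append((rel, "missing"))
        elif current[rel] != digest:
            findings.append((rel, "modified"))
    for rel in current:
        if rel not in baseline:
            findings.append((rel, "added"))
    return sorted(findings)


def demo() -> list[tuple[str, str]]:
    """Constructed scenario: baseline a stand-in HelpCtr tree, then overwrite one page."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "HelpCtr" / "System"          # stand-in for the real tree
        (root / "sysinfo").mkdir(parents=True)
        (root / "sysinfo" / "sysinfomain.htm").write_text("<html>original help page</html>")
        (root / "index.htm").write_text("<html>index</html>")
        baseline = build_baseline(root)

        # Simulated tampering (constructed content): the page named in the post is
        # replaced, and an extra page appears.
        (root / "sysinfo" / "sysinfomain.htm").write_text(
            "<html><script>/* replaced content */</script></html>"
        )
        (root / "sysinfo" / "extra.htm").write_text("<html>new file</html>")

        return verify_against_baseline(root, baseline)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:9s} {rel}")
```

A digest baseline catches the overwrite regardless of what script the replacement page contains, which matters here because the Help Center's legitimate pages also carry script and so cannot be flagged on the mere presence of `<script>`.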

It's worth noting at this point that in order for this attack to be successful the user must be logged in with Administrator privileges. However, since the standard Windows XP setup on stand-alone systems often has Administrator privileges enabled, and most users don't follow best practices to set up a limited user for general use, this attack may be possible on a large number of machines.

The DeepSight Threat Analysis team has also created the following video which demonstrates an attack of this type:


Message Edited by SR Blog Moderator on 10-23-2008 07:38 AM
