Web Attack: Windows Help Center Cmd Exec

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature will detect attempts to exploit a remote command execution vulnerability in Microsoft Windows Help Center.

Additional Information

Help and Support Center provides operating system help facilities that may be accessed via HCP URIs (hcp://). It is included in various Microsoft operating systems.

Microsoft Windows Help And Support Center is prone to a trusted document whitelist bypass vulnerability. This issue may allow remote untrusted attackers to access arbitrary help documents which may lead to various attacks.

Specifically, this issue arises due to a design error in the trusted document whitelist functionality used by the Help and Support Center. The whitelist functionality restricts untrusted sites from accessing arbitrary help documents by running Help and Support Center in a restricted mode where only a whitelist of help documents and parameters are accessible to the sites.

When an HCP URI is handled, the application normalizes and unescapes the input, and the URIs are then validated using the 'MPC::HTML::UrlUnescapeW()' function, which calls 'MPC::HexToNum()' to translate URI escape sequences into their original characters. The vulnerability arises from the way 'MPC::HexToNum()' handles error conditions: 'MPC::HTML::UrlUnescapeW()' does not check the return value of 'MPC::HexToNum()', which leads to string miscalculations as unexpected data is appended to std::strings.
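The bug class described above, as an added illustration that is not Microsoft's code and not part of the original advisory: a percent-decoder that ignores its hex helper's error value, next to a checked decoder that rejects the URI before any whitelist comparison. All function names, the -1 error convention and the sample URIs are hypothetical.

```cpp
#include <algorithm>
#include <string>
#include <vector>

// Hex digit -> value, or -1 on error (assumed error convention).
static int hex_to_num(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Unchecked form: the -1 error value is folded into the decoded byte, so a
// malformed escape yields a character that was never in the input.
std::string unescape_unchecked(const std::string& in) {
    std::string out;
    for (std::size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '%' && i + 2 < in.size()) {
            out += static_cast<char>(hex_to_num(in[i + 1]) * 16 + hex_to_num(in[i + 2]));
            i += 2;
        } else {
            out += in[i];
        }
    }
    return out;
}

// Checked form: a truncated or non-hex escape fails the whole decode.
bool unescape_strict(const std::string& in, std::string& out) {
    out.clear();
    for (std::size_t i = 0; i < in.size(); ++i) {
        if (in[i] != '%') { out += in[i]; continue; }
        if (i + 2 >= in.size()) return false;            // truncated escape
        int hi = hex_to_num(in[i + 1]), lo = hex_to_num(in[i + 2]);
        if (hi < 0 || lo < 0) return false;              // not hex: reject
        out += static_cast<char>(hi * 16 + lo);
        i += 2;
    }
    return true;
}

// Allow a URI only if it decodes cleanly and the decoded form is whitelisted.
bool is_allowed(const std::string& uri, const std::vector<std::string>& allowlist) {
    std::string decoded;
    if (!unescape_strict(uri, decoded)) return false;
    return std::find(allowlist.begin(), allowlist.end(), decoded) != allowlist.end();
}

// Constructed sample: a well-formed escape that decodes to a whitelisted entry.
int main() { return is_allowed("hcp://example/ok%2Ehtm", {"hcp://example/ok.htm"}) ? 0 : 1; }
```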

An attacker can exploit this issue by enticing a user into following a URI. Successful attacks can allow attackers to bypass the whitelist functionality and access arbitrary help documents. An attacker can combine this vulnerability with another issue such as the weakness described in BID 40721 (Microsoft Help and Support Center 'sysinfo/sysinfomain.htm' Cross Site Scripting Weakness) to execute arbitrary code on a vulnerable computer.

Note that this issue may cause Internet Explorer 8 and other browsers to display a warning dialog box. This protection can be evaded by placing the attacker-supplied link in a media file and supplying the file to a user through the browser, which then launches Windows Media Player without presenting the warning dialog. Internet Explorer 7 and prior versions do not display any dialog boxes when this issue is triggered.

This issue is reported to affect Windows XP and Windows Server 2003; other versions of Windows may be vulnerable as well.

Affected

  • Microsoft Windows XP Tablet PC Edition SP3
  • Microsoft Windows XP Tablet PC Edition SP2
  • Microsoft Windows XP Professional SP3
  • Microsoft Windows XP Professional SP2
  • Microsoft Windows XP Media Center Edition SP3
  • Microsoft Windows XP Media Center Edition SP2
  • Microsoft Windows XP Home SP3
  • Microsoft Windows XP Home SP2
  • Microsoft Windows Server 2003 Web Edition SP2
  • Microsoft Windows Server 2003 Web Edition SP1 Beta 1
  • Microsoft Windows Server 2003 Web Edition SP1
  • Microsoft Windows Server 2003 Web Edition
  • Microsoft Windows Server 2003 Standard Edition SP2
  • Microsoft Windows Server 2003 Standard Edition SP1 Beta 1
  • Microsoft Windows Server 2003 Standard Edition SP1
  • Microsoft Windows Server 2003 Standard Edition
  • Microsoft Windows Server 2003 Itanium SP2
  • Microsoft Windows Server 2003 Itanium SP1
  • Microsoft Windows Server 2003 Itanium 0
  • Microsoft Windows Server 2003 Enterprise Edition Itanium SP1 Beta 1
  • Microsoft Windows Server 2003 Enterprise Edition Itanium SP1
  • Microsoft Windows Server 2003 Enterprise Edition Itanium 0
  • Microsoft Windows Server 2003 Enterprise Edition SP1 Beta 1
  • Microsoft Windows Server 2003 Enterprise Edition SP1
  • Microsoft Windows Server 2003 Enterprise Edition
  • Microsoft Windows Server 2003 Datacenter Edition Itanium SP1 Beta 1
  • Microsoft Windows Server 2003 Datacenter Edition Itanium SP1
  • Microsoft Windows Server 2003 Datacenter Edition Itanium 0
  • Microsoft Windows Server 2003 Datacenter Edition SP1 Beta 1
  • Microsoft Windows Server 2003 Datacenter Edition SP1
  • Microsoft Windows Server 2003 Datacenter Edition
  • 3DM Software Disk Management Software R2 Platform SDK

Response

Download and install all vendor patches related to this vulnerability.