(Vendor Issues Fix) Microsoft Internet Explorer showHelp() '\..\' Directory Traversal Flaw Lets Remote Users Execute Files on the Target System
|
|
SecurityTracker Alert ID: 1010689 |
|
SecurityTracker URL: http://securitytracker.com/id/1010689
|
|
CVE Reference:
CAN-2003-1041
(Links to External Site)
|
Date: Jul 13 2004
|
Impact:
Execution of arbitrary code via network, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 6.0 and prior versions
|
Description:
A vulnerability was reported in Microsoft Internet Explorer in the showHelp() function. A remote user can execute arbitrary files on the target system.
Arman Nayyeri reported that a remote user can create HTML that exploits a directory traversal flaw in the showHelp() implementation to execute arbitrary specified 'chm' files on the target system. The files will run in the Local Computer security zone with the privileges of the target user.
A demonstration exploit method for running 'chm' files located on the system drive is provided:
showHelp("mk:@MSITStore:iexplore.chm::..\\..\\..\\..\\chmfile.chm::/fileinchm.html");
According to the report, the target 'chm' file is not required to have a '.chm' file extension if the double colon string ('::') is used in the showHelp() call.
|
Impact:
A remote user can create HTML that, when loaded by the target user, will execute known compiled help files (chm files) on the target user's system.
|
Solution:
The vendor has issued the following fixes:
For Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, Microsoft Windows 2000 Service Pack 4:
http://www.microsoft.com/downloads/details.aspx?FamilyId=3F2F1A7D-5CF2-4791-A7EE-07F20F75796C&displaylang=en
For Microsoft Windows XP and Microsoft Windows XP Service Pack 1:
http://www.microsoft.com/downloads/details.aspx?FamilyId=8B412C7F-44AD-4E77-8973-FD3E84CC496A&displaylang=en
For Microsoft Windows XP 64-Bit Edition Service Pack 1:
http://www.microsoft.com/downloads/details.aspx?FamilyId=0042DB67-C58B-412C-A24F-9D2AA8071897&displaylang=en
For Microsoft Windows XP 64-Bit Edition Version 2003:
http://www.microsoft.com/downloads/details.aspx?FamilyId=DF0C5C4E-D986-4AD5-95E0-E87106D7C019&displaylang=en
For Microsoft Windows Server 2003:
http://www.microsoft.com/downloads/details.aspx?FamilyId=8B53C35D-E9ED-46AD-936C-30C8E3A7E606&displaylang=en
For Microsoft Windows Server 2003 64-Bit Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=DF0C5C4E-D986-4AD5-95E0-E87106D7C019&displaylang=en
For Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (Me), see the FAQ section of the vendor bulletin for details about these operating systems:
http://www.microsoft.com/technet/security/bulletin/ms04-023.mspx
For Internet Explorer 6.0 Service Pack 1 when installed on Windows NT 4.0 SP6a (Workstation, Server, or Terminal Server Edition):
http://www.microsoft.com/downloads/details.aspx?FamilyId=18D026D3-3D93-4845-94AD-4F2656500D7A&displaylang=en
The vendor plans to include this fix as part of Windows Server 2003 Service Pack 1, Windows XP Service Pack 2, and Windows 2000 Service Pack 5.
A restart may be required.
|
Vendor URL: www.microsoft.com/technet/security/bulletin/ms04-023.mspx (Links to External Site)
|
Cause:
Access control error, Input validation error
|
Underlying OS:
Windows (Any)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Tue, 13 Jul 2004 14:55:16 -0400
Subject: http://www.microsoft.com/technet/security/bulletin/ms04-023.mspx
|
Microsoft Security Bulletin MS04-023
Vulnerability in HTML Help Could Allow Code Execution (840315)
Microsoft® Windows®
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Microsoft warns that althought Windows NT Workstation 4.0, Windows NT Server 4.0 and
Windows NT 4.0 Terminal Server Edition are not affected by default, if you have installed
Internet Explorer 5.5 Service Pack 2 or Internet Explorer 6.0 Service Pack 1, then you
will have the vulnerable component on your system.
Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, Microsoft
Windows 2000 Service Pack 4:
http://www.microsoft.com/downloads/details.aspx?FamilyId=3F2F1A7D-5CF2-4791-A7EE-07F20F75796C&displaylang=en
Microsoft Windows XP and Microsoft Windows XP Service Pack 1:
http://www.microsoft.com/downloads/details.aspx?FamilyId=8B412C7F-44AD-4E77-8973-FD3E84CC496A&displaylang=en
Microsoft Windows XP 64-Bit Edition Service Pack 1:
http://www.microsoft.com/downloads/details.aspx?FamilyId=0042DB67-C58B-412C-A24F-9D2AA8071897&displaylang=en
Microsoft Windows XP 64-Bit Edition Version 2003:
http://www.microsoft.com/downloads/details.aspx?FamilyId=DF0C5C4E-D986-4AD5-95E0-E87106D7C019&displaylang=en
Microsoft Windows Server™ 2003:
http://www.microsoft.com/downloads/details.aspx?FamilyId=8B53C35D-E9ED-46AD-936C-30C8E3A7E606&displaylang=en
Microsoft Windows Server 2003 64-Bit Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=DF0C5C4E-D986-4AD5-95E0-E87106D7C019&displaylang=en
For Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows
Millennium Edition (Me), see the FAQ section of the vendor bulletin for details about
these operating systems:
http://www.microsoft.com/technet/security/bulletin/ms04-023.mspx
For Internet Explorer 6.0 Service Pack 1 when installed on Windows NT 4.0 SP6a
(Workstation, Server, or Terminal Server Edition):
http://www.microsoft.com/downloads/details.aspx?FamilyId=18D026D3-3D93-4845-94AD-4F2656500D7A&displaylang=en
|
|
