The full disclosure of a serious remote execute vulnerability in Microsoft Windows Help and Support Center has been published by Tavis Ormandy, a Google security researcher. As the exploit method is quite simple, I think that there would be targeted attacks taking advantage of this flaw.
This vulnerability originates from the HCP protocol processing in Windows Help and Support Center. HCP protocol supports opening a help file by executing URL. The execution of URLs which start with hcp:// is based on a “whitelist” of help files available on the computer, and this is still considered secure. However, a flaw in unescaping URLs can allow hacker to bypass this “whitelist authentication”. Accordingly, the links created by appendding special characters to a whitelisted URL can still be approved by Help Center.
Thus, it is possible to insert a string of characters into a link to a certain help file on the system to exploit XSS vulnerability, and then execute arbitrary code on the computer. File hcp://system/sysinfo/sysinfomain.htm contains XSS vulnerability which can be exploited to launch attacks. For example, users when opening the following link in their browsers will execute calc.exe files on their computers:
So, the exploit method is quite simple. Hacker sends the victim a link which exploits the vulnerability as mentioned above. When users click this link, the malicious code will be executed to download virus onto the system.
Details of whitelist bypass.
As illustrated, when helpctr.exe unescapes the above URL, %A% will be turned into 0xFF. Thus, it can bypass the whitelist authentication mechanism.
URL, after being unescaped, will be separated by the characters corresponding to 0xFF. The first part is a valid link, helping this URL to bypass the whitelist authentication mechanism. The second part is the exploit code taking advantage of XSS vulnerability.
This is a serious vulnerability, and it has a great impact on users. I think it is a hurry to publish the full disclosure of the vulnerability when Microsoft has not issued the patches. I myself also have experience working with Microsoft in fixing vulnerability. I only disclosed the vulnerability information after the patch was issued. In my case, it took Microsoft 6 months to release the patch.
Le Manh Tung
Senior Security Researcher