CVE 2010-1885 (Windows Help Center URL Validation Vulnerability) Exploit Artifacts ~ Anti Virus Scan

Artifact Name

CVE 2010-1885 (Windows Help Center URL Validation Vulnerability) Exploit Artifacts

Attack Vector Category

Exploit

Description

Vulnerability in the helpctr.exe affects Microsoft Windows XP and Windows Server 2003. Exploitation allows remote attackers to bypass the trusted documents option and execute arbitrary commands using a crafted hcp:// URL.

Attack Description

The following is the sequence of the attack as described by the Seclist Full disclosure reference..

1. Using “an html page, email, document, or other application force a user to fetch an .asx file containing an HtmlView element”. Author mentioned this could be accomplished using the variable: var asx =http://something/something.asx. Also, the author mentioned Windows Media Player could be used in the attack.

2. “From the HtmlView element, invoke the hcp protocol handler that would normally require confirmation”. Author mentioned the hcp protocol can be invoked from within an iframe in an ASX HtmlView element.

3. “From the HCP Protocol handler, bypass the /fromhcp whitelist by using the string miscalculation”. Author mentioned to defeat the whitelist use the following string:

4. “Once the whitelist has been defeated, invoke a help document with a known” cross-site scripting vulnerability. Author mentioned one help document available in a default installation is system/sysinfo/sysinfomain.htm.

5. “Use the defer property of a script tag to execute script in a privileged zone”.

6. “Invoke an arbitrary command using the wscript.shell object”.

Exploits Tested

Metasploit v3.5 ms10_042_helpctr_xxs_cmd_exec

Target System Information

* Windows XP SP3 Virtual Machine with Internet Explorer v8 with administrative user account

* Windows XP SP3 Virtual Machine with Internet Explorer v8 with non-administrative user account

* Windows XP SP3 Virtual Machine with Internet Explorer v7 with administrative user account

* Windows XP SP3 Virtual Machine with Internet Explorer v7 with non-administrative user account

Different Artifacts based on Administrator Rights

No

Different Artifacts based on Tested Software Versions

Yes, different artifacts between Internet Explorer 7 and 8

Potential Artifacts

The potential artifacts include the CVE 2010-1885 exploit and the changes the exploit causes in the operating system environment. The artifacts can be grouped under the following five areas:
      * Artifact with references to the ASX and iframe variables
      * Artifacts associated with the files specified in the ASX and iframe variables being accessed
      * Folder of interest associated with the exploit
      * Artifacts associated with the hcp protocol
      * Artifacts associated with the Windows programs executed during the exploit

Note: the documenting of the potential artifacts attempted to identify the overall artifacts associated with the vulnerability being exploited as opposed to the specific artifacts unique to the Metasploit. As a result, the actual artifact storage locations and filenames are inside of brackets in order to distinguish what may be unique to the testing environment.

      * Artifact with references to the ASX and iframe variables located in a temporary folder
           - htm file located in a temporary folder [Temporary Internet Files folder]. Image below highlights the variables.

* Artifacts associated with the files specified in the ASX and iframe variables being accessed (the artifacts varied based on the version of Internet Explorer)
- ASX file located in a temporary folder [Temporary Internet Files folder]. This file invokes the hcp protocol handler through an iframe. In the image below, the iframe is located in the file named [c.html]. The ASX file line containing "REF href" mentions an image file [gif image] which is accessed by the Windows Media Player. This ASX file wasn’t present with Internet Explorer 7.

- htm file containing the iframe pointing to the hcp string located in a temporary folder [Temporary Internet Files folder]. In the image below, notice the iframe is referencing the sysinfo/sysinfomain.htm document which contains a cross site scripting vulnerability. The iframe is detected by VirusTotal as CVE-2010-1885 exploit.

- image file [gif image] located in a temporary folder [Temporary Internet Files folder] and files associated with Windows Media Player executing [Windows Media Player prefetch file and registry entries]. These artifacts weren’t present with Internet Explorer v7

- references to the above artifacts being accessed [Internet Explorer history contained entries of the files being accessed]. In the image below, the ASX filename is lk.asx, iframe is in the file named c.html, the image filename is t.gif, and 192.168.11.200 was the computer running the Metasploit exploit.

* Folder of interest associated with the exploit
- There was a lot of activity involving the helpctr folder [C:\WINDOWS\pchealth\helpctr]. The image below shows a portion of this activity involving files being accessed as well as a cache file being created.

* Artifacts associated with the hcp protocol
- Internet Explorer’s index.dat file recorded the activity of the hcp protocol. In the image below, notice the iframe located in the 7:18:05PM entry.

- Files located in the Temporary Internet Files folder. Files located in this folder are the same files which were located in the helpctr folder [C:\WINDOWS\pchealth\helpctr]. This was determined through a comparison of the files’ hashes and the arrows in the image below highlight two of those files.

* Artifacts associated with the Windows programs executed during exploit
- The following programs were executed verclsid.exe, helpctr.exe, and helpsvc.exe. The Prefetch folder had files indicating the execution of these programs [C:/WINDOWS/Prefetch/VERCLSID.EXE-3667BD89.pf], [C:/WINDOWS/Prefetch/HELPCTR.EXE-3862B6F5.pf], and [C:/WINDOWS/Prefetch/HELPSVC.EXE-2878DDA2.pf].

Timeline View of Potential Artifacts

The images below shows above artifacts in a timeline created from the Windows XP SP3 Internet Explorer 8 with the administrative user account test system. However, this timeline doesn't include the Internet Explorer history entries.