Security Alert for XP users
This vulnerability allows the files
contained in any specified directory on your system to be deleted if
you click on a specially formed URL. This URL could appear anywhere:
sent in malicious e-Mail, in a chat room, in a newsgroup posting, on a
malicious web page, or even execute when your computer merely visits a
malicious web page.
MS Tracking ID: [MSRC 1198dg]
Date Reported: 25/06/02
Date Published: 15/08/02
Impact: Delete files through CSS condition in Help Center
Resolution: To be fixed in XP SP1
Tested Applications: IE6 + all service packs (to date of publishing)
Windows XP + all patches (to date of publishing)
Help Center (HelpCtr.exe v5.1.2600.0)
Information on the 'Help and Support
Center' may be obtained from MSDN at;
Quoting from the above URL;
"Help and Support Center is the unified Help introduced by Windows XP.
It is an exapanded version of the Help Center application (introduced
in Windows Millenium Editon), providing a wider breadth of content and
more features to access that content."
The application also registers the
pluggable protocol "hcp://", which may be used to launch the help
center from a web site. It is also used for navigation within the
center itself. The path and file specified in an URL when using the
hcp protocol may specify a file to open relative from the HELPCTR
directory. ie. The URL "hcp://system/sysinfo/msinfo.htm" will launch
the Help Center and open the file "%windir%\PCHEALTH\HELPCTR\System\sysinfo\msinfo.htm".
There are various
restrictions and exceptions, but this is the general idea.
It is important to note that the Help
Center will host the page with elevated priviliges, allowing the page
to script arbitrary controls with no prompts presented to the user.
The file (32,463 bytes);
Appears to be intended for use by the
Help Center to upload hardware/driver information collected on the
local machine for use in troubleshooting hardware issues. It also
contains the fraction of script;
var oFSO = new ActiveXObject ( "Scripting.FileSystemObject"
oFSO.DeleteFile( sFile );
Where 'sFile' is derived from the
URL. The help center will load the uplddrvinfo.htm file and render it
with higher privileges, allowing such script to run without prompts
By using the 'hcp:' protocol, its
possible to launch this from a link. The filename can also include
wild cards. Thus, the following link will delete all files in the
'C:\windows\' directory when the launched window is closed. (normal
file permissions still apply as usual). Sub-directories are not
Microsoft have noted they intend to
roll the fix into SP1 for XP. I informed Microsoft I would be
publishing this advisory in mid August during correspondance (late
June) and received no objections.
Temporary solutions may be;
+ delete/move the uplddrvinfo.htm
+ edit the script of uplddrvinfo.htm to remove the offending code
+ unregister the hcp protocol handler
Ironically, the following 'exploit'
may also be used as a 'patch' for users running as admin with Windows
installed in C:\windows\.
!NOTE: This may delete the 'uplddrvinfo.htm'