[Am-info] Internet Explorer showHelp() Restriction Bypass Vulnerability

Fred Miller fmiller@lightlink.com
Sat, 3 Jan 2004 17:30:05 -0500


Internet Explorer showHelp() Restriction Bypass Vulnerability

CRITICAL:
Moderately critical

IMPACT:
Security Bypass

WHERE:
From remote

SOFTWARE:
Microsoft Internet Explorer 6
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 5.01

DESCRIPTION:
Arman Nayyeri has discovered a variant of the older showHelp() zone
bypass vulnerability, which works in Internet Explorer with all
current patches.

Websites can call the showHelp() function and open locally installed
"CHM" files, which are compressed help files. These may contain
references to system commands and can execute code with the
privileges of the logged in user.

Normally, it isn't a problem that Internet Explorer allows websites
to open locally installed "CHM" files as they are considered trusted.


However, other files can be treated as "CHM" files by using a special
syntax with a double ":" appended to the file name combined with a
directory traversal using the "..//" character sequence.

This can be exploited if a program such as WinAmp, XMLHTTP, ADODB
stream or another component allows websites to place files in a known location.

An example exploit has been published, which is capable of running
arbitrary code on the system if WinAmp is installed in the default
location.

The vulnerability has been confirmed in fully patched Internet
Explorer 6 with WinAmp 5 installed.

SOLUTION:
Disable active scripting support and enable it only for trusted
sites.

Filter HTML pages containing references to "showHelp()" using an HTTP proxy
or firewall with content filtering capabilities.

Use another product.
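The content-filtering suggestion above, as an added example that is not part of the advisory or the poster's message: a small Python scanner that flags showHelp() calls in HTML and escalates when the argument carries the "::" suffix and "..//" traversal sequence the advisory describes. The sample pages and the PLACEHOLDER path are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List

# Captures a showHelp(...) call and its argument list up to the closing paren.
SHOWHELP_RE = re.compile(r'showHelp\s*\(([^)]*)\)', re.IGNORECASE)


@dataclass
class Finding:
    call: str           # the matched showHelp(...) text
    double_colon: bool  # argument contains the "::" suffix syntax
    traversal: bool     # argument contains the "..//" traversal sequence

    @property
    def severity(self) -> str:
        # Any showHelp() call from a web page is worth logging; the "::" plus
        # "..//" combination is the specific pattern the advisory describes.
        if self.double_colon and self.traversal:
            return "high"
        if self.double_colon or self.traversal:
            return "medium"
        return "low"


def scan_html(html: str) -> List[Finding]:
    """Return one Finding per showHelp() call found in the page body."""
    findings = []
    for m in SHOWHELP_RE.finditer(html):
        arg = m.group(1)
        findings.append(Finding(call=m.group(0),
                                double_colon="::" in arg,
                                traversal="..//" in arg))
    return findings


def should_block(html: str) -> bool:
    """Proxy policy: block pages with a high-severity call, log the rest."""
    return any(f.severity == "high" for f in scan_html(html))


# Constructed sample pages (not real sites); PLACEHOLDER.html is a dummy name.
SAMPLE_PAGES = {
    "benign": '<html><body><a href="/docs">docs</a></body></html>',
    "plain_call": '<script>showHelp("C:\\\\Help\\\\product.chm")</script>',
    "suspicious": '<script>showHelp("C:\\\\Help\\\\product.chm::/..//..//PLACEHOLDER.html")</script>',
}

if __name__ == "__main__":
    for name, page in SAMPLE_PAGES.items():
        print(name, "block" if should_block(page) else "allow",
              [f.severity for f in scan_html(page)])
```

String-level matching is easily evaded by scripts that assemble the call at runtime, so treat this as a logging and triage aid alongside disabling active scripting, not as a complete control.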

PROVIDED AND/OR DISCOVERED BY:
Arman Nayyeri

OTHER REFERENCES:
The old Internet Explorer showHelp() function vulnerability
(SA8004):
http://www.secunia.com/advisories/8004/

-- 
"...Linux, MS-DOS, and Windows XP (also known as the Good, the Bad, and
the Ugly)."