Yes, I checked out the script that called calc.exe, but from what I learn
each month at my OWASP meetings about XSS and the really nefarious
things that can be done to a system, calling a system executable is only
the tip of the iceberg of the bad stuff that can happen with these.

 

Z

 

Edward Ziots

CISSP,MCSA,MCP+I,Security +,Network +,CCA

Network Engineer

Lifespan Organization

401-639-3505

[email protected]

 

From: James Winzenz [mailto:[email protected]] 
Sent: Thursday, June 10, 2010 11:36 AM
To: NT System Admin Issues
Subject: RE: More pain on the Windows front, possible 0 day

 

Have any of you checked out the examples of the exploit on the
seclists.org site?  It is innocuous - only spawns calc.exe, but it is a
good example of what can be done with this exploit.  Have already passed
it on to my manager to see if we can get a GPO implemented.

Thanks,
 
James Winzenz



 

________________________________

Subject: RE: More pain on the Windows front, possible 0 day
Date: Thu, 10 Jun 2010 11:01:26 -0400
From: [email protected]
To: [email protected]

I would also see phishing attacks with this type of exploit as the
payload, along with others. Maybe they combine it with MPACK or Zeus...

 

Z

 

Edward Ziots

CISSP,MCSA,MCP+I,Security +,Network +,CCA

Network Engineer

Lifespan Organization

401-639-3505

[email protected]

 

From: James Rankin [mailto:[email protected]] 
Sent: Thursday, June 10, 2010 10:19 AM
To: NT System Admin Issues
Subject: Re: More pain on the Windows front, possible 0 day

 

I would assume the primary method of exploitation would be through a
crafted URL, delivered by whatever method your average virus writer
chooses - email, IM, Facebook, etc.

On 10 June 2010 15:09, David Lum <[email protected]> wrote:

So I'm not clear...if someone clicks on "Help and Support" in 2003 / XP
it's possible for them to get exploited because they might look for
something and get redirected to a compromised site? I'm not clear...where
would my users have to go to get exploited?

David Lum // SYSTEMS ENGINEER 
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

 

From: Ziots, Edward [mailto:[email protected]] 
Sent: Thursday, June 10, 2010 6:46 AM


To: NT System Admin Issues
Subject: RE: More pain on the Windows front, possible 0 day

 

What I am thinking is, if we don't have the spot in the registry, then
maybe configure your web filtering to block all URLs or sequences that
are calling HCP://

 

Per the seclists.org site the rogue html file had the following in it:

$ cat starthelp.html

<iframe src="hcp://...">

 

But this was shown accordingly:

Few users rely on Help Centre urls, it is safe to temporarily disable
them by removing HKCR\HCP\shell\open. This modification can be deployed
easily using GPOs. For more information on Group Policy, see Microsoft's
Group Policy site, here.
 
This is the exported registry per my XP SP3 system.

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\HCP]
@="Help Center Pluggable Protocol"
"URL Protocol"=""
"EditFlags"=dword:00000002
"FriendlyTypeName"="@C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\HCAppRes.dll,-2100"

[HKEY_CLASSES_ROOT\HCP\shell]

[HKEY_CLASSES_ROOT\HCP\shell\open]

[HKEY_CLASSES_ROOT\HCP\shell\open\command]
@="\"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\HelpCtr.exe\" -FromHCP -url \"%1\""
 
Then you can save this .reg file for restoration procedures if needed.

Then, following the directions in http://support.microsoft.com/kb/310516,
I believe it would basically look like the following for
HCPfix.reg

Windows Registry Editor Version 5.00

; Removes the HCP protocol handler registration so hcp:// URLs are no
; longer handed to HelpCtr.exe. A [-key] line deletes the key and
; everything beneath it, so the shell, open and command subkeys go with
; it and no value lines are needed here. Restore from the exported .reg
; above if Help Center is wanted again. (The advisory's narrower option
; is removing only HKCR\HCP\shell\open.)
[-HKEY_CLASSES_ROOT\HCP]
 
Then do a test deploy with a Startup GPO with the following as the script.

HCPfix.cmd

rem %~dp0 expands to the folder this script was started from, so the
rem .reg file is found next to the script whatever the working directory.
regedit.exe /s "%~dp0HCPfix.reg"

 
 
 
http://technet.microsoft.com/en-us/windowsserver/bb310732.aspx

 

 

I haven't tried it, since I have HIPS at the workstation as a mitigation
control, but for those who don't this might just be the workaround you
are going to need before M$ puts out an OOB patch, if they are going to.
Depends on how many PCs you have at risk, how many privileges your users
have and how much of a threat you believe them to be against this
exploit from the internet. 

 

Sincerely,

EZ

 

Edward Ziots

CISSP,MCSA,MCP+I,Security +,Network +,CCA

Network Engineer

Lifespan Organization

401-639-3505

[email protected]

 

From: James Rankin [mailto:[email protected]] 
Sent: Thursday, June 10, 2010 9:14 AM


To: NT System Admin Issues
Subject: Re: More pain on the Windows front, possible 0 day

 

I think it is just for XP/2003, and it is the MS Help Center stuff



It actually doesn't work properly on 2008, as far as I can tell - I was
looking a bit too deep

On 10 June 2010 14:08, David W. McSpadden <[email protected]> wrote:

I don't have it as well but I am win7pro and I didn't install the HP
help center software??

Maybe??

 

 

________________________________

From: James Rankin [mailto:[email protected]] 
Sent: Thursday, June 10, 2010 8:38 AM


To: NT System Admin Issues
Subject: Re: More pain on the Windows front, possible 0 day

 

I can't find the protocol handler anywhere in HKCR?

On 10 June 2010 13:31, Joe Tinney <[email protected]> wrote:

The article Susan linked had a mitigations section. The one I am most
interested in was the temporary disabling of the hcp protocol handler in
the registry.

 

http://lock.cmpxchg8b.com/b10a58b75029f79b5f93f4add3ddf992/ADVISORY

 

From: Ziots, Edward [mailto:[email protected]] 
Sent: Thursday, June 10, 2010 7:23 AM


To: NT System Admin Issues

Subject: RE: More pain on the Windows front, possible 0 day

 

My initial thought would be HIPS to block the helpctr from even being
called, either that or stopping the Help and Support Center service, and
ACLing the helpctr.exe. But still waiting to see what comes up on the
security lists from Microsoft that Susan Bradley, myself and others are
on, for additional mitigation aspects. 

 

It is a unique exploit since it combines XSS with a hex obfuscation to
bypass Windows system controls. 

 

Z

 

Edward Ziots

CISSP,MCSA,MCP+I,Security +,Network +,CCA

Network Engineer

Lifespan Organization

401-639-3505

[email protected]
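As an added example (not code from any of the mails in this thread), here is a Python content check of the sort a web filter or proxy could apply to HTML bodies. It covers both the blocking of URLs calling HCP:// that Edward proposes earlier in the thread and the hex obfuscation he mentions just above: entities and percent-encoding are decoded before matching, so an encoded reference is caught as well as a plain one. The sample page bodies are constructed.

```python
import re
from html import unescape
from urllib.parse import unquote

# An hcp: reference after normalisation; whitespace before the colon is
# tolerated so "hcp ://" is not missed. Case-insensitive.
HCP_URL = re.compile(r'hcp\s*:[^\s"\'<>]*', re.IGNORECASE)


def normalize(text, rounds=3):
    """Undo character entities and percent-encoding, repeated a bounded number
    of times so doubly encoded forms such as %2568 (-> %68 -> h) also resolve."""
    for _ in range(rounds):
        decoded = unquote(unescape(text))
        if decoded == text:
            break
        text = decoded
    return text


def find_hcp_references(content):
    """Return every hcp: URL in a page body, with the scheme lower-cased and any
    whitespace before the colon removed, so the caller gets one canonical form."""
    found = []
    for match in HCP_URL.finditer(normalize(content)):
        found.append('hcp:' + match.group(0).split(':', 1)[1])
    return found


def scan_pages(pages):
    """Map page name -> list of hcp: URLs for every page that contains one."""
    hits = {}
    for name, body in pages.items():
        refs = find_hcp_references(body)
        if refs:
            hits[name] = refs
    return hits


# Constructed sample bodies (not from the thread): one hcp:// reference in plain,
# percent-encoded, entity-encoded and double-encoded form, plus a clean page.
SAMPLE_PAGES = {
    "plain.html": '<iframe src="hcp://services/search?query=anything"></iframe>',
    "percent.html": '<iframe src="%68%63%70://services/search?query=anything"></iframe>',
    "entities.html": '<a href="&#104;&#99;&#112;://services/search">help</a>',
    "double.html": '<iframe src="%2568%2563%2570%3A//services/search"></iframe>',
    "clean.html": '<a href="http://support.microsoft.com/kb/310516">KB310516</a>',
}

if __name__ == "__main__":
    for name, refs in scan_pages(SAMPLE_PAGES).items():
        print(f"{name}: {refs}")
```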

 

From: James Rankin [mailto:[email protected]] 
Sent: Thursday, June 10, 2010 7:16 AM
To: NT System Admin Issues
Subject: Re: More pain on the Windows front, possible 0 day

 

Saw this earlier on Patch Management...any word yet on
workaround/mitigation to keep us sane until the inevitable OOB patch
comes around?

On 10 June 2010 12:00, Ziots, Edward <[email protected]> wrote:

http://www.theregister.co.uk/2010/06/10/windows_help_bug/
http://seclists.org/fulldisclosure/2010/Jun/205

Looks like a combination of XSS, and invoking the hcp protocol for help
and support center to execute commands in the context of the logged on
user.

PS: Mad Props to Susan Bradley on the Patch Management list for putting
this out....

Z

Edward Ziots
CISSP,MCSA,MCP+I,Security +,Network +,CCA
Network Engineer
Lifespan Organization
401-639-3505
[email protected]


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~




-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put
into the machine wrong figures, will the right answers come out?' I am
not able rightly to apprehend the kind of confusion of ideas that could
provoke such a question."

 

 

 

 

 

 



