[NT] Microsoft MSHTA Script Execution Vulnerability

The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Microsoft MSHTA Script Execution Vulnerability
------------------------------------------------------------------------


SUMMARY

Microsoft HTML Application Host is "a standard process of the Windows 
operating system. It performs some useful functions and manages the 
performance of some of the third-party software. Usually it starts and 
terminates automatically. Microsoft HTML Application Host (MSHTA) is part 
of the Microsoft Windows operating system and is needed to execute .HTA 
files".

Remote exploitation of a design error vulnerability in Microsoft Windows 
operating system allows attackers to execute arbitrary script code from a 
non-executable object.

DETAILS

Vulnerable Systems:
 * Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 
Service Pack 4.
 * Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service 
Pack 2.
 * Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium).
 * Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium).
 * Microsoft Windows Server 2003.
 * Microsoft Windows Server 2003 for Itanium-based Systems.
 * Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and 
Microsoft Windows Millennium Edition (ME).

Immune Systems:
 * Microsoft Windows Server 2003 Service Pack 1.
 * Microsoft Windows Server 2003 with SP1 for Itanium-based Systems.
 * Microsoft Windows Server 2003 x64 Edition.
 * Microsoft Windows XP Professional x64 Edition.

Various files, such as a Microsoft Word documents will be opened by the 
appropriate program even if they are renamed with an unknown extension. 
The reason for this is that the CLSID of the Microsoft Word program is 
stored within the OLE2 document. The CLSID of a given file can be 
manipulated to specify that another program should handle the opening of 
the file. The CLSID is located after the Unicode string "Root Entry" as 
seen in the following excerpt:

b800h: 52 00 6F 00 6F 00 74 00 20 00 45 00 6E 00 74 00 R.o.o.t. .E.n.t.
b810h: 72 00 79 00 00 00 00 00 00 00 00 00 00 00 00 00 r.y.............
b820h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
b830h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
b840h: 16 00 05 01 FF FF FF FF FF FF FF FF 03 00 00 00 ....        ....
b850h: 06 09 02 00 00 00 00 00 C0 00 00 00 00 00 00 46 ........ ......F

In the above example, the CLSID {00020906-0000-0000-C000-000000000046}, 
can be found at the hex offset 0xb850 from above. An attacker can execute 
arbitrary script code from a seemingly non-executable object by appending 
script code to the end of a file and modifying the CLSID to be that of the 
Microsoft HTML Application Host (MSHTA). The MSHTA CLSID can be found in 
the Windows Registry. This attack works because MSHTA.EXE will completely 
scan the file passed in as an argument in search of script code. If found, 
the code will be executed. While the given example is built on 
modifications to a Microsoft Word document, it is important to note that 
this vulnerability is not Word specific or dependant and in fact can not 
manifest in Word documents containing a handled file extension.

Workaround:
Removing the associated CLSID for MSHTA from system registry prevents 
exploitation of the described vulnerability:
HKEY_CLASSES_ROOT\CLSID\{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}

This key should be backed-up before removal. Please note that removing 
this key may cause other problems. Preliminary testing shows that the key 
is not necessary for regular system usage.

Vendor Status:
This vulnerability is addressed in Microsoft Security Bulletin MS05-016 
available at:
 <http://www.microsoft.com/technet/security/Bulletin/MS05-016.mspx> 
http://www.microsoft.com/technet/security/Bulletin/MS05-016.mspx

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0063> 
CAN-2005-0063

Disclosure Timeline:
 * 11.02.04 - Initial vendor notification
 * 11.02.04 - Initial vendor response
 * 04.12.05 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDEFENSE.
The original article can be found at:  
<http://www.idefense.com/application/poi/display?id=231&type=vulnerabilities> 
http://www.idefense.com/application/poi/display?id=231&type=vulnerabilities



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.