I successfully reproduced this exploit on a fully patched XPSP2 installation and can verify that malware.htm is planted locally after which HTML Help is used to launch it and circumvent the XPSP2 browser security improvements, compromising the system.
However, this exploit did not work on any systems with Qwik-Fix Pro installed, from Windows 95 to Windows XP Service Pack 2. A free Home edition and a trial Corporate edition are available for download at http://www.pivx.com/qwikfixDownload.asp

Before you can successfully use any Drag'n'Drop technique or script shortcuts to plant a file on the local system, you first need to be able to reference local content. If you cannot reference local content or directories from the Internet zone, then you cannot retrieve the window handle that is necessary for any Drag'n'Drop exploit or any cross-domain scripting exploit. IE6SP1 initially blocked all direct references to the FILE:// and RES:// protocols, which I demonstrated how to circumvent through the OBJECT element. This was quickly patched in the next cumulative security update, which thereby blocked the traditional cross-domain scripting exploits. XPSP2 went further and tightened down the Local Machine Zone (LMZ) with the recommendations PivX Labs made public in late 2003, so that even if you could find a way to reference local content and subsequently inject scripting through a cross-domain vulnerability, you would not be able to accomplish anything. This LMZ lockdown has a per-process exception list in which HTML Help is included.

When the LMZ is locked down, attackers have to find alternative attack vectors, of which the Drag'n'Drop vulnerability is a prime example. When IE renders an IMG element it gives priority to the SRC attribute, but when IE drops an IMG element on an arbitrary window it gives priority to the DYNSRC attribute. If you are able to reference any local content, you can therefore drop the DYNSRC attribute of the IMG element on the window with local content and thereby plant a file on the file system in a known location. The browser security improvements in XPSP2 do not include further restrictions on referencing local content, which is why the Drag'n'Drop exploits to this date affect fully patched XPSP2 systems.
Qwik-Fix Pro restricts local content referencing through a number of means, one of which is responsible for protecting against this exploit: in order for http-equiv's exploit to work, the "ceegar.html" file uses the AnchorClick behavior to open "C:\WINDOWS\PCHealth\" in a named window, which is then used as a drop target for the DYNSRC pointing to the "malwarez" file. When any behavior in IE tries to list a local directory it uses the Shell.Explorer ActiveX object, an object which has no justification for use inside the browser but which is heavily used by Windows Explorer itself. Setting the Kill Bit on the Shell.Explorer ActiveX object prevents IE from referencing local directories in a window object, whether it's through the AnchorClick behavior or some other approach that we discover tomorrow.

The GUID for Shell.Explorer is {8856F961-340A-11D0-A96B-00C04FD705A2}, and Knowledge Base article 240797 (http://support.microsoft.com/?kbid=240797) explains how the process works. PivX Labs released a freely available registry fix that sets the Kill Bit on Shell.Explorer almost 2 months ago; it can be downloaded from http://www.pivx.com/research/freefixes/neutershellexplorer.reg

For clarity, here are the file contents:

=== neutershellexplorer.reg ===
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8856F961-340A-11D0-A96B-00C04FD705A2}]
"Compatibility Flags"=dword:00000400
=== neutershellexplorer.reg ===

PivX Labs has covered this topic several times before on the Unpatched mailing list, which receives advance notification of our security research, including several Win95-XPSP2 vulnerabilities that will be released in the interim future.
For more information or to subscribe you can visit http://unpatched.pivxlabs.com

Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
23 Corporate Plaza #280
Newport Beach, CA 92660
http://www.pivx.com
[EMAIL PROTECTED]
Stock symbol: (PIVX.OB)
Phone: +1 (949) 231-8496
PGP: 0x4207AEE9
B5AB D1A4 D4FD 5731 89D6 20CD 5BDB 3D99 4207 AEE9

PivX defines a new genre in Desktop Security: Proactive Threat Mitigation.
<http://www.pivx.com/qwikfix>

-----Original Message-----
From: Windows NTBugtraq Mailing List [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, October 20, 2004 5:36 AM
To: [EMAIL PROTECTED]
Subject: How to Break Windows XP SP2 + Internet Explorer 6 SP2

Snip

http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0410&L=ntbugtraq&F=P&S=&P=10781

Snip

http://tinyurl.com/4xeww

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
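The kill-bit fix above is a one-line registry value, but two things go wrong in practice when it is rolled out to many machines: the value is overwritten rather than OR'ed (clobbering other Compatibility Flags already set for the control), or a later fix silently drops it. The following is an added example, not code from Thor Larholm's post or from PivX. It is a small offline parser for the Registry Editor 5.00 text format (covering only the dword, string and delete-value forms that appear in such fixes), an audit function that reports whether bit 0x400 (the kill bit described in KB 240797) is set for a given CLSID, and a renderer that emits a .reg fragment which preserves any existing flags. The embedded .reg text is the neutershellexplorer.reg contents quoted in the post; the function and constant names are this example's own.

```python
"""Audit and generate Internet Explorer ActiveX kill-bit (.reg) fixes.

Added example; not part of the original post or of PivX's tooling.
Parses the "Windows Registry Editor Version 5.00" text format and checks
the Compatibility Flags dword under the ActiveX Compatibility key.
"""
import re

KILL_BIT = 0x00000400  # bit documented in KB 240797 as the ActiveX kill bit
ACTIVEX_COMPAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft"
                      r"\Internet Explorer\ActiveX Compatibility")
SHELL_EXPLORER_CLSID = "{8856F961-340A-11D0-A96B-00C04FD705A2}"  # from the post

# Contents of neutershellexplorer.reg exactly as quoted in the post.
NEUTER_SHELL_EXPLORER_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{8856F961-340A-11D0-A96B-00C04FD705A2}]
"Compatibility Flags"=dword:00000400
"""

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def parse_reg(text):
    """Parse a Registry Editor 5.00 export into {key_path: {value_name: data}}.

    dword data is decoded to int, "name"=- (delete) becomes None, and any
    other data type is kept as its raw string.  Comment lines (;) and the
    header line are skipped.  Key paths are kept as written; lookups below
    compare them case-insensitively, as the registry itself does.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"value outside any [key]: {raw!r}")
        m = _VALUE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        name = "@" if m.group(2) else re.sub(r"\\(.)", r"\1", m.group(1))
        data = m.group(3)
        if data.lower().startswith("dword:"):
            keys[current][name] = int(data[len("dword:"):], 16)
        elif data == "-":
            keys[current][name] = None
        else:
            keys[current][name] = data
    return keys


def compat_flags(reg, clsid):
    """Return the Compatibility Flags dword for clsid, or None if not present."""
    want = f"{ACTIVEX_COMPAT_KEY}\\{clsid}".casefold()
    for key_path, values in reg.items():
        if key_path.casefold() == want:
            flags = values.get("Compatibility Flags")
            return flags if isinstance(flags, int) else None
    return None


def kill_bit_set(reg, clsid):
    """True only if the control's Compatibility Flags has bit 0x400 set."""
    flags = compat_flags(reg, clsid)
    return flags is not None and bool(flags & KILL_BIT)


def with_kill_bit(existing_flags):
    """Flags to write: OR the kill bit in, never overwrite other flags."""
    return (existing_flags or 0) | KILL_BIT


def render_kill_bit_reg(clsid, existing_flags=None):
    """Emit a .reg fragment that sets the kill bit for clsid, preserving
    whatever other Compatibility Flags the machine already has."""
    return ("Windows Registry Editor Version 5.00\n\n"
            f"[{ACTIVEX_COMPAT_KEY}\\{clsid}]\n"
            f'"Compatibility Flags"=dword:{with_kill_bit(existing_flags):08x}\n')


if __name__ == "__main__":
    reg = parse_reg(NEUTER_SHELL_EXPLORER_REG)
    print("Shell.Explorer kill bit set:", kill_bit_set(reg, SHELL_EXPLORER_CLSID))
    # A host that already had flags 0x1 on the control keeps them: 0x401.
    print(render_kill_bit_reg(SHELL_EXPLORER_CLSID, existing_flags=0x1))
```

Run it against a `reg export` of the ActiveX Compatibility key taken from a host after the fix has been merged to confirm the bit is actually present; `compat_flags` returning `None` means the control has no compatibility entry at all, which is a different (unmitigated) state from a value without the 0x400 bit.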