

It Might Not Be A Vulnerability If…

There are some things that just aren't vulnerabilities. If the exploit starts with "First become admin…", it might not be a vulnerability. Likewise, if the exploit starts with "First, you steal the computer, boot a rogue operating system, and then, BWAHAHAHAHA…", it might not be a vulnerability.

Some of the things I've seen come through MSRC are just really bad. I recall one quite a while back where a "vulnerability" was reported in cmd.exe, where if you could get me to run a command line full of shell code, you could run arbitrary code. That's really working much too hard. If you can get me to run "net user 3v1lH4x0r K3wlR4dPwd! /add & net localgroup administrators 3v1lH4x0r /add", I'm toast, you win, game over.

This leads me to my personal anti-favorite "not a vulnerability": .HLP files are equivalent to executables! Yep, if you put a bunch of shell code into my .hlp file, you're just really working too hard. I know this because back at ISS, in addition to being dev lead, PM, domain admin, 2nd tier tech support, and head Windows vuln check creator, I also did all or most of the help system for 3 or 4 releases. In old .HLP files, the way you extended them was by compiling up whatever you needed into a DLL, typically making the argument a string, and then inserting it into the help file as a 'macro'. These can run on load. If you had the old RoboHelp stuff, some of the default help files made with their system there for a while would ship a few extra binaries to make it do cool stuff. We used to have one to figure out where the browser was and launch it so people could find patches and other resources.

If you're even just a teeny bit evil, it might come to mind that you could make a help file that just used the system DLLs, and called something fun, like ShellExecute, or maybe system(), and it would be a totally legal help file that's operating by design. So if you're in the exploit finding business, please don't waste your time fuzzing .HLP files. It's really old code, and though you might find something, it won't get your name in lights, and it's a terribly inefficient way to hack people. It's really easier, and likely more productive, to just offer people chocolate in exchange for their passwords. BTW, don't think they're limited to just string arguments – if you are clever, you can call nearly any type of API, though pointers are hard.

If you're on the other side of the problem, it is probably a bad idea to let .hlp files come through e-mail, and don't run them unless you'd also trust the people who made the executable that they go with. A completely correct and well-formed HLP file is just as dangerous as an executable.
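One way to apply the mail-filtering advice above, as an added example that is not part of the original post: a gateway-style check that flags WinHelp attachments by extension and by leading bytes, so a renamed or zipped .hlp is still caught. The magic number comes from the publicly documented WinHelp file format rather than from this page; the function names are hypothetical and the sample message is constructed.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

HLP_MAGIC = b"\x3f\x5f\x03\x00"  # WinHelp magic 0x00035F3F, little-endian

def looks_like_hlp(name, head):
    """Return why a part looks like WinHelp ('extension' or 'magic'), else None."""
    if (name or "").lower().endswith(".hlp"):
        return "extension"
    return "magic" if head[:4] == HLP_MAGIC else None

def zip_hits(outer_name, data):
    """Check every member of a zip attachment by name and by leading bytes."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            try:
                with zf.open(info) as fh:
                    head = fh.read(4)  # read only the header, never the whole member
            except RuntimeError:  # encrypted member: only the name can be checked
                head = b""
            if reason := looks_like_hlp(info.filename, head):
                hits.append((f"{outer_name}!{info.filename}", reason))
    return hits

def find_hlp_attachments(raw_message):
    """Return (filename, reason) for each HLP-like MIME part of a raw message."""
    hits = []
    for part in message_from_bytes(raw_message, policy=policy.default).walk():
        # Multipart containers decode to None, so they fall through as empty.
        name, data = part.get_filename(), part.get_payload(decode=True) or b""
        if reason := looks_like_hlp(name, data):
            hits.append((name, reason))
        elif zipfile.is_zipfile(io.BytesIO(data)):
            hits.extend(zip_hits(name, data))
    return hits

def build_sample():
    """Constructed message: renamed HLP header, zipped .HLP, harmless file."""
    msg = EmailMessage()
    msg.set_content("see attachments")
    stub = HLP_MAGIC + b"\x00" * 12  # header bytes only, not a working help file
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/Guide.HLP", stub)
    for name, blob in (("readme.dat", stub), ("docs.zip", buf.getvalue()), ("notes.bin", b"hello")):
        msg.add_attachment(blob, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

A hit should be quarantined the same way an attached executable would be, since a well-formed HLP file carries the same risk.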

Comments

  • Anonymous
    April 13, 2007
    Does this explain why Windows Help (the viewer for .hlp files) was removed from Windows Vista?
    [dcl] I don't know. I wasn't part of that decision. It's a fundamentally insecure design, and it's time we retired it. It made sense in 1990...

  • Anonymous
    April 16, 2007
    This is true - if everyone is admin, it isn't so hard to get to be admin. This is why we have UAC - to try and get people back to where the security system can help them. Thanks for your comment!