MMC resource cross-site scripting vulnerability


Yorick Koster, August 2005

Abstract


Several resources from the mmcndmgr.dll shared library (on Windows 2000) contain a cross-site scripting vulnerability. When exploited from the local intranet zone, an attacker can execute arbitrary scripting code in the security context of the local computer zone.

Affected versions



This issue has been tested on Windows 2000 SP4 and Windows XP SP2 with the latest security updates applied. Only Windows 2000 SP4 is affected by this issue.

Fix


This issue was addressed by MS06-044.

res protocol


The res protocol can be used to load files from shared libraries. For example, the link below will load the file SERVBUSY.HTM from the C:\WINNT\System32\shdoclc.dll library.

res://C:\WINNT\System32\shdoclc.dll/SERVBUSY.HTM

When using res URLs, it is not required to enter a full path name for the shared library. It is also possible to only enter the name of the shared library containing the resource file. Windows will try to find the library using a pre-defined search strategy. For example:

res://shdoclc.dll/SERVBUSY.HTM

The following note can be found in the MSDN documentation about the res protocol:

"Note Internet Explorer 6 Service Pack 1 (SP1) no longer allows browsing a local machine from the Internet zone. For instance, if an Internet site contains a link to a local file, Internet Explorer 6 SP1 displays a blank page when a user clicks on the link. Previous versions of Internet Explorer followed the link to the local file."

Although this is true for the two links above, it is still possible to load resources from libraries by omitting the .dll extension from the library name. Doing so, however, loads the resource file in the Internet zone. For example:

res://shdoclc/SERVBUSY.HTM

Note that Windows XP SP2 does not have this restriction. Internet Explorer 6 on Windows XP will load res pages from the Internet zone. However, these res pages are always loaded in the Internet zone (as far as I am aware).

MMC resource cross-site scripting


Windows 2000 comes with a shared library called mmcndmgr.dll, which is located in the system directory. Amongst other resources, this library contains the following files (these files are not available in mmcndmgr.dll shipped with Windows XP SP2):

   * JSPREV.JS
   * LOADSYM.HTM
   * LOADSYM12.HTM

The files JSPREV.JS and LOADSYM12.HTM contain the same cross-site scripting vulnerability. LOADSYM.HTM uses functions from JSPREV.JS and is therefore also affected. The vulnerability exists in the following piece of code:

function AddEOTStyle()
{
   // Strip out the initial hash "#" char
   var szHash = location.hash.substring(1);
   
   // Unescape the encoded hash
   szHash = unescape(szHash);
   
   // Get index of first delimiter
   var iDelimitLoc1 = szHash.indexOf("|");
   // Get index of last delimiter
   var iDelimitLoc2 = szHash.lastIndexOf("|");
   
   // Get the Unicode symbol string and store it in a global
   gszSymbol = szHash.substring(0, iDelimitLoc1);
   
   // Get the Font Family Name and store it in a global
   gszFontFamily = szHash.substring(iDelimitLoc1 + 1, iDelimitLoc2);
   
   // Get the URL to the EOT
   szURLtoEOT = szHash.substring(iDelimitLoc2 + 1);
   
   // Create style tag for EOT @font-face definition
   var szStyleDef = "<style>\n";
   szStyleDef += "@font-face\n";
   szStyleDef += "{\n";
   szStyleDef += "font-family:" + gszFontFamily + ";\n";
   szStyleDef += "src: url(" + szURLtoEOT + ");\n";
   szStyleDef += "}\n";
   szStyleDef += "</style>\n\n";
   
   
   return szStyleDef;
}


As can be seen, the gszFontFamily and szURLtoEOT variables contain data taken directly from location.hash, and both are concatenated into the style markup without any validation or encoding. Because of this, a remote attacker who controls the fragment can break out of the style block and execute arbitrary scripting code in the security context of the res page, as the two URLs below demonstrate:

res://mmcndmgr/LOADSYM.HTM#");</style><script>alert('Hello Word!'); </script>
res://mmcndmgr.dll/LOADSYM.HTM#");</style><script>alert('Hello Word!'); </script>
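As an added illustration (not code from the advisory), the hash parsing above is reimplemented as a pure function beside a hardened builder that requires both delimiters and validates the font family and EOT URL against a strict allowlist before emitting the @font-face rule. The function names and the sample fragment values are assumptions; the hash is passed in rather than read from location.hash so it runs under Node.

```javascript
// Mirror of the advisory's parsing: the fragment is "symbol|fontFamily|urlToEOT".
// Note that when no "|" is present, indexOf/lastIndexOf return -1, the font family
// becomes "" and the whole fragment lands in urlToEOT (which is what the PoC abuses).
function parseEotHash(hash) {
  let s = hash.startsWith("#") ? hash.substring(1) : hash;
  s = unescape(s); // same legacy decoding the original code uses
  const first = s.indexOf("|");
  const last = s.lastIndexOf("|");
  return {
    delimiters: first >= 0 && last > first, // true only if two distinct "|" exist
    symbol: s.substring(0, first),
    fontFamily: s.substring(first + 1, last),
    urlToEOT: s.substring(last + 1),
  };
}

// Original behaviour: raw concatenation, so any field can close url( and </style>.
function buildStyleUnsafe(fields) {
  return "<style>\n@font-face\n{\nfont-family:" + fields.fontFamily +
         ";\nsrc: url(" + fields.urlToEOT + ");\n}\n</style>\n\n";
}

// Hardened: allowlist instead of escaping. No quotes, parentheses, angle brackets,
// semicolons or whitespace can appear in either field, so breaking out is impossible.
const FONT_FAMILY_RE = /^[A-Za-z0-9_-]{1,64}$/;
// Relative path or http(s) URL made only of URL-safe characters, ending in .eot
// (constructed policy for this example, not the original page's).
const EOT_URL_RE = /^(?:https?:\/\/)?[A-Za-z0-9._~\/-]+\.eot$/i;

function buildStyleSafe(hash) {
  const f = parseEotHash(hash);
  if (!f.delimiters) return null;                  // malformed fragment: reject
  if (!FONT_FAMILY_RE.test(f.fontFamily)) return null;
  if (!EOT_URL_RE.test(f.urlToEOT)) return null;
  return "<style>\n@font-face\n{\nfont-family:\"" + f.fontFamily +
         "\";\nsrc: url(\"" + f.urlToEOT + "\");\n}\n</style>\n\n";
}
```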

Impact


Exploiting this vulnerability from the Internet zone does not give an attacker additional privileges: the res page is loaded in the Internet zone, and consequently so is the injected scripting code. Performing the same trick from the local intranet zone does give the attacker additional privileges. On Windows 2000, the res page is then loaded in the local computer zone, which allows an attacker to execute arbitrary scripting code in the security context of the local computer zone.

Because of this, an attack will most likely be successful on large corporate networks. In combination with another vulnerability, it may also be possible to get into the local computer zone from the Internet zone.