[windows2000] Article

  • From: "Greg Reese" <GReese@xxxxxxxxxxxxxxxx>
  • To: <windows2000@xxxxxxxxxxxxx>
  • Date: Fri, 13 Sep 2002 11:36:34 -0400

I found this at the Register's US site. I know many of you don't care for the Register but it is an interesting article anyway. It deals with an exploit in Windows XP that could cause an entire hard drive to be wiped clean. Sounds rather scary to me.

Greg

From The Register US:

http://www.theregus.com/content/4/26272.html

Win-XP Help Center request wipes your HD
By Thomas C Greene in Washington <mailto:tcgreene@xxxxxxxxxxxxxxxx>
Posted: 09/11/2002 at 08:28 EST
A malicious Win-XP Help Center request can easily and silently delete the contents of any directory on your Windows machine, we've learned. Worse, MS has rolled the fix silently into SP1 without making a public announcement. A good sketch of the problem in English, along with a harmless self-test, can be found here <http://24.78.2.184/helpcenter.htm>, thanks to Mike at http://unity.skankhouse.org, who did some tinkering after noticing a tip on a BBS.

Another, slightly earlier, mention comes from VSAntivirus <http://www.vsantivirus.com/xp-files-del.htm>, but the page, unfortunately, is en español, though there are some handy screen shots in their bulletin.

The hole was discovered by Shane Hird of Distributed Systems Technology Centre, who first reported it to MS on 25 June 2002. His bulletin <http://www.security.nnov.ru/search/document.asp?docid=3370>, dated 15 August, offers the most detailed view of the problem. He suggests that fellow bug hunters look more deeply into the Help Center and its mysterious powers, since requests can remotely open files with elevated privileges. He offers a few hints about where one might start probing.

To verify the exploit all you need to do is pop the following request into any address bar (IE, Win Explorer, etc): hcp://system/DFS/uplddrvinfo.htm?file://c:\test\* and the directory 'test' will be emptied after a couple of Help Center 'wizard' pages pop up uselessly to distract you.

The example works as advertised, so anyone wanting to play with it should create a test directory with copies of files. Of course you can delete your entire root directory with this approach if you so choose. Or someone else's.

The exploit is extremely dangerous because it looks to the casual user just like a URL, and can be sent in an e-mail or set up as a link on a Web page. Promising heaps of free pr0n in a busy IRC channel would likewise be effective.

To get rid of the vulnerability, you have two choices. You can install XP's new SP1, which will give Billg remote root privileges on your box by virtue of his new, Trojan EULA <http://www.theregister.co.uk/content/4/26517.html> (and silently re-enable some services you may have disabled like 'automatic update'); or you can just go to C:\Windows\PCHEALTH\HELPCTR\SYSTEM\DFS\ and find the file uplddrvinfo.htm. This you can simply delete or rename. But beware of installing MS patches later on: these have a funny tendency to restore files and settings outside their immediate purview, back to Redmond defaults.

To check it out I did a clean install of XP and verified the exploit on a virgin image. I then installed all of the XP patches and updates except SP1, and it still worked. So SP1 is the only 'official' means of fixing the hole. It's not otherwise been dealt with. Those who object to the SP1 EULA on moral grounds will have to delete or rename uplddrvinfo.htm, and do a search for it after subsequent patching to verify that it's still gone.

Problems with the XP Help Center have been known for some time, at least since November 2001, when this exploitable buffer overflow <http://online.securityfocus.com/archive/1/241589> was first reported. Now the issue has finally been fixed, in the background, with no announcement from Redmond. This means that any XP user who doesn't install SP1, and who never hears of the flaw, will remain vulnerable.

Redmond's handling of the issue is appalling. Apparently, 'Trustworthy Computing' means never having to say you screwed up. ®
