MMC resource cross-site scripting vulnerability
Yorick Koster, August 2005
Abstract
Several resources from the mmcndmgr.dll shared library (on Windows 2000) contain a cross-site scripting vulnerability. When exploited from the local intranet zone, an attacker can execute arbitrary scripting code in the security context of the local computer zone.
Affected versions
This issue has been tested on Windows 2000 SP4 and Windows XP SP2 with the latest security updates applied. Only Windows 2000 SP4 is affected by this issue.
Fix
This issue was addressed by MS06-044.
res protocol
The res protocol can be used to load files from shared libraries. For example, the link below will load the file SERVBUSY.HTM from the C:\WINNT\System32\shdoclc.dll library.
res://C:\WINNT\System32\shdoclc.dll/SERVBUSY.HTM
When using res URLs, it is not required to enter a full path name for the shared library. It is also possible to only enter the name of the shared library containing the resource file. Windows will try to find the library using a pre-defined search strategy. For example:
res://shdoclc.dll/SERVBUSY.HTM
The following note can be found in the MSDN documentation about the res protocol:
"Note Internet Explorer 6 Service Pack 1 (SP1) no longer allows browsing a local machine from the Internet zone. For instance, if an Internet site contains a link to a local file, Internet Explorer 6 SP1 displays a blank page when a user clicks on the link. Previous versions of Internet Explorer followed the link to the local file."
Although this restriction applies to the two links above, it is still possible to load resources from libraries by omitting the .dll extension from the shared library name. However, doing so will load the resource file in the Internet zone. For example:
res://shdoclc/SERVBUSY.HTM
Note that Windows XP SP2 does not have this restriction. Internet Explorer 6 on Windows XP will load res pages from the Internet zone. However, these res pages are always loaded in the Internet zone (as far as I am aware).
MMC resource cross-site scripting
Windows 2000 comes with a shared library called mmcndmgr.dll, which is located in the system directory. Amongst other resources, this library contains the following files (these files are not available in mmcndmgr.dll shipped with Windows XP SP2):
* JSPREV.JS
* LOADSYM.HTM
* LOADSYM12.HTM
The files JSPREV.JS and LOADSYM12.HTM contain the same cross-site scripting vulnerability. LOADSYM.HTM uses functions from JSPREV.JS and is therefore also affected. The vulnerability exists in the following piece of code:
function AddEOTStyle()
{
    // Strip out the initial hash "#" char
    var szHash = location.hash.substring(1);
    // Unescape the encoded hash
    szHash = unescape(szHash);
    // Get index of first delimiter
    var iDelimitLoc1 = szHash.indexOf("|");
    // Get index of last delimiter
    var iDelimitLoc2 = szHash.lastIndexOf("|");
    // Get the Unicode symbol string and store it in a global
    gszSymbol = szHash.substring(0, iDelimitLoc1);
    // Get the Font Family Name and store it in a global
    gszFontFamily = szHash.substring(iDelimitLoc1 + 1, iDelimitLoc2);
    // Get the URL to the EOT
    szURLtoEOT = szHash.substring(iDelimitLoc2 + 1);
    // Create style tag for EOT @font-face definition
    var szStyleDef = "<style>\n";
    szStyleDef += "@font-face\n";
    szStyleDef += "{\n";
    szStyleDef += "font-family:" + gszFontFamily + ";\n";
    szStyleDef += "src: url(" + szURLtoEOT + ");\n";
    szStyleDef += "}\n";
    szStyleDef += "</style>\n\n";
    return szStyleDef;
}
As can be seen, the gszFontFamily and szURLtoEOT variables are taken directly from location.hash and concatenated into the page markup without any validation or encoding. Because of this, a remote attacker who controls the URL fragment can set these variables and execute arbitrary scripting code in the security context of the res page.
res://mmcndmgr/LOADSYM.HTM#");</style><script>alert('Hello Word!'); </script>
res://mmcndmgr.dll/LOADSYM.HTM#");</style><script>alert('Hello Word!'); </script>
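The following hardened version of the fragment-parsing logic is an added example; it is not code from the advisory or from mmcndmgr.dll. It assumes the same "#symbol|family|url" fragment layout that AddEOTStyle() above expects; the function names parseEotHash and buildEotStyle, the allowlist patterns, and the use of decodeURIComponent in place of unescape are this example's own choices. Instead of emitting attacker-controlled text into a <style> element, it rejects any fragment whose font family or EOT URL falls outside a conservative allowlist, so the proof-of-concept fragment shown above yields no markup at all.

```javascript
// Added example (not the advisory's code): parse the "#symbol|family|url"
// fragment the mmcndmgr resource pages expect, but validate every field
// before it is placed in markup. Function names and allowlists are
// this example's own assumptions.

// Font-family names are restricted to a conservative allowlist; quotes,
// angle brackets, parentheses and semicolons are all rejected.
const FONT_FAMILY_RE = /^[A-Za-z0-9 _-]{1,64}$/;

// The EOT location must be an absolute http(s) URL made only of characters
// that cannot terminate a quoted CSS url() token or the <style> element.
const EOT_URL_RE = /^https?:\/\/[A-Za-z0-9._~:\/?@!$&+,;=%-]+$/;

// Splits the fragment exactly as the original AddEOTStyle() does (first and
// last "|"), but returns null instead of a style string whenever the input
// does not satisfy the allowlists.
function parseEotHash(hash) {
  if (typeof hash !== 'string' || hash.charAt(0) !== '#') return null;
  let decoded;
  try {
    decoded = decodeURIComponent(hash.substring(1));
  } catch (e) {
    return null; // malformed percent-encoding
  }
  const first = decoded.indexOf('|');
  const last = decoded.lastIndexOf('|');
  if (first < 0 || last === first) return null; // need two delimiters
  const symbol = decoded.substring(0, first);
  const fontFamily = decoded.substring(first + 1, last);
  const urlToEot = decoded.substring(last + 1);
  if (!FONT_FAMILY_RE.test(fontFamily) || !EOT_URL_RE.test(urlToEot)) {
    return null;
  }
  return { symbol, fontFamily, urlToEot };
}

// Builds the @font-face rule from validated fields only. Quoting the values
// is a second layer of defence; the allowlists already exclude quote
// characters, so the quotes can never be closed early.
function buildEotStyle(hash) {
  const parsed = parseEotHash(hash);
  if (parsed === null) return null;
  return '@font-face {\n' +
    '  font-family: "' + parsed.fontFamily + '";\n' +
    '  src: url("' + parsed.urlToEot + '");\n' +
    '}\n';
}

// Constructed sample inputs: one benign fragment and the shape of the
// advisory's proof-of-concept fragment.
const benignHash = '#%41|Symbol|https://fonts.example.test/symbol.eot';
const hostileHash = '#");</style><script>alert(1);</script>';
console.log(buildEotStyle(benignHash));   // prints the @font-face rule
console.log(buildEotStyle(hostileHash));  // prints null
```

The important design choice is allowlisting rather than escaping: a font family name and a font URL have a small, well-defined character set, so anything outside it can simply be refused. Had the original code validated its two fields this way, or inserted them through DOM properties instead of string concatenation, the fragment could not have broken out of the @font-face rule. For the shipped library itself, the fix is the MS06-044 update named above.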
Impact
Exploiting this vulnerability from the Internet zone does not give an attacker additional privileges. The res page is loaded in the Internet zone and consequently so is the injected scripting code. Performing the same trick from the local intranet zone does give the attacker additional privileges. On Windows 2000, the res page will be loaded in the local computer zone. This allows an attacker to execute arbitrary scripting code in the security context of the local computer zone.
Because of this, an attack is most likely to succeed on large corporate networks. In combination with another vulnerability, it may also be possible to get into the local computer zone from the Internet zone.