Bugtraq mailing list archives
Re: Local user can fool another to run executable. .CNT/.GID/.HLP M$WINNT
From: jsherry () IDT NET (Jay Sherry)
Date: Tue, 7 Dec 1999 13:01:41 -0500
I tried this exploit on my machine. It does not work when you run the help system topic. And microsoft must know about this because the Whats new in Word 97 is not in the help file it is in the Wdman8.cnt file On Tue, 7 Dec 1999, Pauli Ojanpera wrote:
Windows help system uses a HELPFILE.CNT file as table of contents metafile for creating HELPFILE.GID which is needed to view table of contents for HELPFILE.HLP. If you delete previously created HELPFILE.GID and edit HELPFILE.CNT, you can change a topic action to run an executable instead of viewing help for that topic. When victim user uses help system and chooses the infected topic, help system runs an executable from path. Example: - Delete C:\Program Files\Microsoft Office\Office\WDMAIN8.GID (kill winhlp32.exe process if necessary) - Edit C:\Program Files\Microsoft Office\Office\WDMAIN8.CNT which is a text file. You should change the line which has something like: 3 Word 97 new features=woidxWhatsNewInMicrosoftWord97 () wdnew8 hlp>REF to read: 3 Word 97 new features=!EF("CMD.EXE","",1) - Run WinWord and select Help|Contents from menubar. - Find topic "Word 97 new features" and select it. - You should see CMD.EXE to run. BTW that :Title tag in .CNT files has a kind of buffer overflow. Buffer size is ~256 bytes. I think it triggers when the created .GID file is opened. ______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com
Current thread:
- Local user can fool another to run executable. .CNT/.GID/.HLP M$WINNT Pauli Ojanpera (Dec 06)
- Re: Local user can fool another to run executable. .CNT/.GID/.HLP M$WINNT Mnemonix (Nov 07)
- Re: Local user can fool another to run executable. .CNT/.GID/.HLP M$WINNT Jay Sherry (Dec 07)
- Re: Local user can fool another to run executable. .CNT/.GID/.HLP M$WINNT David LeBlanc (Dec 07)