Re: Local user can fool another to run executable. .CNT/.GID/.HLP

From: Mnemonix (mnemonixat_private)
Date: Sun Nov 07 1999 - 19:10:24 PST


    ----- Original Message -----
    From: "Pauli Ojanpera" <pauli_ojanperaat_private>
    To: <BUGTRAQat_private>
    Sent: Tuesday, December 07, 1999 8:55 AM
    Subject: Local user can fool another to run executable. .CNT/.GID/.HLP
    M$WINNT
    
    
    > Windows help system uses a HELPFILE.CNT file as table of contents
    > metafile for creating HELPFILE.GID which is needed to view table of
    > contents for HELPFILE.HLP.
    >
    
     <SNIP>
    > BTW that :Title tag in .CNT files has a kind of buffer overflow. Buffer
    > size is ~256 bytes. I think it triggers when the created
    > .GID file is opened.
    >
    
    
    There are many issues like this with the Windows Help system. I spoke to
    Dave LeBlanc (@microsoft) about this same issue a few months back and as he
    rightly states .hlp (or .cnt or .gid) == .exe.
    
    You can create help files (.hlp) that will exec any program with options you
    want as soon as you click on a .hlp file. There are a number of macros you
    can use to do this such as ExecFile() macro - there are about five or seven.
    As far as the buffer overrun is concerned this was discovered and reported
    to Microsoft and they have addressed the problem. Microsoft's advisory about
    this can be found at
    http://www.microsoft.com/security/bulletins/ms99-015.asp and my original
    analysis of the overrun can be found at
    http://www.cerberus-infosec.co.uk/wpwhlpbuf.html .
    
    As far as the newer HTML help system is concerned (HH.EXE) pretty much most
    of the "execfile" macro functionality has been removed. It is still possible
    however to get HH.EXE to exec a program without the user's intervention
    other than clicking on a chm file. You can use a macro within the HH ActiveX
    control and then use the meta refresh tag in the HTML page to do this so when the
    chm file is opened the page is refreshed and the program is exec'd.
    Fortunately the macro used to do this is only "usable" from local chm files
    and not remote webpages that use the ActiveX control supplied on Win98 boxes.
    
    Cheers,
    David Litchfield
    http://www.cerberus-infosec.co.uk
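The two conditions discussed in this thread (an oversized :Title line in a .cnt file, and a .hlp file carrying an ExecFile macro) can be triaged with a small scanner. This is an added example, not code from either poster; the 256-byte limit is the approximate figure from the thread, the .cnt sample files are constructed, and treating "ExecFile(" as a plain ASCII string inside a .hlp is a heuristic assumption, not a parse of the WinHelp format.

```python
"""Triage scanner for WinHelp .cnt / .hlp files (added example)."""
import re

TITLE_LIMIT = 256  # approximate :Title buffer size reported in the thread
# Heuristic: assume the macro name survives as plain ASCII in the .hlp bytes.
MACRO_RE = re.compile(rb"ExecFile\s*\(", re.IGNORECASE)


def scan_cnt(text: str) -> list[str]:
    """Flag :Title lines in .cnt text whose value exceeds TITLE_LIMIT bytes."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.startswith(":Title"):
            continue
        title = line[len(":Title"):].strip()
        nbytes = len(title.encode("latin-1", "replace"))
        if nbytes > TITLE_LIMIT:
            findings.append(f"line {lineno}: :Title is {nbytes} bytes (> {TITLE_LIMIT})")
    return findings


def scan_hlp(data: bytes) -> list[str]:
    """Flag every occurrence of the ExecFile macro string in raw .hlp bytes."""
    return [f"offset {m.start()}: ExecFile macro string present"
            for m in MACRO_RE.finditer(data)]


def scan_file(path: str) -> list[str]:
    """Dispatch on extension so the scanner can be run over a help directory."""
    lower = path.lower()
    if lower.endswith(".cnt"):
        with open(path, "r", encoding="latin-1") as fh:
            return scan_cnt(fh.read())
    if lower.endswith(".hlp"):
        with open(path, "rb") as fh:
            return scan_hlp(fh.read())
    return []


# Constructed sample inputs (not files from the thread).
SAMPLE_CNT_OK = ":Base sample.hlp\n:Title Sample Help\n1 Overview=main\n"
SAMPLE_CNT_BAD = ":Base sample.hlp\n:Title " + "A" * 300 + "\n1 Overview=main\n"
# "?_\x03\x00" is the WinHelp file signature; the rest is constructed filler.
SAMPLE_HLP = b"?_\x03\x00" + b"\x00" * 16 + b"ExecFile(PROGRAM)" + b"\x00" * 8

if __name__ == "__main__":
    for name, result in [("ok.cnt", scan_cnt(SAMPLE_CNT_OK)),
                         ("bad.cnt", scan_cnt(SAMPLE_CNT_BAD)),
                         ("sample.hlp", scan_hlp(SAMPLE_HLP))]:
        print(name, result or "clean")
```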
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:18:54 PDT