----- Original Message -----
From: "Pauli Ojanpera" <pauli_ojanperaat_private>
To: <BUGTRAQat_private>
Sent: Tuesday, December 07, 1999 8:55 AM
Subject: Local user can fool another to run executable. .CNT/.GID/.HLP M$WINNT

> Windows help system uses a HELPFILE.CNT file as table of contents
> metafile for creating HELPFILE.GID which is needed to view table of contents
> for HELPFILE.HLP.
> <SNIP>
> BTW that :Title tag in .CNT files has a kind of buffer overflow. Buffer size
> is ~256 bytes. I think it triggers when the created
> .GID file is opened.
>

There are many issues like this with the Windows Help system. I spoke to Dave LeBlanc (@microsoft) about this same issue a few months back and as he rightly states .hlp (or .cnt or .gid) == .exe. You can create help files (.hlp) that will exec any program with options you want as soon as you click on a .hlp file. There are a number of macros you can use to do this such as the ExecFile() macro - there are about five or seven.

As far as the buffer overrun is concerned this was discovered and reported to Microsoft and they have addressed the problem. Microsoft's advisory about this can be found at http://www.microsoft.com/security/bulletins/ms99-015.asp and my original analysis of the overrun can be found at http://www.cerberus-infosec.co.uk/wpwhlpbuf.html .

As far as the newer HTML help system is concerned (HH.EXE) pretty much most of the "execfile" macro functionality has been removed. It is still possible however to get HH.EXE to exec a program without the user's intervention other than clicking on a chm file. You can use a macro within the HH ActiveX control and then use the meta refresh tag in the HTML page to do this so when the chm file is opened the page is refreshed and the program is exec'd. Fortunately the macro used to do this is only "usable" from local chm files and not remote webpages that use the ActiveX control supplied on Win98 boxes.

Cheers,
David Litchfield
http://www.cerberus-infosec.co.uk
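The thread makes two defensive points worth turning into a check: a .CNT file whose :Title value exceeds the roughly 256-byte buffer, and help files that carry program-executing macros such as ExecFile(). The triage scanner below is an added example written for this archive page; it is not code from either poster. It assumes the .CNT text format (":Title " followed by the value) and the approximate 256-byte limit quoted above, and the macro list extends ExecFile with other WinHelp macros of the same kind (ExecProgram, ShellExecute, RegisterRoutine); the sample .CNT and .HLP inputs are constructed for the demonstration, including the constructed header bytes.

```python
"""Triage scanner for WinHelp .CNT/.HLP/.GID files (added example, not from the thread).

Flags the two conditions discussed in the thread:
  * a :Title line in a .CNT whose value exceeds the ~256-byte buffer, and
  * references to program-executing WinHelp macros such as ExecFile().
"""
import re
import sys
from pathlib import Path

# Macros that launch programs. ExecFile is the one named in the thread; the
# others are WinHelp macros with the same effect (assumed list, extend as needed).
EXEC_MACROS = ("ExecFile", "ExecProgram", "ShellExecute", "RegisterRoutine")
TITLE_LIMIT = 256  # approximate buffer size quoted in the thread

_CANON = {name.lower(): name for name in EXEC_MACROS}
_MACRO_RE = re.compile(
    rb"(" + b"|".join(name.encode() for name in EXEC_MACROS) + rb")\s*\(",
    re.IGNORECASE,
)


def scan_cnt(text: str, title_limit: int = TITLE_LIMIT) -> list[str]:
    """Return findings for a .CNT (table of contents) file given as text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        raw = line.encode("latin-1", "replace")
        if line.startswith(":Title"):
            nbytes = len(raw[len(":Title"):].strip())
            if nbytes > title_limit:
                findings.append(f"line {lineno}: :Title is {nbytes} bytes (> {title_limit})")
        m = _MACRO_RE.search(raw)
        if m:
            findings.append(f"line {lineno}: exec macro {_CANON[m.group(1).decode().lower()]}()")
    return findings


def scan_hlp_bytes(data: bytes) -> list[str]:
    """Return canonical names of exec macros visible as plain text in .HLP/.GID bytes.

    Cheap triage only: WinHelp compresses topic data, so macros stored in
    compressed sections are not visible to this scan (a miss is not a clean bill).
    """
    return sorted({_CANON[m.group(1).decode().lower()] for m in _MACRO_RE.finditer(data)})


def scan_path(path: Path) -> list[str]:
    """Dispatch on file extension; unknown extensions yield no findings."""
    suffix = path.suffix.lower()
    if suffix == ".cnt":
        return scan_cnt(path.read_text(encoding="latin-1", errors="replace"))
    if suffix in (".hlp", ".gid"):
        return [f"exec macro {name}()" for name in scan_hlp_bytes(path.read_bytes())]
    return []


# Constructed sample inputs (not real help files): an oversized title and a macro reference.
SAMPLE_CNT = (
    ":Base sample.hlp\n"
    ":Title " + "A" * 300 + "\n"
    "1 Getting started=intro\n"
    "2 Launch tool=ExecFile(\"example.exe\")\n"
)
# Constructed bytes: the 0x00035F3F WinHelp magic followed by filler and an uncompressed macro string.
SAMPLE_HLP = b"?_\x03\x00" + b"\x00" * 12 + b"|SYSTEM\x00execprogram(\"example.exe\", 1)\x00"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for p in Path(sys.argv[1]).rglob("*"):
            if p.is_file():
                for finding in scan_path(p):
                    print(f"{p}: {finding}")
    else:
        print("CNT sample:", scan_cnt(SAMPLE_CNT))
        print("HLP sample:", scan_hlp_bytes(SAMPLE_HLP))
```

Run with a directory argument to walk a help-file tree, or with no arguments to scan the embedded samples. Treat a macro hit as a reason to inspect the file, and treat a clean raw-byte scan of an .HLP as inconclusive, since the macro text may sit in a compressed section.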
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:18:54 PDT