EEYEB-20050316 - HTML Help File Parsing Buffer Overflow Release Date: June 14, 2005 Date Reported: March 16, 2005 Severity: High (Remote Code Execution) Vendor: Microsoft Systems Affected: Windows 98 / 98 SE Windows Me Windows 2000 Service Pack 3 / Service Pack 4 Windows XP Service Pack 1 / Service Pack 2 Windows XP 64-Bit Itanium SP 1 Windows XP 64-Bit Itanium 2003 Windows XP Professional x64 Edition Windows 2003 Server / Service Pack 1 Windows 2003 for Itanium / Service Pack 1 Windows 2003 x64 Edition Overview: eEye Digital Security has discovered a vulnerability in the way various versions of Windows handle Windows Help (.CHM) files. If exploited, this vulnerability allows arbitrary code to be executed by the remote attacker. A malicious .CHM file can be opened by Internet Explorer without user interaction by using the "ms-its" protocol specification; for example: ms-its:\\server\\file.chm:/label.htm This vulnerability affects any application that uses the Windows Help component of Internet Explorer internally. Technical Details: A CHM file can be specially crafted in order to cause a heap overflow, leading to one of the following exploitable situations: (1) 1A40C0DD call dword ptr [ecx+18h] : we can control ECX, EAX points to our buffer (2) 717AA58C call dword ptr [ecx+4] : we can control ECX, EAX points to our buffer (3) 77F8C7A9 mov dword ptr [ecx],eax : we can control ECX and EAX, EDI points to our buffer This heap overflow is caused by an integer overflow in a size field. Specifying a very high DWORD value (e.g., 0xFFFFFFFD) in this field will cause a buffer overflow and an excessive memory copy that overwrites all contiguous heap memory and eventually reaches a page boundary. Protection: Retina Network Security Scanner has been updated to identify this vulnerability. Blink Endpoint Protection defends against this vulnerability. Vendor Status: Microsoft has released a patch for this vulnerability. The patch is available at: http://www.microsoft.com/technet/security/bulletin/MS05-026.mspx Credit: Discovery: Yuji Ukai Related Links: Retina Network Security Scanner - Free 15 Day Trial http://www.eeye.com/html/products/retina/download/index.html Retina Network Security Scanner - Japanese Edition http://www.sse.co.jp/eeye/index.html Greetings: SSE Retina Team, All attendees of the workshop at Triton Square, WAIGAYA@Ichigaya Copyright (c) 1998-2005 eEye Digital Security Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@private for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
This archive was generated by hypermail 2.1.3 : Tue Jun 14 2005 - 17:41:12 PDT