eEye Advisory - EEYEB-20050316 - HTML Help File Parsing Buffer Overflow
From: Steve Manzuik (smanzuik_at_EEYE.COM)
Date: 06/15/05
- Previous message: NGSSoftware Insight Security Research: "High Risk Vulnerability in HTML Help (ITSS Parser)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 15 Jun 2005 08:58:47 -0700 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
EEYEB-20050316 - HTML Help File Parsing Buffer Overflow
Release Date:
June 14, 2005
Date Reported:
March 16, 2005
Severity:
High (Remote Code Execution)
Vendor:
Microsoft
Systems Affected:
Windows 98 / 98 SE
Windows Me
Windows 2000 Service Pack 3 / Service Pack 4
Windows XP Service Pack 1 / Service Pack 2
Windows XP 64-Bit Itanium SP 1
Windows XP 64-Bit Itanium 2003
Windows XP Professional x64 Edition
Windows 2003 Server / Service Pack 1
Windows 2003 for Itanium / Service Pack 1
Windows 2003 x64 Edition
Overview:
eEye Digital Security has discovered a vulnerability in the way various versions of Windows handle Windows Help (.CHM) files. If exploited, this vulnerability allows arbitrary code to be executed by the remote attacker. A malicious .CHM file can be opened by Internet Explorer without user interaction by using the "ms-its" protocol specification; for example:
ms-its:\\server\\file.chm:/label.htm
This vulnerability affects any application that uses the Windows Help component of Internet Explorer internally.
Technical Details:
A CHM file can be specially crafted in order to cause a heap overflow, leading to one of the following exploitable situations:
(1) 1A40C0DD call dword ptr [ecx+18h] : we can control ECX, EAX points to our buffer
(2) 717AA58C call dword ptr [ecx+4] : we can control ECX, EAX points to our buffer
(3) 77F8C7A9 mov dword ptr [ecx],eax : we can control ECX and EAX, EDI points to our buffer
This heap overflow is caused by an integer overflow in a size field. Specifying a very high DWORD value (e.g., 0xFFFFFFFD) in this field will cause a buffer overflow and an excessive memory copy that overwrites all contiguous heap memory and eventually reaches a page boundary.
Protection:
Retina Network Security Scanner has been updated to identify this vulnerability.
Blink Endpoint Protection defends against this vulnerability.
Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is available at:
http://www.microsoft.com/technet/security/bulletin/MS05-026.mspx
Credit:
Discovery: Yuji Ukai
Related Links:
Retina Network Security Scanner - Free 15 Day Trial
http://www.eeye.com/html/products/retina/download/index.html
Retina Network Security Scanner - Japanese Edition
http://www.sse.co.jp/eeye/index.html
Greetings:
SSE Retina Team, All attendees of the workshop at Triton Square, WAIGAYA@Ichigaya
Copyright (c) 1998-2005 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
- Previous message: NGSSoftware Insight Security Research: "High Risk Vulnerability in HTML Help (ITSS Parser)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
