[NT] Windows Help Buffer Overflow (Additional details)
From: support@securiteam.com
Date: 10/04/02
From: support@securiteam.com To: list@securiteam.com Date: Fri, 4 Oct 2002 22:45:28 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Windows Help Buffer Overflow (Additional details)
------------------------------------------------------------------------
SUMMARY
The Windows Help Facility exposes itself both as an ActiveX component and
as a part of Internet Explorer through the showHelp method. The showHelp
method, taking a URI as argument, has a fixed buffer that is easily
overflowed from a webpage or within an email.
DETAILS
Vulnerable systems:
* Microsoft Windows 98
* Microsoft Windows 98 Second Edition
* Microsoft Windows Millennium Edition
* Microsoft Windows NT 4.0
* Microsoft Windows NT 4.0, Terminal Server Edition
* Microsoft Windows 2000
* Microsoft Windows XP
Impact:
Arbitrary code execution, taking any action the user has privileges to
perform on the system.
Discussion:
The size of the fixed buffer varies between Windows versions, most likely
because it depends on a system-specific data type whose size differs per
version. This variation is not mitigating in itself: for any given version
the buffer size is fixed, and the overflow is a traditional one. It is our
belief that this overflow must already be well known in the wild, since
simple real-life uses of the showHelp method (with a moderately long URI)
would easily expose the existence of this vulnerability.
Due to this belief, we feel that it will benefit and empower end users
more if they are able to easily verify for themselves whether they are
using a vulnerable version of Windows Help. Others have recently made the
public aware of this vulnerability as well, though without disclosing any
actual details.
Exploit:
<scr!pt>showHelp( A*796 );</script>
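The advisory's test case is a showHelp call whose argument is far longer than any legitimate help URI. An added example (not part of the advisory or Thor Larholm's proof-of-concept pages) of how a mail gateway or web proxy filter could flag such content for review: it extracts every showHelp(...) call from HTML, measures the argument, and flags calls over a length threshold. The threshold of 256 characters is an assumption for this example; the advisory only states that the vulnerable buffer size differs per Windows version and that 796 characters overflows it in the test case. The sample documents are constructed here.

```python
import re

# Constructed sample inputs (not taken from the advisory): a benign
# showHelp call, one with the advisory's A*796 pattern, one inside the
# obfuscated "scr!pt" tag form the advisory's one-liner uses, and one
# with no help call at all.
SAMPLE_HTML = [
    '<script>showHelp("mk:@MSITStore:help.chm::/page.htm");</script>',
    '<script>showHelp("' + 'A' * 796 + '");</script>',
    '<scr!pt>showHelp("' + 'A' * 1024 + '");</script>',
    '<p>No help call here.</p>',
]

# Assumed threshold for this example: legitimate help URIs are short, and
# the advisory's proof of concept uses 796 characters. Tune per environment.
MAX_URI_LEN = 256

# Match showHelp(...) regardless of case and across line breaks. The
# argument is captured as raw source text, so a call that builds its
# argument at runtime (a variable, string concatenation) is measured by
# the length of that expression, not the resulting string.
SHOWHELP_RE = re.compile(r'showHelp\s*\(\s*(.*?)\s*\)', re.IGNORECASE | re.DOTALL)


def showhelp_arg_lengths(content):
    """Return the length of each showHelp(...) argument found in content,
    with surrounding quote characters removed."""
    return [len(m.group(1).strip('\'"')) for m in SHOWHELP_RE.finditer(content)]


def flag_long_showhelp(content, max_len=MAX_URI_LEN):
    """True if any showHelp call in content carries an argument longer
    than max_len characters."""
    return any(n > max_len for n in showhelp_arg_lengths(content))


def scan(documents, max_len=MAX_URI_LEN):
    """Return the indexes of documents that should be held for review."""
    return [i for i, doc in enumerate(documents) if flag_long_showhelp(doc, max_len)]


if __name__ == "__main__":
    for i, doc in enumerate(SAMPLE_HTML):
        print(i, showhelp_arg_lengths(doc), "FLAG" if flag_long_showhelp(doc) else "ok")
    print("flagged documents:", scan(SAMPLE_HTML))
```

The match is deliberately done on the method name rather than on the script tag, so the "scr!pt" obfuscation in the advisory's one-liner does not bypass the check; the tag is irrelevant to the filter as long as the call text itself is present. Patching with MS02-055 remains the fix; this check only helps spot content that attempts the overflow before the patch is rolled out.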
Solution:
Apply the MS02-055 patch. For more information see our previous article:
<http://www.securiteam.com/windowsntfocus/6X006155PU.html> Unchecked
Buffer in Windows Help Facility Could Enable Code Execution.
Demonstration:
Thor has put together some proof-of-concept examples. These do not run any
meaningful code; they merely overflow the buffer with a large number of A
characters.
Simple, one-click test case:
<http://www.pivx.com/larholm/adv/TL004/simple.html>
Try your own numbers:
<http://www.pivx.com/larholm/adv/TL004/number.html>
Vendor status:
Microsoft was notified on 31 July 2002 and released MS02-055 on October 2,
2002.
ADDITIONAL INFORMATION
The information has been provided by <mailto:thor@pivx.com> Thor Larholm.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.