Re: Winhelp32 Remote Buffer Overrun

2002-08-01 Thread Jelmer

I just installed service pack 3 and the following code still crashed my
IE6 with a "memory could not be referenced" error.

 
I have been told this means it is most likely exploitable. I am not into
buffer overflows myself though, maybe someone can confirm this. Anyways I
notified Microsoft of this several months ago. The day after I notified them
someone pointed me to the ngssoftware advisory *sob*, and I notified
Microsoft that this was probably the same issue. Last I heard from them they
were looking into whether this was indeed the case. It's been several months
and as far as I know they are still looking.

--
 jelmer

- Original Message -
From: "Next Generation Insight Security Research Team"
<[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, August 02, 2002 3:59 AM
Subject: Winhelp32 Remote Buffer Overrun


> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> NGSSoftware Insight Security Research Advisory
>
> Name: Winhlp32.exe Remote Buffer Overrun
> Systems Affected:  Win2K Platform
> Severity:  Critical
> Category:   Remote Buffer Overrun
> Vendor URL:   http://www.mircosoft.com
> Author:   Mark Litchfield ([EMAIL PROTECTED])
> Date:   1st August 2002
> Advisory number: #NISR01082002
>
>
> Description
> ***
>
> Many of the features available in HTML Help are implemented through
> the HTML Help ActiveX control (HHCtrl.ocx). The HTML Help ActiveX
> control is used to provide navigation features (such as a table of
> contents), to display secondary windows and pop-up definitions, and
> to provide other features. The HTML Help ActiveX control can be used
> from topics in a compiled Help system as well as from HTML pages
> displayed in a Web browser. The functionality provided by the HTML
> Help ActiveX control will run in the HTML Help Viewer or in any
> browser that supports ActiveX technology, such as Internet Explorer
> (version 3.01 or later). Some features, as with the WinHlp Command,
> provided by the HTML Help ActiveX control are meant to be available
> only when it is used from a compiled HTML Help file (.chm) that is
> displayed by using the HTML Help Viewer.
>
> Details
> ***
>
> Winhlp32.exe is vulnerable to a buffer overrun attack using the Item
> parameter within the WinHlp Command. The Item parameter is used to
> specify the file path of the WinHelp (.hlp) file in which the WinHelp
> topic is stored, and the window name of the target window.  Using
> this overrun, an attacker can successfully execute arbitrary code on
> a remote system by either encouraging the victim to visit a
> particular web page, whereby code would execute automatically, or by
> including the exploit within the source of an email.  In regards to
> email, execution would automatically occur when the mail appears in
> the preview pane and ActiveX objects are allowed (this is allowed by
> default; the Internet Security Settings would have to be set to HIGH
> to prevent execution of this vulnerability). Any exploit would
> execute in the context of the logged on user.
>
> Visual POC Exploit
> **
>
> This POC will simply display Calculator.  Please note that this was
> written on a Win2k PC with SP2 installed.  I have not tested it on
> anything else.
>
>
>
> Fix Information
> ***
>
> NGSSoftware alerted Microsoft to these problems on the 6th March
> 2002. NGSSoftware highly recommend installing Microsoft Windows SP3,
> as the fix has been built into this service pack found at
> http://www.microsoft.com
> An alternative to these patches would be to ensure the security
> settings found in the Internet Options is set to high. Despite the
> Medium setting, stating that unsigned ActiveX controls will not be
> downloaded, Kylie will still execute Calc.exe.  Another alternative
> would be to remove winhlp32.exe if it is not required within your
> environment.
> A check for these issues has been added to Typhon II, of which more
> information is available from the
> NGSSoftware website, http://www.ngssoftware.com.
>
> Further Information
> ***
>
> For further information about the scope and effects of buffer
> overflows, please see
>
> http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
> http://www.ngssoftware.com/papers/ntbufferoverflow.html
> http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
> http://www.ngssoftware.com/papers/unicodebo.pdf
>
> -BEGIN PGP SIGNATURE-
> Version: PGPfreeware 7.0.3 for non-commercial use 
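As an added example (not part of this thread or of NGSSoftware's advisory), here is the kind of check a mail or web gateway could apply to the pattern the Details section describes: an HHCtrl object issuing the WinHelp command with an overlong Item value. The parameter names `Command` and `Item1`, the 128-byte threshold and the sample HTML are assumptions constructed for the example; the CLSID is the one quoted in the thread.

```python
from html.parser import HTMLParser

# CLSID of the HTML Help ActiveX control (HHCtrl.ocx), as quoted in this thread.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"
# Assumed review threshold: a WinHelp Item value this long is far beyond any
# plausible ".hlp path>window name" and deserves inspection.
MAX_ITEM_LEN = 128

class HHCtrlScanner(HTMLParser):
    """Collects every <object> that embeds HHCtrl together with its <param> values."""
    def __init__(self):
        super().__init__()
        self.objects = []   # one dict per HHCtrl object: {"id": ..., "params": {...}}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # html.parser lower-cases attribute names
        if tag == "object":
            ident = (a.get("classid", "") + " " + a.get("codebase", "")).lower()
            if HHCTRL_CLSID in ident or "hhctrl.ocx" in ident:
                self._current = {"id": a.get("id", ""), "params": {}}
                self.objects.append(self._current)
            else:
                self._current = None   # some other control; ignore its params
        elif tag == "param" and self._current is not None:
            self._current["params"][a.get("name", "").lower()] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object":
            self._current = None

def find_suspicious_winhelp(html):
    """Return (object id, Item1 length) for each HHCtrl object issuing WinHelp with an oversized Item1."""
    scanner = HHCtrlScanner()
    scanner.feed(html)
    hits = []
    for obj in scanner.objects:
        command = obj["params"].get("command", "").lower()
        item = obj["params"].get("item1", "")
        if command == "winhelp" and len(item) > MAX_ITEM_LEN:
            hits.append((obj["id"], len(item)))
    return hits

# Constructed sample: one benign help link and one object whose Item1 is padded
# with 300 filler characters (no payload; the filler only exercises the length check).
SAMPLE_HTML = (
    '<object id="ok" classid="clsid:ADB880A6-D8FF-11CF-9377-00AA003B7A11">'
    '<param name="Command" value="WinHelp"><param name="Item1" value="help.hlp"></object>'
    '<object id="bad" codebase="hhctrl.ocx#Version=4,72,8252,0">'
    '<param name="Command" value="WinHelp"><param name="Item1" value="' + "A" * 300 + '"></object>'
)
```

`find_suspicious_winhelp(SAMPLE_HTML)` flags only the second object; a content filter that cannot strip ActiveX outright (the advisory's own recommendation is the HIGH security setting) can at least quarantine on this pattern.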

RE: Winhelp32 Remote Buffer Overrun

2002-08-10 Thread Drew

Correction, closing out of the app brings up an error where the memory read
is controlled at 4141414d (EIP is elsewhere), so it appears to be a different
type of crash by behavior entirely... but exploitable.

Would need to stick a debugger on it and mess around to narrow it down.


RE: Winhelp32 Remote Buffer Overrun

2002-08-10 Thread Drew

Running this on my local file fuzzer, Litchfield's begins to hit exceptions
at 200 increments. (At a blank value it gives a memory error.)

At 216 increments (and at least for awhile, above) it overwrites EIP with
41414141. (Windows 2000 Service Pack 2.)

Testing Jelmer's as it was written below I ran to 10,000 increments and did
not find an issue. Testing to 10,000 with .TIF as the extension did not find
an issue. Testing these same case tests with using the method HHClick() as in
Litchfield's does not give an issue.

It may have been with another method, or perhaps some interaction with the
webpage. It may be the characters used to bruteforce it. Perhaps they were
unicode (which I could test, as well as anything else).



> -Original Message-
> From: Mark Litchfield [mailto:[EMAIL PROTECTED]] 
> Sent: Tuesday, August 06, 2002 12:24 PM
> To: Jelmer; [EMAIL PROTECTED]
> Subject: Re: Winhelp32 Remote Buffer Overrun
> 
> 
> If I am not mistaken, I believe that Microsoft are aware of 
> this issue and have an IE patch coming out very shortly.  My 
> brother reported this to them, please see 
> http://www.nextgenss.com/vna/ms-whelp.txt
> 
> Regards
> 
> Cheers,
> 
> 
> Mark Litchfield