exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

HtmlHelpchm.txt

HtmlHelpchm.txt
Posted Jul 14, 2004
Authored by Brett Moore SA | Site security-assessment.com

The HtmlHelp application (hh.exe) in Microsoft windows read a value from a .CHM file to set a length parameter. By setting this to a large value, it is possible to overwrite sections of the heap with attacker supplied values. Affected software includes: Microsoft Windows 98, 98SE, ME, Microsoft Windows NT 4.0, Microsoft Windows 2000 Service Pack 4, Microsoft Windows XP, Microsoft Windows XP Service Pack 1, Microsoft Windows Server 2003.

tags | advisory
systems | windows
advisories | CVE-2004-0201
SHA-256 | ac7c55f929b9e971cc8376ae4bda17d5f164652d10bf394f6db55a9ddb4eacb6

HtmlHelpchm.txt

Change Mirror Download

========================================================================
= HtmlHelp - .CHM File Heap Overflow
=
= MS Bulletin posted:
= http://www.microsoft.com/technet/security/bulletin/MS04-023.mspx
=
= Affected Software:
= Microsoft Windows 98, 98SE, ME
= Microsoft Windows NT 4.0
= Microsoft Windows 2000 Service Pack 4
= Microsoft Windows XP, Microsoft Windows XP Service Pack 1
= Microsoft Windows Server 2003
=
= Public disclosure on July 14, 2004
========================================================================

When thinking about buffer overflow vulnerabilities, a file can sometimes
be as harmful as a packet. Even though past security issues have taught
us that it is unwise to use an unvalidated value from a file/packet as
a text length parameter, that is what happened here.

The HtmlHelp application (hh.exe) will read a value from a .CHM file
and use this as the 'length' parameter in a REPZ MOVSD operation.
By setting this to a large value, it is possible to overwrite sections
of the heap with attacker supplied values.

This results in a typical win32 heap overflow landing either on the
common mov [ecx],eax / mov [eax+4],ecx pair, or on a call [eax+4]. In
either case the registers are under the control of the attacker
leading to code execution.

== Description ==

When the corrupt file is opened an exception error will first occur at

0x78010044 REPZ MOVSD

The error has occurred because the destination address has reached the end
of its allocated space. After clicking OK on the popup error box, execution
will continue until it eventually reaches.

0x77fcc663 mov [ecx],eax
0x77fcc665 mov [eax+4],ecx

At this time the EAX and ECX values have been filled with the data used to
overwrite the heap, allowing an attacker to write an arbitrary value to
a known place.

The corrupt file must be constructed in such a way to jump through some
hoops first. It must pass some checks reliant on a value in the file that
sets ESI.

* This value must be valid memory
* [ESI+1c] must be non null
* [ESI+24] must be null.

This value is simple to achieve resulting in a reliable heap exploit using
any of the multiple methods now known to exploit heap overflows.

== Exploitation ==

Remote exploitation through Internet Explorer can be obtained through the
use of the window.showhelp() function. Either using a public UNC share or
through a 'coupled' browser exploit that saves the file to a known location
before opening it. There may of course also be other ways of having a
corrupt .CHM file loaded without requiring a user to download and run it,
although a compiled help file may be easily accepted by a user anyway.

Automatic exploitation of browser based bugs, does not rely on an attacker
sending a link, requiring the target user to click on it. Links, references
and other objects can easily be opened through script code. And I am told
that this can also be achieved without script code.

== Solutions ==

- Install the vendor supplied patch.

== Credit ==

Discovered and advised to Microsoft January 12, 2004 by Brett Moore of
Security-Assessment.com

%-) Well Ruxcon rocked, so gotta say thanks to all that were there. They
%-) known who they are. Now for vegas....

== About Security-Assessment.com ==

Security-Assessment.com is a leader in intrusion testing and security
code review, and leads the world with SA-ISO, online ISO17799 compliance
management solution. Security-Assessment.com is committed to security
research and development, and its team have previously identified a
number of vulnerabilities in public and private software vendors products.


######################################################################
CONFIDENTIALITY NOTICE:

This message and any attachment(s) are confidential and proprietary.
They may also be privileged or otherwise protected from disclosure. If
you are not the intended recipient, advise the sender and delete this
message and any attachment from your system. If you are not the
intended recipient, you are not authorised to use or copy this message
or attachment or disclose the contents to any other person. Views
expressed are not necessarily endorsed by Security-Assessment.com
Limited. Please note that this communication does not designate an
information system for the purposes of the New Zealand Electronic
Transactions Act 2003.
######################################################################
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close