Venustech AD-Lab Advisory 2004.6

Posted Dec 31, 2004
Authored by Beijing Venustech, Keji

Venustech AD-Lab Advisory AD_LAB-04006 - There is a vulnerability in winhlp32.exe, the Microsoft Windows .hlp file parser. The vulnerability is caused by a decoding error in the processing of the .hlp header. It can be exploited to cause a heap-based buffer overflow. Vulnerable: Windows NT, Windows 2000 SP0, Windows 2000 SP1, Windows 2000 SP2, Windows 2000 SP3, Windows 2000 SP4, Windows XP SP0, Windows XP SP1, Windows 2003.

tags | advisory, overflow
systems | windows
SHA-256 | a4d0f4fd5ceaadb1c6e0a8112c7289a3a1d44aa6bc11cd18346109a009cb1efb


Venustech AD-Lab
www.venustech.com.cn

[Security Advisory]


Advisory: [AD_LAB-04006] Microsoft Windows winhlp32.exe Heap Overflow Vulnerability
Class: Design Error
Date: 12/20/2004
Remote: Yes

Vulnerable:
Windows NT
Windows 2000 SP0
Windows 2000 SP1
Windows 2000 SP2
Windows 2000 SP3
Windows 2000 SP4
Windows XP SP0
Windows XP SP1
Windows 2003
Windows XP SP2
Not vulnerable:
Unknown
Vendor:
www.microsoft.com


I.DESCRIPTION:
-------------

There is a vulnerability in winhlp32.exe, the Microsoft Windows .hlp file parser.
The vulnerability is caused by a decoding error in the processing of the .hlp
header. It can be exploited to cause a heap-based buffer overflow.


II.DETAILS:
----------

If the help file is phrase compressed, it contains an internal file named phrases.
The header of the phrases table is located at offset 0x19 in the .hlp file
and its on-disk structure includes the following fields:

struct PhrasesTableHeader {
    unsigned short wNumberOfPhrases;
    unsigned short wOneHundred;     /* always 0x0100 */
    long decompressedsize;
};

The phrases table header is immediately followed by the phrases table itself, in
which each phrase entry occupies 2 bytes (an unsigned short).

The function at 0100A1EF takes 3 parameters. The third parameter points to
the phrases table header. The second parameter points to a heap buffer, which
is used to hold the phrase data. When the data length is calculated, however,
it is not checked sufficiently. This can be exploited with a malformed .hlp file
to overwrite the heap memory pointed to by the second parameter.

The analysis for the function of 0100A1EF is as follows:

.text:0100A1EF sub_100A1EF proc near ; CODE XREF: sub_100A14C+6Fp
.text:0100A1EF
.text:0100A1EF arg_0 = dword ptr 4
.text:0100A1EF arg_4 = dword ptr 8
.text:0100A1EF arg_8 = dword ptr 0Ch
.text:0100A1EF
.text:0100A1EF mov eax, [esp+arg_8] ;arg_8 pointed to phrase table header
.text:0100A1F3 push ebx
.text:0100A1F4 push esi
.text:0100A1F5 push edi
.text:0100A1F6 movzx edx, word ptr [eax+2] ;[eax+2] -> wOneHundred
.text:0100A1FA mov ecx, [eax+0Ch] ;[eax+0Ch] -> phrase table
.text:0100A1FD mov eax, [esp+0Ch+arg_0] ;the following calculates the offset of phrase table
.text:0100A201 sub eax, edx
.text:0100A203 mov ebx, [esp+0Ch+arg_4]
.text:0100A207 mov edi, eax
.text:0100A209 shr eax, 1
.text:0100A20B and edi, 1
.text:0100A20E movzx edx, word ptr [ecx+eax*2] ;phrase_offset1
.text:0100A212 movzx esi, word ptr [ecx+eax*2+2] ;phrase_offset2
.text:0100A217 sub esi, edx
.text:0100A219 add ecx, edx
.text:0100A21B push esi ; size_t ;size = phrase_offset2 - phrase_offset1
.text:0100A21C push ecx ; void *
.text:0100A21D push ebx ; void * ;ebx -> No.2 pointer, to heap memory
.text:0100A21E call ds:memmove

There are 2 vulns here:
1. An integer overflow: size = phrase_offset2 - phrase_offset1. If phrase_offset2 is
less than phrase_offset1, the size becomes a negative number, and memmove then uses
this negative number as the copy size, causing the heap overflow.

2. The allocated heap size depends on an item of the phrase table rather than on the
phrasesEndOffset - phrasesHeadOffset size, so changing phrasesEndOffset will cause
another heap overflow here.

More details and POC at http://www.xfocus.net/flashsky/icoExp/index.html .
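The unchecked length computation and a defensive validator for the phrases table, as an added example that is not part of the advisory or of winhlp32.exe. It uses the advisory's field names; the exact blob layout (8-byte header, then wNumberOfPhrases + 1 little-endian offsets relative to the table start, then phrase text) and the sample buffers are assumptions constructed here.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the phrases internal file using the advisory's field names:
   an 8-byte header (wNumberOfPhrases, wOneHundred, decompressedsize) followed by
   wNumberOfPhrases + 1 little-endian uint16 offsets, relative to the start of the
   offset table, followed by the phrase text. Layout details beyond the advisory
   are assumptions. */
#define PHR_HDR_SIZE 8

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Mirrors the unchecked computation in the disassembly: size = off[i+1] - off[i].
   When the end offset precedes the start, the int is negative and memmove
   receives it as an enormous size_t. */
size_t unchecked_phrase_len(const uint16_t *tbl, unsigned idx) {
    int size = (int)tbl[idx + 1] - (int)tbl[idx];
    return (size_t)size;
}

/* Defensive validator for a phrases blob. Returns 0 when the header is sane and
   every phrase range is ordered and inside the buffer; otherwise the number of
   the failed check. */
int validate_phrases(const uint8_t *buf, size_t len) {
    if (len < PHR_HDR_SIZE) return 1;
    uint16_t n = rd16(buf);
    if (rd16(buf + 2) != 0x0100) return 2;              /* wOneHundred mismatch */
    const uint8_t *tbl = buf + PHR_HDR_SIZE;
    size_t region = len - PHR_HDR_SIZE;                  /* bytes reachable from table base */
    if ((size_t)(n + 1) * 2 > region) return 3;          /* offset table truncated */
    uint16_t prev = rd16(tbl);
    for (unsigned i = 1; i <= n; i++) {
        uint16_t cur = rd16(tbl + 2 * i);
        if (cur < prev) return 4;                        /* negative size -> heap overflow */
        if (cur > region) return 5;                      /* phrase runs past the data */
        prev = cur;
    }
    return 0;
}

/* Constructed samples: two phrases "ab" and "cde"; the bad one swaps the last
   two offsets so phrase 1 would get size 8 - 11 = -3. */
static const uint8_t good_phr[] = { 2,0, 0,1, 5,0,0,0, 6,0, 8,0, 11,0, 'a','b','c','d','e' };
static const uint8_t bad_phr[]  = { 2,0, 0,1, 5,0,0,0, 6,0, 11,0, 8,0, 'a','b','c','d','e' };
static const uint16_t bad_tbl[] = { 6, 11, 8 };

int check_good_sample(void) { return validate_phrases(good_phr, sizeof good_phr); }
int check_bad_sample(void)  { return validate_phrases(bad_phr, sizeof bad_phr); }
size_t bad_sample_unchecked_len(void) { return unchecked_phrase_len(bad_tbl, 1); }
```

The ordering check is what stops the negative-size memmove; the bounds check against the real blob extent is the safeguard the advisory's second issue calls for, since the copy length must not be trusted from a table entry alone.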


III.CREDIT:
----------

Keji (yu_keji@venustech.com.cn) discovered this vuln :)
Vulnerability analysis and advisory by Keji, Flashsky and icbm.
Special thanks to the "Fengshou" project members and all Venustech AD-Lab guys :P

IV.DISCLAIMER:
-------------

The information in this bulletin is provided "AS IS" without warranty of any
kind. In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special damages.

Copyright 1996-2004 VENUSTECH. All Rights Reserved. Terms of use.

VENUSTECH Security Lab
VENUSTECH INFORMATION TECHNOLOGY CO.,LTD(http://www.venustech.com.cn)
