Thor Larholm security advisory TL#004

Topic: Windows Help buffer overflow
Discovery date: 31 July 2002

Affected applications:
  Microsoft Windows 98
  Microsoft Windows 98 Second Edition
  Microsoft Windows Millennium Edition
  Microsoft Windows NT 4.0
  Microsoft Windows NT 4.0, Terminal Server Edition
  Microsoft Windows 2000
  Microsoft Windows XP

Severity: High
Impact: Arbitrary code execution, taking any action the user has privileges to perform on the system.

Introduction:
The Windows Help Facility exposes itself both as an ActiveX component and as a part of Internet Explorer through the showHelp method. The showHelp method, which takes a URI as its argument, copies it into a fixed-size buffer that is easily overflowed from a web page or from within an email.

Discussion:
The size of the fixed buffer varies between Windows versions, most likely because it depends on a system-specific variant size. This does not mitigate the problem: for any given version the size is fixed, and the overflow is a traditional one.

It is our belief that this overflow must already be well known in the wild, since simple real-life uses of the showHelp method (with a moderately long URI) would easily expose the existence of this vulnerability. For that reason we feel it will benefit and empower end users more if they can easily verify for themselves whether they are running a vulnerable version of Windows Help. Others have recently made the public aware of this vulnerability as well, though without disclosing any actual details.

Exploit:

Solution:
Apply the MS02-055 patch.

Demonstration:
I have put together some proof-of-concept examples. These do not run any meaningful code but merely overflow the buffer with a lot of A characters.

  Simple, one-click test case: http://www.pivx.com/larholm/adv/TL004/simple.html
  Try your own numbers: http://www.pivx.com/larholm/adv/TL004/number.html

Vendor status:
Microsoft was notified on 31 July 2002; they released MS02-055 on October 2, 2002.
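As an added example (not part of the advisory, and not Thor Larholm's test pages), the following scanner flags HTML or HTML-mail content that calls showHelp with an unusually long literal URI argument, which is the pattern the advisory describes. The 256-character threshold is an assumption for triage, since the advisory states that the real buffer size differs between Windows versions.

```python
import re

# Heuristic detector for the Windows Help showHelp overflow (TL#004).
# Added example, not code from the advisory. It looks for script calls
# to showHelp() whose string-literal URI argument exceeds a threshold.
# Only literal arguments are inspected; a URI built at runtime from a
# variable is not caught by this regex and needs dynamic analysis.
SHOWHELP_CALL = re.compile(
    r"""showHelp\s*\(\s*(['"])(?P<uri>.*?)\1""",
    re.IGNORECASE | re.DOTALL,
)

# Assumption: the advisory gives no exact size, so 256 is a conservative
# triage cut-off, far below the lengths used in the demonstration pages.
DEFAULT_THRESHOLD = 256


def find_showhelp_calls(html: str):
    """Return (uri_length, uri_prefix) for every literal showHelp call."""
    hits = []
    for m in SHOWHELP_CALL.finditer(html):
        uri = m.group("uri")
        hits.append((len(uri), uri[:40]))
    return hits


def flag_suspicious(html: str, threshold: int = DEFAULT_THRESHOLD):
    """Return only the calls whose URI argument is longer than threshold."""
    return [hit for hit in find_showhelp_calls(html) if hit[0] > threshold]


# Constructed sample inputs; neither is taken from the advisory's demo pages.
BENIGN_PAGE = '<script>window.showHelp("help.chm::/intro.htm");</script>'
LONG_URI_PAGE = '<script>showHelp("' + "A" * 2000 + '");</script>'

if __name__ == "__main__":
    print(flag_suspicious(BENIGN_PAGE))    # []
    print(flag_suspicious(LONG_URI_PAGE))  # [(2000, 'AAAA...')]
```

The same function can be run over the decoded HTML body of incoming mail at a gateway, since the advisory names email as a delivery vector alongside web pages.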
Regards,
Thor Larholm, Security Researcher
PivX Solutions, LLC
Are You Secure? http://www.PivX.com