EEYEB-20050316 - HTML Help File Parsing Buffer Overflow

Release Date:
June 14, 2005

Date Reported:
March 16, 2005

Severity:
High (Remote Code Execution)

Vendor:
Microsoft

Systems Affected:
Windows 98 / 98 SE
Windows Me
Windows 2000 Service Pack 3 / Service Pack 4
Windows XP Service Pack 1 / Service Pack 2
Windows XP 64-Bit Itanium SP 1
Windows XP 64-Bit Itanium 2003
Windows XP Professional x64 Edition
Windows 2003 Server / Service Pack 1
Windows 2003 for Itanium / Service Pack 1
Windows 2003 x64 Edition

Overview:
eEye Digital Security has discovered a vulnerability in the way various
versions of Windows handle Windows Help (.CHM) files.  If exploited,
this vulnerability allows arbitrary code to be executed by the remote
attacker.  A malicious .CHM file can be opened by Internet Explorer
without user interaction by using the "ms-its" protocol specification;
for example:

ms-its:\\server\\file.chm:/label.htm

This vulnerability affects any application that uses the Windows Help
component of Internet Explorer internally.


Technical Details:
A CHM file can be specially crafted in order to cause a heap overflow,
leading to one of the following exploitable situations:

(1) 1A40C0DD  call dword ptr [ecx+18h]  : we can control ECX, EAX points
to our buffer

(2) 717AA58C  call dword ptr [ecx+4]    : we can control ECX, EAX points
to our buffer

(3) 77F8C7A9  mov  dword ptr [ecx],eax  : we can control ECX and EAX,
EDI points to our buffer

This heap overflow is caused by an integer overflow in a size field.
Specifying a very high DWORD value (e.g., 0xFFFFFFFD) in this field will
cause a buffer overflow and an excessive memory copy that overwrites all
contiguous heap memory and eventually reaches a page boundary.

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.
Blink Endpoint Protection defends against this vulnerability.

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is
available at:
http://www.microsoft.com/technet/security/bulletin/MS05-026.mspx

Credit:
Discovery: Yuji Ukai

Related Links:

Retina Network Security Scanner - Free 15 Day Trial
http://www.eeye.com/html/products/retina/download/index.html

Retina Network Security Scanner - Japanese Edition
http://www.sse.co.jp/eeye/index.html

Greetings:
SSE Retina Team, All attendees of the workshop at Triton Square,
WAIGAYA@Ichigaya

Copyright (c) 1998-2005 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.