 
From: Thor Larholm (thor_at_pivx.com)
Date: Wed Oct 09 2002 - 13:35:45 CDT


    Thor Larholm security advisory TL#004

    Topic: Windows Help buffer overflow

    HTML version:
    http://www.pivx.com/larholm/adv/TL004/

    Discovery date: 31 July 2002

    Release date: 4 October 2002

    Affected applications:

    Microsoft Windows 98
    Microsoft Windows 98 Second Edition
    Microsoft Windows Millennium Edition
    Microsoft Windows NT 4.0
    Microsoft Windows NT 4.0, Terminal Server Edition
    Microsoft Windows 2000
    Microsoft Windows XP

    Severity: High

    Impact:
    Arbitrary code execution, taking any action the user has privileges to
    perform on the system.

    Introduction:
    The Windows Help Facility exposes itself both as an ActiveX component and as
    a part of Internet Explorer through the showHelp method. The showHelp
    method, taking a URI as argument, has a fixed buffer that is easily
    overflowed from a webpage or within an email.

    Discussion:
    The size of the fixed buffer varies between Windows versions, most likely
    because it depends on a system-specific variant size. This is not a
    mitigating factor in itself: for any given version the size is fixed, and
    the overflow is a traditional one. It is our belief that this overflow must
    be well-known already in the wild, as simple real-life usages of the
    showHelp method (using a moderately long URI) would easily expose the
    existence of this vulnerability.

    Due to this belief, we feel that it will benefit and empower end-users more
    if they are able to easily verify for themselves whether they are using a
    vulnerable version of Windows Help. Others have recently made the public
    aware of this vulnerability as well, though without disclosing any actual
    details.

    Exploit:

    <script>showHelp(new Array(797).join("A")); // a URI of 796 "A" characters</script>
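    Added example, not part of the advisory and not PivX code: a defender-side
    content check that a mail gateway or web proxy could run over HTML to flag
    showHelp() calls whose URI argument is either a long literal or is assembled
    at run time (the two ways a page would reach the lengths the advisory
    describes). The 256-character threshold and the sample page are assumptions
    for illustration; the advisory itself only says the buffer size varies per
    Windows version and that 796 characters overflows it.

```python
import re

# Threshold chosen well below the 796-character length the advisory quotes,
# since the buffer size varies per Windows version. Assumed value; tune it.
SUSPICIOUS_URI_LENGTH = 256

CALL_START = re.compile(r"showHelp\s*\(", re.IGNORECASE)
# JavaScript idioms that build a long string without a long literal
DYNAMIC_BUILD = re.compile(
    r"\.repeat\s*\(|new\s+Array\s*\(|\.join\s*\(|\+\s*[\"']", re.IGNORECASE
)


def _extract_argument(text, open_paren):
    """Return the text between the '(' at open_paren and its matching ')',
    honouring quoted strings and nested parentheses; None if unterminated."""
    depth, quote, i = 0, None, open_paren
    while i < len(text):
        c = text[i]
        if quote:
            if c == "\\":
                i += 2          # skip the escaped character
                continue
            if c == quote:
                quote = None
        elif c in "\"'":
            quote = c
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return text[open_paren + 1:i]
        i += 1
    return None


def _as_literal(arg):
    """Return the string body if arg is one quoted literal, else None."""
    if len(arg) >= 2 and arg[0] == arg[-1] and arg[0] in "\"'":
        q, inner = arg[0], arg[1:-1]
        # an unescaped quote inside means this is really an expression
        if q not in inner.replace("\\" + q, ""):
            return inner
    return None


def classify_showhelp_argument(arg):
    """Map one showHelp argument to a (verdict, reason) pair."""
    uri = _as_literal(arg.strip())
    if uri is not None:
        if len(uri) >= SUSPICIOUS_URI_LENGTH:
            return ("block", "literal URI of %d chars" % len(uri))
        return ("allow", "literal URI of %d chars" % len(uri))
    if DYNAMIC_BUILD.search(arg):
        return ("block", "argument built at run time")
    return ("review", "non-literal argument")


def scan_html(html):
    """Return a list of (verdict, reason, offset) for each showHelp call."""
    findings = []
    for m in CALL_START.finditer(html):
        arg = _extract_argument(html, m.end() - 1)
        if arg is None:
            findings.append(("review", "unterminated call", m.start()))
            continue
        verdict, reason = classify_showhelp_argument(arg)
        findings.append((verdict, reason, m.start()))
    return findings


# Constructed sample page: one ordinary call, one long literal, one built string.
SAMPLE_PAGE = (
    '<script>showHelp("help.htm");</script>\n'
    '<script>showHelp("' + "A" * 796 + '");</script>\n'
    '<script>showHelp(new Array(797).join("A"));</script>\n'
)


if __name__ == "__main__":
    for verdict, reason, offset in scan_html(SAMPLE_PAGE):
        print(offset, verdict, reason)
```

    A "review" verdict covers arguments the scanner cannot resolve statically
    (a variable, an unterminated call); those are the cases a gateway would
    hand to a sandbox rather than allow through, because the advisory's point
    is that even an unremarkable, moderately long URI is enough to hit the
    buffer on some Windows versions.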

    Solution:
    Apply the MS02-055 patch.

    Demonstration:
    I have put together some proof-of-concept examples. These do not run any
    meaningful code but merely overflow the buffer with a lot of A characters.

    Simple, one-click test case
    http://www.pivx.com/larholm/adv/TL004/simple.html
    Try your own numbers
    http://www.pivx.com/larholm/adv/TL004/number.html

    Vendor status:
    Microsoft was notified on 31 July 2002 and released MS02-055 on October 2,
    2002.

    Regards
    Thor Larholm, Security Researcher
    PivX Solutions, LLC

    Are You Secure?
    http://www.PivX.com