From: Chad Myers (cmyersAUSTIN.RR.COM)
Date: Mon May 16 2005 - 15:33:09 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Everyone:

Sorry I can't provide more details about this issue. I'm hoping one of the
technical folks that know how to identify and exploit a possible
vulnerability like this can help track down the specifics. It appears there
is some bad string handling in (what appears to be) hha.dll that is part of
the HTML Help Compiler (HHC.exe) and/or HTML Help Workshop (version
4.74.8702.0 on my system). I'm not sure, but this might be a buffer overrun
and could be exploitable.

We use a tool to generate all the files necessary for the HHC to spit out a
resultant CHM file. The tool had a bug in it that spit out a file name that
was greater than MAX_PATH. The tool could not save the file. It failed
silently, but it added the path to the T.O.C. file that HHC uses.

When HHC went to compile, it tried to read the too-big file name and it
crashed with an access violation (0xc0000005 - Access Violation).

Here are some details:

VERSIONS
======================
OS: WinXP SP2
HHW: 4.74.8702.0
HHA: 4.74.8702.0
HHCTRL: 5.02.3790.1280
ITIRCL: 5.02.3790.1159
ITSS: 5.02.3790.1221

I was able to get Dr Watson to dump some interesting information, perhaps
this will help:

*----> State Dump for Thread Id 0x10d4 <----*

eax=00000000 ebx=00000000 ecx=ffffffff edx=45381228 esi=682e296e
edi=682e296e eip=4530f3fb esp=0012ec90 ebp=0012ecb0 iopl=0
nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 fl=00000246

*** ERROR: Symbol file could not be found. Defaulted to export symbols for
C:\WINDOWS\system32\HHA.dll -
function: HHA!Ordinal23
        4530f3e4 53 push ebx
        4530f3e5 56 push esi
        4530f3e6 8b74240c mov esi,[esp+0xc]
        4530f3ea 57 push edi
        4530f3eb 85f6 test esi,esi
        4530f3ed 7505 jnz HHA!Ordinal23+0x10 (4530f3f4)
        4530f3ef bee4363645 mov esi,0x453636e4
        4530f3f4 8bfe mov edi,esi
        4530f3f6 83c9ff or ecx,0xffffffff
        4530f3f9 33c0 xor eax,eax
FAULT ->4530f3fb f2ae repne scasb

es:682e296e=??
        4530f3fd f7d1 not ecx
        4530f3ff 51 push ecx
        4530f400 e86b290300 call HHA!Ordinal358+0x4d3 (45341d70)
        4530f405 59 pop ecx
        4530f406 8bd0 mov edx,eax
        4530f408 8bfe mov edi,esi
        4530f40a 83c9ff or ecx,0xffffffff
        4530f40d 33c0 xor eax,eax
        4530f40f f2ae repne scasb
        4530f411 f7d1 not ecx

*----> Stack Back Trace <----*
WARNING: Stack unwind information not available. Following frames may be
wrong.
ChildEBP RetAddr Args to Child
0012ecb0 45315376 682e296e 00000000 0012eef8 HHA!Ordinal23+0x17
0012ed1c 4531beaa 682e296e 0012ed3c 00000000 HHA!Ordinal315+0x1d
0012ef4c 4531e702 0012f3b4 00ca2c20 0012ef7c HHA!HHA_CompileHHP+0x36fe
006c6d74 00000013 00000000 7fffffff 00000000 HHA!HHA_CompileHHP+0x5f56

*----> Raw Stack Dump <----*
000000000012ec90 00 00 00 00 ec ec 12 00 - 00 00 00 00 aa 4c 31 45
000000000012eca0 6e 29 2e 68 00 00 00 00 - f8 ee 12 00 00 00 00 00
000000000012ecb0 1c ed 12 00 76 53 31 45 - 6e 29 2e 68 00 00 00 00
000000000012ecc0 f8 ee 12 00 14 f6 12 00 - a0 2d ca 00 00 00 00 00
000000000012ecd0 a0 2d ca 00 00 00 00 00 - 00 00 00 00 00 00 00 00
000000000012ece0 00 00 00 00 00 00 00 00 - 00 00 d5 77 e0 2c ca 00
000000000012ecf0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
000000000012ed00 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 31 45
000000000012ed10 80 ef 12 00 9c 21 36 45 - ff ff ff ff 4c ef 12 00
000000000012ed20 aa be 31 45 6e 29 2e 68 - 3c ed 12 00 00 00 00 00
000000000012ed30 20 2c ca 00 27 2c ca 00 - 18 f1 12 00 46 43 68 6f
000000000012ed40 69 63 65 2e 54 6f 6f 6c - 6b 69 74 73 2e 43 6c 61
000000000012ed50 72 69 66 79 7e 46 43 68 - 6f 69 63 65 2e 54 6f 6f
000000000012ed60 6c 6b 69 74 73 2e 43 6c - 61 72 69 66 79 2e 49 6e
000000000012ed70 74 65 72 66 61 63 65 73 - 2e 49 6e 74 65 72 66 61
000000000012ed80 63 65 73 54 6f 6f 6c 6b - 69 74 7e 43 72 65 61 74
000000000012ed90 65 51 75 65 75 65 28 53 - 74 72 69 6e 67 2c 42 6f
000000000012eda0 6f 6c 65 61 6e 2c 42 6f - 6f 6c 65 61 6e 2c 42 6f
000000000012edb0 6f 6c 65 61 6e 2c 42 6f - 6f 6c 65 61 6e 2c 42 6f
000000000012edc0 6f 6c 65 61 6e 2c 42 6f - 6f 6c 65 61 6e 2c 42 6f

I hope this helps someone.

Sincerely,
Chad Myers

--
NTBugtraq Editor's Note:

Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
--

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]