Eagle Werros

2006-02-14T00:00:00
ID SECURITYVULNS:DOC:11427
Type securityvulns
Reporter Securityvulns
Modified 2006-02-14T00:00:00

Description

Unl0ck Research Team Security Advisory

    product : HTML Help Workshop (1994-1999)
    bug     : stack overflow
    vendor  : Microsoft Corp. (http://microsoft.com)
    date    : 13.02.06
    author  : darkeagle

Info: stack-based buffer overflows were found in HTML Help Workshop. HTML Help Workshop crashes when the user opens a specially crafted .hhp file.

Details:
Further buffer overflows were found in the parsing of tag arguments, for example:

    Index File=aaaaaaaaaaaaaaaa..
    Sample list file=aaaaaaaa....

  Maybe others; I'm too lazy to continue my HTML Workshop research.

Look at the code below:

    .text:0041C60F loc_41C60F:                      ; CODE XREF: sub_41C4FA+111j
    .text:0041C60F     test    eax, eax
    .text:0041C611     jz      short loc_41C626
    .text:0041C613     push    dword ptr [ebx+68h]
    .text:0041C616     push    offset aIndexFile       ; "Index file="
    .text:0041C61B     push    dword ptr [ebx+0D4h]
    .text:0041C621     call    sub_41CC27

    // sub_41CC27
    .text:0041CC35     mov     ebx, 400h               ; 1024 bytes
    ...
    .text:0041CC54     sub     edi, ecx
    .text:0041CC56     push    ebx                     ; size_t
    .text:0041CC57     mov     eax, ecx
    .text:0041CC59     mov     esi, edi
    .text:0041CC5B     mov     edi, [ebp-10h]
    .text:0041CC5E     push    dword ptr [ebp+10h]     ; char *
    .text:0041CC61     shr     ecx, 2
    .text:0041CC64     rep movsd
    .text:0041CC66     mov     ecx, eax
    .text:0041CC68     and     ecx, 3
    .text:0041CC6B     rep movsb
    .text:0041CC6D     push    dword ptr [ebp-10h]     ; char *
    .text:0041CC70     call    ds:strncat

  The vulnerable program first copies the tag name into the destination with a rep movsd/rep movsb loop, then appends the tag's value with strncat(), whose length argument is the constant 400h loaded into ebx. In C terms it amounts to:

    strncat(dst, src, 1024);   /* dst = [ebp-10h], n fixed at 400h */

  The 1024 bounds how many bytes strncat() takes from the source, not how much room is left in the destination. Because the tag name has already been written into dst, a long tag argument (such as the "Index file=aaaa..." line above) is appended past the end of the buffer.
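The following is an added example, not the advisory's PoC or Microsoft's code. It models the pattern seen in the disassembly in plain C: a "key=value" line is pulled out of a constructed .hhp fragment, the tag name is copied into a 1024-byte destination, and the value is appended with strncat() using a fixed n of 1024. The vulnerable path writes into an oversized scratch area so the overrun can be measured without corrupting anything, and a hardened variant shows the correct bound (remaining capacity, not a constant). The names TAG_BUF, SCRATCH, SAMPLE_HHP, hhp_value, append_tag_vulnerable, append_tag_fixed, vulnerable_overrun, fixed_len and fixed_truncated are all this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 400h: the append length the disassembly loads into ebx before strncat. */
#define TAG_BUF 1024
/* Oversized area so the vulnerable write stays inside a valid object
   and can be measured instead of crashing the demo. */
#define SCRATCH 4096

/* Constructed sample .hhp text for this example (not the advisory's PoC). */
static const char SAMPLE_HHP[] =
    "[OPTIONS]\n"
    "Compatibility=1.1 or later\n"
    "Index file=index.hhk\n"
    "Default topic=index.htm\n";

/* Return a pointer to the value after "key=" on the matching line, or NULL.
   The value runs up to the next newline; callers measure it with strcspn. */
const char *hhp_value(const char *text, const char *key) {
    size_t klen = strlen(key);
    const char *line = text;
    while (*line) {
        if (strncmp(line, key, klen) == 0 && line[klen] == '=')
            return line + klen + 1;
        line += strcspn(line, "\n");
        if (*line == '\n') line++;
    }
    return NULL;
}

/* Vulnerable pattern, modelled on the disassembly: the tag name is copied
   into dst, then the value is appended with strncat and a fixed n of 1024.
   strncat's n bounds the bytes read from src, not the space left in dst, so
   prefix + up to 1024 value bytes + NUL can exceed a 1024-byte destination. */
static void append_tag_vulnerable(char *dst, const char *prefix, const char *value) {
    strcpy(dst, prefix);           /* stands in for the rep movsd/movsb copy */
    strncat(dst, value, TAG_BUF);  /* n = 400h regardless of what dst holds */
}

/* Hardened form: derive n from the capacity actually remaining in dst.
   Returns -1 if the prefix alone does not fit, 1 if the value was truncated,
   0 otherwise. */
int append_tag_fixed(char *dst, size_t cap, const char *prefix, const char *value) {
    size_t plen = strlen(prefix);
    if (cap == 0 || plen >= cap) return -1;
    memcpy(dst, prefix, plen + 1);
    size_t room = cap - plen - 1;   /* bytes left for the value, NUL excluded */
    strncat(dst, value, room);      /* never writes past dst[cap - 1] */
    return strlen(value) > room ? 1 : 0;
}

/* n bytes of 'a', like the "Index File=aaaa..." line in the advisory. */
static char *make_value(size_t n) {
    char *v = malloc(n + 1);
    if (!v) abort();
    memset(v, 'a', n);
    v[n] = '\0';
    return v;
}

/* Bytes the vulnerable append writes beyond a TAG_BUF-byte destination for a
   value of value_len bytes (0 when everything fits). */
size_t vulnerable_overrun(size_t value_len) {
    char *value = make_value(value_len);
    char *scratch = calloc(1, SCRATCH);
    if (!scratch) abort();
    append_tag_vulnerable(scratch, "Index file=", value);
    size_t written = strlen(scratch) + 1;   /* including the terminating NUL */
    free(value);
    free(scratch);
    return written > TAG_BUF ? written - TAG_BUF : 0;
}

/* Length of the string the hardened append leaves in a TAG_BUF-byte buffer. */
size_t fixed_len(size_t value_len) {
    char dst[TAG_BUF];
    char *value = make_value(value_len);
    append_tag_fixed(dst, sizeof dst, "Index file=", value);
    free(value);
    return strlen(dst);
}

/* Whether the hardened append had to truncate the value. */
int fixed_truncated(size_t value_len) {
    char dst[TAG_BUF];
    char *value = make_value(value_len);
    int rc = append_tag_fixed(dst, sizeof dst, "Index file=", value);
    free(value);
    return rc;
}

int main(void) {
    const char *v = hhp_value(SAMPLE_HHP, "Index file");
    printf("Index file=%.*s\n", (int)strcspn(v, "\n"), v);
    printf("1012-byte value: overrun %zu\n", vulnerable_overrun(1012));
    printf("1500-byte value: overrun %zu bytes past %d\n", vulnerable_overrun(1500), TAG_BUF);
    printf("hardened: len %zu, truncated %d\n", fixed_len(1500), fixed_truncated(1500));
    return 0;
}
```

Note that the overrun is capped at 12 bytes here only because the prefix is 11 bytes long; the fixed n still lets the full prefix plus 1024 value bytes plus a NUL through, which is the property a crafted .hhp exploits. The hardened version subtracts what the destination already holds before calling strncat(), so the result never exceeds cap - 1 characters.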

Microsoft coders write such secure code. Keep coding like this.

PoC: Proof of Concept code can be downloaded from http://eagle.blacksecurity.org

Greets: rst/ghc { ed, uf0, fost }, uKt { choix, nekd0, payhash, antq }, blacksecurity { #black }, 0x557 { kaka, swan, sam, nolife }, sowhat, tty64 { izik }

(c) 2004 [-] 2006