Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Windows :: hack7645.htm

Microsoft Windows winhlp32.exe Heap Overflow vuln



Microsoft Windows winhlp32.exe Heap Overflow Vulnerability



Venustech AD-Lab       

www.venustech.com.cn 



[Security Advisory]

    

    

Advisory: [AD_LAB-04006]Microsoft Windows winhlp32.exe Heap Overflow Vulnerability

Class: Design Error

DATE:12/20/2004

Remote: Yes

 

Vulnerable:

 Windows NT 

 Windows 2000 SP0

 Windows 2000 SP1

 Windows 2000 SP2

 Windows 2000 SP3

 Windows 2000 SP4

 Windows XP SP0

 Windows XP SP1

 Windows 2003

 Windows XP SP2

Unvulnerable:

        UnKnow

Vendor:

www.microsoft.com 

 



I.DESCRIPTION: 

-------------

 

There is a vulnerability in Microsoft Windows .hlp file parsing program winhlp32.exe.

The vulnerability is caused due to a decoding error within the windows .hlp header 

processing.This can be exploited to cause a heap-based buffer overflow. 

 



II.DETAILS:

----------

 

If the help file is phrase compressed, it contains an internal file named phrases. 

The table header of phrases table is located at offset 0x19 in the .hlp file 

and its file structure includes:

 

unsigned short wNumberOfPhrases;

unsigned short wOneHundred;  0x0100;

long decompressedsize;

 

The phrases table header is right followed by phrases talbe, and each phrase 

occupies 2 bytes, which is unsigned short type.

 

The function of 0100A1EF has 3 parameters. The 3rd parameter is pointed to 

the phrases table header. The second one is pointed to a heap memory, which 

is used for saving phrases data. But, during calculating data length, there is 

not sufficient check of the data length. This can be exploited by using a 

malformed .hlp file to cover the heap memory which is pointed by the second

parameter.

 

The analysis for the function of 0100A1EF is as follows:

 

0100A1EF sub_100A1EF     proc near               ; CODE XREF: sub_100A14C+6Fp

.text:0100A1EF

.text:0100A1EF arg_0           = dword ptr  4

.text:0100A1EF arg_4           = dword ptr  8

.text:0100A1EF arg_8           = dword ptr  0Ch

.text:0100A1EF

.text:0100A1EF                 mov     eax, [esp+arg_8]    ;arg_8 pointed to phrase table header

.text:0100A1F3                 push    ebx

.text:0100A1F4                 push    esi

.text:0100A1F5                 push    edi

.text:0100A1F6                 movzx   edx, word ptr [eax+2]   ;[eax+2] -> wOneHundred

.text:0100A1FA                 mov     ecx, [eax+0Ch]    ;[eax+0Ch] -> phrase table

.text:0100A1FD                 mov     eax, [esp+0Ch+arg_0]   ;the following calculates the offset of phrase table

.text:0100A201                 sub     eax, edx

.text:0100A203                 mov     ebx, [esp+0Ch+arg_4]

.text:0100A207                 mov     edi, eax

.text:0100A209                 shr     eax, 1

.text:0100A20B                 and     edi, 1

.text:0100A20E                 movzx   edx, word ptr [ecx+eax*2]  ;phrase_offset1

.text:0100A212                 movzx   esi, word ptr [ecx+eax*2+2]  ;phrase_offset2

.text:0100A217                 sub     esi, edx

.text:0100A219                 add     ecx, edx

.text:0100A21B                 push    esi             ; size_t   ;size = phrase_offset2 - phrase_offset1

.text:0100A21C                 push    ecx             ; void *

.text:0100A21D                 push    ebx             ; void *   ;ebx -> No.2 pointer, to heap memory

.text:0100A21E                 call    ds:memmove

 

There are 2 vulns here:

1. A Integer bufferoverflow, size = phrase_offset2 - phrase_offset1if phrase_offset2 less than phrase_offset1 the

size will be negative number and then memmove use this negative number size for memory copye cause of 

the heap overflow.

 

2. The allocated heap size depends on a item of phrase table not the phrasesEndOffset-phrasesHeadOffset size

so if we changed the phrasesEndOffset size and will cause another heap overflow here.

 

More details and POC at http://www.xfocus.net/flashsky/icoExp/index.html . 

 



III.CREDIT: 

----------

 

Keji(yu_keji@venustech.com.cn) discovery this vuln:) 

Vulnerability analysis and advisory by Keji,Flashsky and icbm.

Special thanks to "Fengshou" project members and all Venustech AD-Lab guys:P

 

V.DISCLAIMS:

-----------

 

The information in this bulletin is provided "AS IS" without warranty of any

kind. In no event shall we be liable for any damages whatsoever including direct,

indirect, incidental, consequential, loss of business profits or special damages. 

 

Copyright 1996-2004 VENUSTECH. All Rights Reserved. Terms of use.

 

VENUSTECH Security Lab 

VENUSTECH INFORMATION TECHNOLOGY CO.,LTD(http://www.venustech.com.cn) 

 

          Security

Trusted  {Solution} Provider

          Service


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH