Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] Microsoft Windows winhlp32.exe Heap Overflow Vulnerability

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] Microsoft Windows winhlp32.exe Heap Overflow Vulnerability
Date: 27 Dec 2004 10:37:36 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Microsoft Windows winhlp32.exe Heap Overflow Vulnerability
------------------------------------------------------------------------


SUMMARY

There is a vulnerability in Microsoft Windows .hlp file parsing program 
winhlp32.exe. The vulnerability is caused due to a decoding error within 
the windows .hlp header processing. This can be exploited to cause a 
heap-based buffer overflow.

DETAILS

Vulnerable Systems:
 * Windows NT
 * Windows 2000 SP0
 * Windows 2000 SP1
 * Windows 2000 SP2
 * Windows 2000 SP3
 * Windows 2000 SP4
 * Windows XP SP0
 * Windows XP SP1
 * Windows 2003
 * Windows XP SP2

If the help file is phrase compressed, it contains an internal file named 
phrases. The table header of the phrases table is located at offset 0x19 
in the .hlp file and its file structure includes:

unsigned short wNumberOfPhrases;
unsigned short wOneHundred; 0x0100;
long decompressedsize;

The phrases table header is followed by the phrases table itself. Each 
phrase occupies 2 bytes, which is unsigned short type.
The function of 0100A1EF has 3 parameters. The 3rd parameter is pointed to 
the phrases table header. The second one is pointed to a heap memory, 
which is used for saving phrases data. But, during calculating data 
length, there is not sufficient check of the data length. This can be 
exploited by using a malformed .hlp file to cover the heap memory which is 
pointed by the second
parameter.
The analysis for the function of 0100A1EF is as follows:
0100A1EF sub_100A1EF proc near ; CODE XREF: sub_100A14C+6Fp
text:0100A1EF
text:0100A1EF arg_0 = dword ptr 4
text:0100A1EF arg_4 = dword ptr 8
text:0100A1EF arg_8 = dword ptr 0Ch
text:0100A1EF
text:0100A1EF mov eax, [esp+arg_8] ;arg_8 pointed to phrase table header
text:0100A1F3 push ebx
text:0100A1F4 push esi
text:0100A1F5 push edi
text:0100A1F6 movzx edx, word ptr [eax+2] ;[eax+2] -> wOneHundred
text:0100A1FA mov ecx, [eax+0Ch] ;[eax+0Ch] -> phrase table
text:0100A1FD mov eax, [esp+0Ch+arg_0] ;the following calculates the 
offset of phrase table
text:0100A201 sub eax, edx
text:0100A203 mov ebx, [esp+0Ch+arg_4]
text:0100A207 mov edi, eax
text:0100A209 shr eax, 1
text:0100A20B and edi, 1
text:0100A20E movzx edx, word ptr [ecx+eax*2] ;phrase_offset1
text:0100A212 movzx esi, word ptr [ecx+eax*2+2] ;phrase_offset2
text:0100A217 sub esi, edx
text:0100A219 add ecx, edx
text:0100A21B push esi ; size_t ;size = phrase_offset2 - phrase_offset1
text:0100A21C push ecx ; void *
text:0100A21D push ebx ; void * ;ebx -> No.2 pointer, to heap memory
text:0100A21E call ds:memmove

Two vulnerabilities exist in this code:
1. An Integer bufferoverflow, size = phrase_offset2 - phrase_offset1 if 
phrase_offset2 less than phrase_offset1 the size will be negative number 
and then memmove use this negative number size for memory copy cause of 
the heap overflow.

2. The allocated heap size depends on a item of phrase table not the 
phrasesEndOffset-phrasesHeadOffset size so if we changed the 
phrasesEndOffset size and will cause another heap overflow here.

Proof of Concept Code:
Proof of concept code for these vulnerabilities can be found here:
 <http://www.xfocus.net/flashsky/icoExp/search.hlp> Heap Overflow demo
 <http://www.xfocus.net/flashsky/icoExp/search1.hlp> Integer Buffer 
overflow demo


ADDITIONAL INFORMATION

The information has been provided by  <mailto:flashsky@xfocus.org> 
Flashsky.
The original article can be found at:  
<http://www.xfocus.net/articles/200412/766.html> 
http://www.xfocus.net/articles/200412/766.html



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] Microsoft Windows winhlp32.exe Heap Overflow Vulnerability, SecuriTeam <=
Previous by Date:  [EXPL] Crystal FTP Pro Client LIST Proof of Concept, SecuriTeam
Next by Date:  [EXPL] Missing DAC controls in sys_chown() on Linux., SecuriTeam
Previous by Thread:  [EXPL] Crystal FTP Pro Client LIST Proof of Concept, SecuriTeam
Next by Thread:  [EXPL] Missing DAC controls in sys_chown() on Linux., SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]