Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security NTBugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

HyperTerminal - Buffer Overflow In .ht File

from [Brett Moore] Network Security [Permanent Link]
Subject: HyperTerminal - Buffer Overflow In .ht File
Date: Wed, 15 Dec 2004 12:00:06 +1300 
========================================================================
= HyperTerminal - Buffer Overflow In .ht File
=
= MS Bulletin posted:
= http://www.microsoft.com/technet/security/bulletin/MS04-043.mspx
=
= Affected Software:
=      Microsoft Windows NT Server 4.0 SP 6a
=      Microsoft Windows NT Server 4.0 Terminal Server Edition SP6
=      Microsoft Windows 2000 SP4
=      Microsoft Windows XP SP2
=      Microsoft Windows XP 64-Bit Edition SP1
=      Microsoft Windows XP 64-Bit Edition Version 2003
=      Microsoft Windows Server 2003
=      Microsoft Windows Server 2003 64-Bit Edition
=
= Public disclosure on December 15, 2004
========================================================================

== Overview ==

When thinking about buffer overflow vulnerabilities, a file can sometimes
be as harmful as a packet. Even though past security issues have taught
us that it is unwise to use a string from a file/packet without first
checking its length, this is what happened here.

HyperTerminal will save sessions as files with the extension of .ht which
will contain the connection info for the current session. It is then
possible to have the connection restarted by loading or executing the
saved session file.

Through the creation of a corrupt .ht file, it is possible to gain
control of EIP and execute arbitrary code.

== Exploitation ==

It appears that a section of the heap, that is overwritten with the
corrupt file, contains a lookup table that is later used through a
CALL [ECX+374] instruction.

This allows for exploitation even on systems like XP SP2, as the
stack/heap protection does not come into play.

Basic exploitation can be achieved through sending the target user the
corrupt file. Once the file is opened, and HyperTerminal is closed any
arbitrary code will be executed.

Remote exploitation through Internet Explorer can be obtained through the
use of an iframe or other similar object to open a file from a public
UNC share or through a 'coupled' browser exploit that saves the file to
a known location before opening it. If HyperTerminal is the current
default telnet handler, Internet Explorer will automatically open the
corrupt file, leading to exploitation.

There did appear to be some URL manipulation that caused the \ character
to be altered, preventing the use of the UNC share, but this filtering
could be prevented by the use of another valid URL character.

== Solutions ==

- Install the vendor supplied patch.
- Remove the HyperTerminal application.

== Credit ==

Discovered and advised to Microsoft July 15, 2004 by Brett Moore of
Security-Assessment.com

%-) Merry Xmas guys, Ceaser, Ollie, R and the unconventional, Dave,
%-) K2 and the convers crew, DarkSpyrit and the whole eEye team.

== About Security-Assessment.com ==

Security-Assessment.com is a leader in intrusion testing and security
code review, and leads the world with SA-ISO, online ISO17799 compliance
management solution. Security-Assessment.com is committed to security
research and development, and its team have previously identified a
number of vulnerabilities in public and private software vendors products.

######################################################################
CONFIDENTIALITY NOTICE:

This message and any attachment(s) are confidential and proprietary.
They may also be privileged or otherwise protected from disclosure. If
you are not the intended recipient, advise the sender and delete this
message and any attachment from your system. If you are not the
intended recipient, you are not authorised to use or copy this message
or attachment or disclose the contents to any other person. Views
expressed are not necessarily endorsed by Security-Assessment.com
Limited. Please note that this communication does not designate an
information system for the purposes of the New Zealand Electronic
Transactions Act 2003.
######################################################################

--
Editor's Note: The 43rd Most Powerful Person in Networking says...

Register today to take the TruSecure ICSA exam by 12/31/04  at
<http://www.2test.com> ,  use promo code "CT1204" and you will pay just
$221.25 US Dollars for domestic exam delivery and  $296.25 US Dollars
for international delivery.

Visit <https://ticsa.trusecure.com>  for complete details regarding the
TICSA credential and to take the free sample exam.

--
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • HyperTerminal - Buffer Overflow In .ht File, Brett Moore <=
Previous by Date:  [VulnWatch] Hotmail Cross-Site Scripting Vulnerability #1, Rafel Ivgi, The-Insider
Next by Date:  [VulnWatch] Hotmail Cross Site Scripting Vulnerability #2, Rafel Ivgi
Previous by Thread:  [VulnWatch] Hotmail Cross-Site Scripting Vulnerability #1, Rafel Ivgi, The-Insider
Next by Thread:  [VulnWatch] Hotmail Cross Site Scripting Vulnerability #2, Rafel Ivgi
Indexes:  [Date] [Thread] [Top] [All Lists]