Bad string handling in hha.dll (HTML Help Workshop)?

Subject: Bad string handling in hha.dll (HTML Help Workshop)?
Date: Mon, 16 May 2005 15:33:09 -0500
Everyone:

Sorry I can't provide more details about this issue. I'm hoping one of the
technical folks who know how to identify and exploit a possible
vulnerability like this can help track down the specifics. It appears there
is some bad string handling in (what appears to be) hha.dll that is part of
the HTML Help Compiler (HHC.exe) and/or HTML Help Workshop (version
4.74.8702.0 on my system). I'm not sure, but this might be a buffer overrun
and could be exploitable.

We use a tool to generate all the files necessary for the HHC to spit out a
resultant CHM file. The tool had a bug in it that spit out a file name that
was greater than MAX_PATH. The tool could not save the file. It failed
silently, but it added the path to the T.O.C. file that HHC uses.

When HHC went to compile, it tried to read the too-big file name and it
crashed with an access violation (0xc0000005 - Access Violation).

Here are some details:

VERSIONS
======================
OS: WinXP SP2
HHW: 4.74.8702.0
HHA: 4.74.8702.0
HHCTRL: 5.02.3790.1280
ITIRCL: 5.02.3790.1159
ITSS: 5.02.3790.1221

I was able to get Dr Watson to dump some interesting information, perhaps
this will help:


*----> State Dump for Thread Id 0x10d4 <----*

eax=00000000 ebx=00000000 ecx=ffffffff edx=45381228 esi=682e296e
edi=682e296e eip=4530f3fb esp=0012ec90 ebp=0012ecb0 iopl=0
nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000 fl=00000246

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for
C:\WINDOWS\system32\HHA.dll -
function: HHA!Ordinal23
        4530f3e4 53               push    ebx
        4530f3e5 56               push    esi
        4530f3e6 8b74240c         mov     esi,[esp+0xc]
        4530f3ea 57               push    edi
        4530f3eb 85f6             test    esi,esi
        4530f3ed 7505             jnz     HHA!Ordinal23+0x10 (4530f3f4)
        4530f3ef bee4363645       mov     esi,0x453636e4
        4530f3f4 8bfe             mov     edi,esi
        4530f3f6 83c9ff           or      ecx,0xffffffff
        4530f3f9 33c0             xor     eax,eax
FAULT ->4530f3fb f2ae             repne   scasb

es:682e296e=??
        4530f3fd f7d1             not     ecx
        4530f3ff 51               push    ecx
        4530f400 e86b290300       call    HHA!Ordinal358+0x4d3 (45341d70)
        4530f405 59               pop     ecx
        4530f406 8bd0             mov     edx,eax
        4530f408 8bfe             mov     edi,esi
        4530f40a 83c9ff           or      ecx,0xffffffff
        4530f40d 33c0             xor     eax,eax
        4530f40f f2ae             repne   scasb
        4530f411 f7d1             not     ecx

*----> Stack Back Trace <----*
WARNING: Stack unwind information not available. Following frames may be
wrong.
ChildEBP RetAddr  Args to Child
0012ecb0 45315376 682e296e 00000000 0012eef8 HHA!Ordinal23+0x17
0012ed1c 4531beaa 682e296e 0012ed3c 00000000 HHA!Ordinal315+0x1d
0012ef4c 4531e702 0012f3b4 00ca2c20 0012ef7c HHA!HHA_CompileHHP+0x36fe
006c6d74 00000013 00000000 7fffffff 00000000 HHA!HHA_CompileHHP+0x5f56

*----> Raw Stack Dump <----*
000000000012ec90  00 00 00 00 ec ec 12 00 - 00 00 00 00 aa 4c 31 45
000000000012eca0  6e 29 2e 68 00 00 00 00 - f8 ee 12 00 00 00 00 00
000000000012ecb0  1c ed 12 00 76 53 31 45 - 6e 29 2e 68 00 00 00 00
000000000012ecc0  f8 ee 12 00 14 f6 12 00 - a0 2d ca 00 00 00 00 00
000000000012ecd0  a0 2d ca 00 00 00 00 00 - 00 00 00 00 00 00 00 00
000000000012ece0  00 00 00 00 00 00 00 00 - 00 00 d5 77 e0 2c ca 00
000000000012ecf0  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
000000000012ed00  00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 31 45
000000000012ed10  80 ef 12 00 9c 21 36 45 - ff ff ff ff 4c ef 12 00
000000000012ed20  aa be 31 45 6e 29 2e 68 - 3c ed 12 00 00 00 00 00
000000000012ed30  20 2c ca 00 27 2c ca 00 - 18 f1 12 00 46 43 68 6f
000000000012ed40  69 63 65 2e 54 6f 6f 6c - 6b 69 74 73 2e 43 6c 61
000000000012ed50  72 69 66 79 7e 46 43 68 - 6f 69 63 65 2e 54 6f 6f
000000000012ed60  6c 6b 69 74 73 2e 43 6c - 61 72 69 66 79 2e 49 6e
000000000012ed70  74 65 72 66 61 63 65 73 - 2e 49 6e 74 65 72 66 61
000000000012ed80  63 65 73 54 6f 6f 6c 6b - 69 74 7e 43 72 65 61 74
000000000012ed90  65 51 75 65 75 65 28 53 - 74 72 69 6e 67 2c 42 6f
000000000012eda0  6f 6c 65 61 6e 2c 42 6f - 6f 6c 65 61 6e 2c 42 6f
000000000012edb0  6f 6c 65 61 6e 2c 42 6f - 6f 6c 65 61 6e 2c 42 6f
000000000012edc0  6f 6c 65 61 6e 2c 42 6f - 6f 6c 65 61 6e 2c 42 6f

I hope this helps someone.

Sincerely,
Chad Myers
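An added example, not code from the post or from HTML Help Workshop: a bounds-checked path copy and T.O.C. loader in C that rejects file names longer than MAX_PATH instead of silently overrunning a fixed buffer, which is the defensive handling the report points at (both in the generating tool and in the compiler). MAX_PATH = 260, the struct layout and the sample entries are assumptions constructed for illustration.

```c
#include <string.h>

#ifndef MAX_PATH
#define MAX_PATH 260   /* Windows MAX_PATH, counting the terminating NUL (assumed) */
#endif

/* Fixed-size path buffer next to a pointer: an unchecked copy of an over-long
 * name runs off 'path' into 'title', leaving a pointer made of string bytes,
 * the shape of fault the inline strlen loop (repne scasb) in the dump above
 * shows. Layout is constructed for illustration. */
struct toc_entry {
    char path[MAX_PATH];
    const char *title;
};

/* Hardened copy: rejects a source that does not fit (NUL included) instead
 * of overrunning dst. Returns 1 on success, 0 if rejected. */
int copy_path_checked(char *dst, size_t dst_size, const char *src)
{
    size_t n = 0;
    while (n < dst_size && src[n] != '\0') n++;   /* never scan past dst_size */
    if (n == dst_size) return 0;                   /* no room for the NUL */
    memcpy(dst, src, n + 1);
    return 1;
}

/* Load TOC entries, dropping any whose path is too long; returns how many. */
int load_toc(struct toc_entry *out, const char *const *paths,
             const char *const *titles, int count)
{
    int rejected = 0;
    for (int i = 0; i < count; i++) {
        int ok = copy_path_checked(out[i].path, sizeof out[i].path, paths[i]);
        if (!ok) out[i].path[0] = '\0';            /* keep a safe, empty record */
        out[i].title = ok ? titles[i] : NULL;
        rejected += !ok;
    }
    return rejected;
}

/* Constructed sample: one normal entry and one 300-character file name. */
int demo_rejected_count(void)
{
    static char long_name[301];
    memset(long_name, 'a', 296);
    memcpy(long_name + 296, ".htm", 5);            /* 300 chars + NUL */
    const char *paths[2]  = { "html/intro.htm", long_name };
    const char *titles[2] = { "Introduction", "Generated topic" };
    struct toc_entry toc[2];
    return load_toc(toc, paths, titles, 2);        /* 1: the long name is dropped */
}
```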

--
NTBugtraq Editor's Note:

Most viruses these days use spoofed email addresses. As such, using an
Anti-Virus product which automatically notifies the perceived sender of a
message it believes is infected may well cause more harm than good. Someone who
did not actually send you a virus may receive the notification and scramble
their support staff to find an infection which never existed in the first
place. Suggest such notifications be disabled by whoever is responsible for
your AV, or at least that the idea is considered.
--
