Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security VulnWatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[VulnWatch] eEye Advisory - EEYEB-20050316 - HTML Help File Parsing Buff

from [Steve Manzuik] Network Security [Permanent Link]
Subject: [VulnWatch] eEye Advisory - EEYEB-20050316 - HTML Help File Parsing Buffer Overflow
Date: Tue, 14 Jun 2005 16:57:58 -0700 
EEYEB-20050316 - HTML Help File Parsing Buffer Overflow

Release Date:
June 14, 2005

Date Reported:
March 16, 2005

Severity:
High (Remote Code Execution)

Vendor:
Microsoft

Systems Affected:
Windows 98 / 98 SE
Windows Me
Windows 2000 Service Pack 3 / Service Pack 4
Windows XP Service Pack 1 / Service Pack 2
Windows XP 64-Bit Itanium SP 1
Windows XP 64-Bit Itanium 2003
Windows XP Professional x64 Edition
Windows 2003 Server / Service Pack 1
Windows 2003 for Itanium / Service Pack 1
Windows 2003 x64 Edition

Overview:
eEye Digital Security has discovered a vulnerability in the way various
versions of Windows handle Windows Help (.CHM) files.  If exploited,
this vulnerability allows arbitrary code to be executed by the remote
attacker.  A malicious .CHM file can be opened by Internet Explorer
without user interaction by using the "ms-its" protocol specification;
for example:

ms-its:\\server\\file.chm:/label.htm

This vulnerability affects any application that uses the Windows Help
component of Internet Explorer internally.


Technical Details:
A CHM file can be specially crafted in order to cause a heap overflow,
leading to one of the following exploitable situations:

(1) 1A40C0DD  call dword ptr [ecx+18h]  : we can control ECX, EAX points
to our buffer

(2) 717AA58C  call dword ptr [ecx+4]    : we can control ECX, EAX points
to our buffer

(3) 77F8C7A9  mov  dword ptr [ecx],eax  : we can control ECX and EAX,
EDI points to our buffer

This heap overflow is caused by an integer overflow in a size field.
Specifying a very high DWORD value (e.g., 0xFFFFFFFD) in this field will
cause a buffer overflow and an excessive memory copy that overwrites all
contiguous heap memory and eventually reaches a page boundary.

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.
Blink Endpoint Protection defends against this vulnerability.

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is
available at:
http://www.microsoft.com/technet/security/bulletin/MS05-026.mspx

Credit:
Discovery: Yuji Ukai

Related Links:

Retina Network Security Scanner - Free 15 Day Trial
http://www.eeye.com/html/products/retina/download/index.html

Retina Network Security Scanner - Japanese Edition
http://www.sse.co.jp/eeye/index.html

Greetings:
SSE Retina Team, All attendees of the workshop at Triton Square,
WAIGAYA@Ichigaya

Copyright (c) 1998-2005 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [VulnWatch] eEye Advisory - EEYEB-20050316 - HTML Help File Parsing Buffer Overflow, Steve Manzuik <=
Previous by Date:  [Full-disclosure] iDEFENSE Security Advisory 06.14.05: Microsoft Windows Interactive Training Buffer Overflow Vulnerability, iDEFENSE Labs
Next by Date:  [VulnWatch] High Risk Vulnerability in HTML Help (ITSS Parser), NGSSoftware Insight Security Research
Previous by Thread:  [Full-disclosure] iDEFENSE Security Advisory 06.14.05: Microsoft Windows Interactive Training Buffer Overflow Vulnerability, iDEFENSE Labs
Next by Thread:  [VulnWatch] High Risk Vulnerability in HTML Help (ITSS Parser), NGSSoftware Insight Security Research
Indexes:  [Date] [Thread] [Top] [All Lists]