eEye Advisory - EEYEB-20050316 - HTML Help File Parsing Buffer Overflow
EEYEB-20050316 - HTML Help File Parsing Buffer Overflow
Release Date:
June 14, 2005
Date Reported:
March 16, 2005
Severity:
High (Remote Code Execution)
Vendor:
Microsoft
Systems Affected:
Windows 98 / 98 SE
Windows Me
Windows 2000 Service Pack 3 / Service Pack 4
Windows XP Service Pack 1 / Service Pack 2
Windows XP 64-Bit Itanium SP 1
Windows XP 64-Bit Itanium 2003
Windows XP Professional x64 Edition
Windows 2003 Server / Service Pack 1
Windows 2003 for Itanium / Service Pack 1
Windows 2003 x64 Edition
Overview:
eEye Digital Security has discovered a vulnerability in the way various
versions of Windows handle Windows Help (.CHM) files. If exploited,
this vulnerability allows arbitrary code to be executed by the remote
attacker. A malicious .CHM file can be opened by Internet Explorer
without user interaction by using the "ms-its" protocol specification;
for example:
ms-its:\\server\\file.chm:/label.htm
This vulnerability affects any application that uses the Windows Help
component of Internet Explorer internally.
Technical Details:
A CHM file can be specially crafted in order to cause a heap overflow,
leading to one of the following exploitable situations:
(1) 1A40C0DD call dword ptr [ecx+18h] : we can control ECX, EAX points
to our buffer
(2) 717AA58C call dword ptr [ecx+4] : we can control ECX, EAX points
to our buffer
(3) 77F8C7A9 mov dword ptr [ecx],eax : we can control ECX and EAX,
EDI points to our buffer
This heap overflow is caused by an integer overflow in a size field.
Specifying a very high DWORD value (e.g., 0xFFFFFFFD) in this field will
cause a buffer overflow and an excessive memory copy that overwrites all
contiguous heap memory and eventually reaches a page boundary.
Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.
Blink Endpoint Protection defends against this vulnerability.
Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is
available at:
http://www.microsoft.com/technet/security/bulletin/MS05-026.mspx
Credit:
Discovery: Yuji Ukai
Related Links:
Retina Network Security Scanner - Free 15 Day Trial
http://www.eeye.com/html/products/retina/download/index.html
Retina Network Security Scanner - Japanese Edition
http://www.sse.co.jp/eeye/index.html
Greetings:
SSE Retina Team, All attendees of the workshop at Triton Square,
WAIGAYA@Ichigaya
Copyright (c) 1998-2005 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert@xxxxxxxx for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.