Summary:
There is a vulnerability in the Microsoft Windows .hlp file parser, winhlp32.exe. It is caused by a decoding error in the processing of the .hlp phrases table header and can be exploited to cause a heap-based buffer overflow.
Credit:
The information has been provided by Flashsky.
The original article can be found at: http://www.xfocus.net/articles/200412/766.html
Vulnerable Systems:
* Windows NT
* Windows 2000 SP0
* Windows 2000 SP1
* Windows 2000 SP2
* Windows 2000 SP3
* Windows 2000 SP4
* Windows XP SP0
* Windows XP SP1
* Windows 2003
* Windows XP SP2
If the help file is phrase compressed, it contains an internal file named phrases. The header of the phrases table is located at offset 0x19 in the .hlp file and has the following structure:
struct PhrasesHeader {
    unsigned short wNumberOfPhrases;
    unsigned short wOneHundred;    /* always 0x0100 */
    long decompressedsize;
};
The phrases table header is followed by the phrases table itself. Each phrase entry in the table occupies 2 bytes (an unsigned short).
The function at 0100A1EF takes 3 parameters. The third points to the phrases table header; the second points to a heap buffer used to hold the phrase data. When the length of the data to copy is calculated, there is no sufficient check on that length, so a malformed .hlp file can overwrite the heap memory pointed to by the second parameter.
The analysis of the function at 0100A1EF is as follows:
.text:0100A1EF sub_100A1EF proc near ; CODE XREF: sub_100A14C+6Fp
.text:0100A1EF
.text:0100A1EF arg_0 = dword ptr 4
.text:0100A1EF arg_4 = dword ptr 8
.text:0100A1EF arg_8 = dword ptr 0Ch
.text:0100A1EF
.text:0100A1EF mov eax, [esp+arg_8] ;arg_8 pointed to phrase table header
.text:0100A1F3 push ebx
.text:0100A1F4 push esi
.text:0100A1F5 push edi
.text:0100A1F6 movzx edx, word ptr [eax+2] ;[eax+2] -> wOneHundred
.text:0100A1FA mov ecx, [eax+0Ch] ;[eax+0Ch] -> phrase table
.text:0100A1FD mov eax, [esp+0Ch+arg_0] ;the following calculates the offset of phrase table
.text:0100A201 sub eax, edx
.text:0100A203 mov ebx, [esp+0Ch+arg_4]
.text:0100A207 mov edi, eax
.text:0100A209 shr eax, 1
.text:0100A20B and edi, 1
.text:0100A20E movzx edx, word ptr [ecx+eax*2] ;phrase_offset1
.text:0100A212 movzx esi, word ptr [ecx+eax*2+2] ;phrase_offset2
.text:0100A217 sub esi, edx
.text:0100A219 add ecx, edx
.text:0100A21B push esi ; size_t ;size = phrase_offset2 - phrase_offset1
.text:0100A21C push ecx ; void *
.text:0100A21D push ebx ; void * ;ebx -> No.2 pointer, to heap memory
.text:0100A21E call ds:memmove
Two vulnerabilities exist in this code:
1. An integer overflow: size = phrase_offset2 - phrase_offset1. If phrase_offset2 is less than phrase_offset1, the size becomes a negative number; memmove interprets it as a huge unsigned size and the copy overflows the heap.
2. The allocated heap size depends on an entry of the phrases table, not on the phrasesEndOffset - phrasesHeadOffset size, so changing phrasesEndOffset causes another heap overflow here.
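As an added illustration written for this page (it is not code from the advisory, from Flashsky, or from winhlp32.exe), the following C program models the phrase lookup that sub_100A1EF performs and adds the bounds checks the routine lacks. It covers both findings above: unchecked_size reproduces the offset subtraction to show why a reversed offset pair turns into an enormous memmove length, and copy_phrase_checked rejects a reversed pair, an offset beyond the table, and a phrase larger than the destination buffer. The in-memory layout (table pointer and table length), the helper and field names other than wNumberOfPhrases, wOneHundred and decompressedsize, the 0x0100-minus-code indexing taken from the disassembly, and the sample table bytes are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* In-memory view of the phrases table. The three header fields are the ones
 * named in the advisory; `table` and `table_len` are assumptions standing in
 * for the pointer the routine reads at [header+0Ch] and for the number of
 * bytes really present in the file after the header. Offsets in the table are
 * relative to `table`, as in the disassembly (add ecx, edx). */
typedef struct {
    uint16_t       wNumberOfPhrases;
    uint16_t       wOneHundred;       /* must be 0x0100 */
    int32_t        decompressedsize;
    const uint8_t *table;             /* offset array followed by phrase bytes */
    size_t         table_len;         /* bytes available from `table` to end of file */
} phrase_table_t;

/* Read a little-endian unsigned short from the table (portable across hosts). */
static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Mirrors the size computation in sub_100A1EF: both offsets are zero-extended
 * 16-bit values, subtracted in 32 bits and handed to memmove as size_t. A pair
 * with phrase_offset2 < phrase_offset1 therefore yields a near-SIZE_MAX length. */
size_t unchecked_size(uint16_t phrase_offset1, uint16_t phrase_offset2)
{
    int32_t esi = phrase_offset2;
    int32_t edx = phrase_offset1;
    return (size_t)(esi - edx);
}

/* Hardened lookup: decode phrase `code` (0x0100 is subtracted and the result
 * halved, as the routine does) into dst. Returns the phrase length, or -1 if
 * any bound would be violated. */
int copy_phrase_checked(const phrase_table_t *pt, uint16_t code,
                        uint8_t *dst, size_t dst_len)
{
    if (pt->wOneHundred != 0x0100 || code < pt->wOneHundred)
        return -1;
    uint32_t idx = (uint32_t)(code - pt->wOneHundred) >> 1;
    if (idx >= pt->wNumberOfPhrases)                    /* entry idx+1 must exist */
        return -1;
    if (((size_t)idx + 2) * sizeof(uint16_t) > pt->table_len)
        return -1;                                       /* offset pair beyond file data */
    uint16_t off1 = rd16(pt->table + idx * 2);
    uint16_t off2 = rd16(pt->table + idx * 2 + 2);
    if (off2 < off1)                                     /* vulnerability 1: negative size */
        return -1;
    if (off2 > pt->table_len)                            /* source range outside the table */
        return -1;
    size_t size = off2 - off1;
    if (size > dst_len)                                  /* vulnerability 2: destination too small */
        return -1;
    memmove(dst, pt->table + off1, size);
    return (int)size;
}

/* Constructed sample: two phrases. Three little-endian offsets (6, 11, 16)
 * followed by the phrase bytes "Hello" and "World". */
static const uint8_t good_table[16] = {
    0x06, 0x00, 0x0B, 0x00, 0x10, 0x00,
    'H', 'e', 'l', 'l', 'o', 'W', 'o', 'r', 'l', 'd' };

/* Constructed malformed sample: the second offset is smaller than the first,
 * i.e. the phrase_offset2 < phrase_offset1 case from the advisory. */
static const uint8_t reversed_table[16] = {
    0x0B, 0x00, 0x06, 0x00, 0x10, 0x00,
    'H', 'e', 'l', 'l', 'o', 'W', 'o', 'r', 'l', 'd' };

phrase_table_t make_table(const uint8_t *bytes, size_t len)
{
    phrase_table_t pt = { 2, 0x0100, 10, bytes, len };
    return pt;
}

int main(void)
{
    uint8_t dst[8];
    phrase_table_t good = make_table(good_table, sizeof good_table);
    phrase_table_t bad  = make_table(reversed_table, sizeof reversed_table);
    int n = copy_phrase_checked(&good, 0x0102, dst, sizeof dst);
    printf("phrase 0x0102 -> %d bytes: %.*s\n", n, n, (const char *)dst);
    printf("reversed offsets -> %d (rejected)\n",
           copy_phrase_checked(&bad, 0x0100, dst, sizeof dst));
    printf("unchecked memmove size would be %zu\n", unchecked_size(11, 6));
    return 0;
}
```

The check order matters: the offset pair is validated against the bytes actually present before either offset is dereferenced, and the destination size is compared against the computed length rather than against anything read from the file, which is the property the original allocation-by-table-entry scheme lacked.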
Proof of Concept Code:
Proof of concept code for these vulnerabilities can be found here:
Heap Overflow demo
Integer Buffer overflow demo