Insecure Library Loading
Moderately critical

Microsoft Windows HTML Help File Processing Vulnerability


Release Date:  2010-03-11    Last Update:  2013-03-26    Views:  7,194

Secunia Advisory SA38916


Description


Eduardo Prado has discovered a vulnerability in Microsoft Windows, which can be exploited by malicious people to potentially compromise a user's system.



Subject: Microsoft Windows HTML Help File Processing Vulnerability

dallasii

RE: Microsoft Windows HTML Help File Processing Vulnerability
This reply has been minimised due to a negative Relevancy Score.
edubr2010 RE: Microsoft Windows HTML Help File Processing Vulnerability
Member 13th Mar, 2010 05:59
Score: 1
Posts: 3
User Since: 13th Mar 2010
System Score: N/A
Location: BR
Last edited on 13th Mar, 2010 05:59
Sorry, but this is a totally different vulnerability. If they addressed it in this other advisory then it is a mistake. This "HTML help file processing" vulnerability here lies in a different help system, the HTML Help, not the old WinHelp. The vulnerability causes the incorrect CHM help file to be loaded if it resides in the same directory the application requesting help starts in and has the same name.

In the demonstration, I use Microsoft Notepad, so putting a notepad.chm file in the same directory as a TXT file will trigger the vuln when the user presses the F1 key. Also notice it bypasses that file-open prompt Windows displays upon opening unsafe files in remote NetBIOS shares. In a local scenario the user only needs to press the F1 key to get arbitrary code executed on the system. On a remote NetBIOS share, the user needs to further click on a topic, which causes JavaScript to be parsed in the IE Local Machine zone. Since the Help window does not display a status bar or address bar, the user can be tricked into thinking the help file is the legitimate one located on the local disk, when actually it is not.
Was this reply relevant?
+1
-0
edubr2010 RE: Microsoft Windows HTML Help File Processing Vulnerability
Member 8th Mar, 2013 01:39
Score: 1
Posts: 3
User Since: 13th Mar 2010
System Score: N/A
Location: BR
*Important:*

Updated Advisory:

Not only the HTML Help Control (HHCTRL.OCX) is vulnerable, but also the programs that invoke it, because both use relative paths and perform unsafe searches, looking for the help file first in the directory the affected program started in (working directory). Below are all the vectors on Windows XP SP3:

This is the first code execution vulnerability to affect MS Notepad and the pioneer of the "insecure library loading" vulnerability, because it uses the same technique; the difference is that here a CHM file is loaded instead of a DLL.


Below are: vectors, the (otherwise safe) type of file, and the corresponding help file.


1) MS Notepad - Text documents (.TXT) - notepad.chm

2) Ms Data Access (oledb32.dll) - MS Data Link file (.UDL) - msdasc.chm

3) MS Help And Support Center (XP) - System Information file (.NFO) - msinfo32.chm

4) MS Clipboard Viewer - clipboard file (.CLP) - clipbrd.chm

5) MS Remote Desktop Connection Program - Remote Desktop Connection File (.RDP) - mstsc.chm

6) Hyper Terminal - Hyper Terminal file (.ht) - hypertrm.chm

The severity was changed to moderately critical thanks to a vulnerability in CHM files discovered by Luigi Auriemma. It is a stack-based buffer overflow that is triggered when the CHM file is invoked, so the user does not have to click help topics inside the CHM file.

For more information about this vulnerability please see:

http://aluigi.altervista.org/adv/chm_1-adv.txt

Was this reply relevant?
+0
-0
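Both comments above describe the same pattern: a program (or HHCTRL.OCX on its behalf) looks for its help file by relative name, starting in the directory it was launched from, so a CHM planted next to an otherwise harmless data file gets loaded instead of the real one. The following script is an added example, not code from the advisory or from the commenters; it is a defender-side check that walks a directory tree (for instance a mounted file share) and flags any directory that contains one of the help-file names listed in the comment alongside a data file of the type that opens the corresponding program. The `HELP_FILE_TRIGGERS` table is built from the six vectors listed above; the sample directory tree it builds is constructed for the demonstration and is not from the page.

```python
"""Flag CHM help files placed beside the data files that would cause them to be loaded.

Added example (not from the Secunia advisory). It encodes the program / data-file /
help-file mapping listed in the comment above and reports co-located pairs.
"""
import os
import tempfile

# Help-file name each affected program looks up (relative to its working directory),
# mapped to the data-file extensions that launch that program. Taken from the
# six vectors enumerated in the comment; extend as needed.
HELP_FILE_TRIGGERS = {
    "notepad.chm": {".txt"},   # MS Notepad
    "msdasc.chm": {".udl"},    # MS Data Access (oledb32.dll)
    "msinfo32.chm": {".nfo"},  # MS Help and Support Center (XP)
    "clipbrd.chm": {".clp"},   # MS Clipboard Viewer
    "mstsc.chm": {".rdp"},     # MS Remote Desktop Connection
    "hypertrm.chm": {".ht"},   # HyperTerminal
}


def scan_directory(path):
    """Return sorted (chm_path, [trigger files]) tuples for one directory.

    A finding is a file whose name (case-insensitively, as NTFS/SMB compare names)
    matches a known help-file name. The trigger list holds the co-located data
    files that would cause that help file to be opened with F1.
    """
    findings = []
    try:
        names = os.listdir(path)
    except OSError:
        return findings  # unreadable directory: nothing to report
    by_lower = {n.lower(): n for n in names}
    for chm, exts in HELP_FILE_TRIGGERS.items():
        if chm not in by_lower:
            continue
        triggers = sorted(n for n in names if os.path.splitext(n)[1].lower() in exts)
        findings.append((os.path.join(path, by_lower[chm]), triggers))
    return sorted(findings)


def scan_tree(root):
    """Walk a whole tree (e.g. a mounted share) and collect findings from every directory."""
    results = []
    for dirpath, _dirnames, _filenames in os.walk(root):
        results.extend(scan_directory(dirpath))
    return results


def finding_summary(findings):
    """Map lowercase CHM basename -> trigger files, for easy reporting or assertions."""
    return {os.path.basename(p).lower(): t for p, t in findings}


def build_demo_tree():
    """Create a constructed sample tree: one benign folder and one with planted CHMs."""
    root = tempfile.mkdtemp(prefix="chm_demo_")
    benign = os.path.join(root, "reports")
    planted = os.path.join(root, "shared_docs")
    os.makedirs(benign)
    os.makedirs(planted)
    for name in ("q1.txt", "notes.rdp"):          # data files only: no finding
        open(os.path.join(benign, name), "w").close()
    for name in ("readme.txt", "Notepad.CHM", "link.udl", "msdasc.chm"):
        open(os.path.join(planted, name), "w").close()
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for chm_path, trigger_files in scan_tree(demo_root):
        print(f"suspicious help file {chm_path} next to {trigger_files}")
```

The check is a heuristic: a legitimately copied help file will also match, so treat a hit as something to inspect (who wrote the file, when, and whether the real program directory already holds a CHM of that name) rather than as proof of planting. Running it against a share that users open TXT, UDL or RDP files from is the place where the pattern in the comments would otherwise go unnoticed, because the Help window shows no address bar to reveal where the file came from.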

© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144