Moderately critical

Microsoft Windows HTML Help File Processing Vulnerability


Release Date:  2010-03-11    Last Update:  2013-03-26    Views:  7,493

Secunia Advisory SA38916


Description


Eduardo Prado has discovered a vulnerability in Microsoft Windows, which can be exploited by malicious people to potentially compromise a user's system.



Subject: Microsoft Windows HTML Help File Processing Vulnerability

edubr2010 RE: Microsoft Windows HTML Help File Processing Vulnerability
Member 13th Mar, 2010 05:59
Score: 1
Posts: 3
User Since: 13th Mar 2010
System Score: N/A
Location: BR
Last edited on 13th Mar, 2010 05:59
Sorry, but this is a totally different vulnerability. If they addressed it in this other advisory then it is a mistake. This "HTML Help file processing" vulnerability here lies in a different help system, the HTML Help, not the old WinHelp. The vulnerability causes the incorrect CHM help file to be loaded if it resides in the same directory the application requesting help starts in and has the same name.

In the demonstration, I use Microsoft Notepad, so putting a notepad.chm file in the same directory as a TXT file will trigger the vuln when the user presses the F1 key. Also notice it bypasses the file open prompt Windows displays upon opening unsafe files on remote NetBIOS shares. In a local scenario the user only needs to press the F1 key to get arbitrary code executed on the system. On a remote NetBIOS share, the user needs to further click on a topic, which causes JavaScript to be parsed in the IE Local Machine zone. Since the Help window does not display a status bar or address bar, the user can be tricked into thinking the help file is the legitimate one located on the local disk, when actually it is not.
edubr2010 RE: Microsoft Windows HTML Help File Processing Vulnerability
Member 8th Mar, 2013 01:39
Score: 1
Posts: 3
User Since: 13th Mar 2010
System Score: N/A
Location: BR
*Important:*

Updated Advisory:

Not only the HTML Help Control (HHCTRL.OCX) is vulnerable but also the programs that invoke it, because both use relative paths and perform unsafe searches, looking for the help file first in the directory the affected program started in (working directory). Below are all the vectors on Windows XP SP3:

This is the first code execution vulnerability to affect MS Notepad and the pioneer of the "insecure library loading" vulnerability, because it uses the same technique; the difference is that here a CHM file is loaded instead of a DLL.

Below are the vectors, the safe type of file and the corresponding help file.


1) MS Notepad - Text documents (.TXT) - notepad.chm

2) Ms Data Access (oledb32.dll) - MS Data Link file (.UDL) - msdasc.chm

3) MS Help And Support Center (XP) - System Information file (.NFO) - msinfo32.chm

4) MS Clipboard Viewer - clipboard file (.CLP) - clipbrd.chm

5) MS Remote Desktop Connection Program - Remote Desktop Connection File (.RDP) - mstsc.chm

6) Hyper Terminal - Hyper Terminal file (.ht) - hypertrm.chm

The severity was changed to moderately critical thanks to a vulnerability in CHM files, discovered by Luigi Auriemma. It is a stack-based buffer overflow that is triggered when the CHM file is invoked, so the user does not have to click help topics inside the CHM file.

For more information about this vulnerability please see :

http://aluigi.altervista.org/adv/chm_1-adv.txt

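The comment above describes the defender-relevant pattern: an application help file (notepad.chm, mstsc.chm, ...) that legitimately lives only under the Windows Help directory turns up next to an ordinary data file on a share or in a user directory. The following scanner is an added example, not code from Secunia or from the commenter; it walks a directory tree, flags CHM files carrying one of the six help-file names listed in the comment when they sit outside a trusted help directory, and notes whether the matching "safe" file type is present in the same folder. The directory layout it scans is constructed inline for the demo, and the "ITSF" bytes are only a stand-in for file content.

```python
"""Scan for application help files (CHM) planted outside the trusted help directory.

Added example for this advisory thread; the layout below is constructed test data.
"""
import os
import tempfile
from pathlib import Path

# Help-file names and the data-file type that triggers them, as listed in the
# comment above. Each CHM normally exists only under %SystemRoot%\Help.
KNOWN_HELP_FILES = {
    "notepad.chm": ".txt",
    "msdasc.chm": ".udl",
    "msinfo32.chm": ".nfo",
    "clipbrd.chm": ".clp",
    "mstsc.chm": ".rdp",
    "hypertrm.chm": ".ht",
}


def scan_for_planted_chm(root, trusted_help_dirs):
    """Walk `root` and report CHM files with application help names that sit
    outside any of `trusted_help_dirs`.

    Returns a list of dicts with the file path, the help name matched and
    whether a file of the corresponding data type is in the same directory
    (the F1 trigger described in the comment).
    """
    trusted = {os.path.normcase(os.path.abspath(d)) for d in trusted_help_dirs}
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.normcase(os.path.abspath(dirpath)) in trusted:
            continue  # the legitimate location; nothing to flag here
        lower_names = [f.lower() for f in filenames]
        for name in filenames:
            low = name.lower()
            if low not in KNOWN_HELP_FILES:
                continue
            bait_ext = KNOWN_HELP_FILES[low]
            findings.append({
                "path": os.path.join(dirpath, name),
                "help_name": low,
                # True when a data file of the triggering type shares the folder
                "bait_present": any(f.endswith(bait_ext) for f in lower_names),
            })
    return findings


def build_sample_tree():
    """Constructed directory layout for the demo (hypothetical, not real data)."""
    base = Path(tempfile.mkdtemp(prefix="chm_scan_"))
    (base / "Help").mkdir()
    (base / "Help" / "notepad.chm").write_bytes(b"ITSF")      # legitimate copy
    docs = base / "share" / "docs"
    docs.mkdir(parents=True)
    (docs / "readme.txt").write_text("hello")
    (docs / "notepad.chm").write_bytes(b"ITSF")               # planted next to a .txt
    (base / "share" / "mstsc.chm").write_bytes(b"ITSF")       # planted, no .rdp beside it
    return base


def demo():
    """Build the sample tree and scan it, treating <base>/Help as trusted."""
    base = build_sample_tree()
    return scan_for_planted_chm(base, [base / "Help"])


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real system the trusted directory would be `%SystemRoot%\Help`, and the scan root a file share or user profile; a hit with `bait_present` set is the exact layout the comment describes and is worth removing or quarantining before anyone presses F1.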
