Re: [Full-disclosure] info about recent Ms issue
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] info about recent Ms issue
- From: "KF (lists)" <kf_lists@xxxxxxxxxxxxxxxxxxx>
- Date: Fri, 14 Apr 2006 12:44:04 -0400
http://www.open-security.org/advisories/15
/*
*****************************************************************************************************************
$ An open security advisory #15 - Windows Help Heap Overflow
*****************************************************************************************************************
1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com -+- www.open-security.org
2: Bug Released: March 31st 2006
3: Bug Impact Rate: Undefined
4: Bug Scope Rate: Local / Remote in cases
*****************************************************************************************************************
$ This advisory and/or proof of concept code must not be used for commercial gain.
*****************************************************************************************************************
Windows Help
www.microsoft.com
There is a heap based buffer overflow in the rendering engine of .hlp files in winhlp32.exe which will allow some attacker the possibility of modifying the internal structure of the process with a means to execute arbitrary and malicious code.
By modifying the value of an image embedded within a .hlp file (tested with ? image and [] button images), it is possible to trigger this bug and overflow a static buffer that is defined for data sections of the .hlp file. This grants the attacker the ability to perform an overwrite of block(n) and the following blocks' control data.
I thought this was an April Fools' but it's a day too early :) Microsoft decided to reject this issue as Windows Help is a scriptable environment and as such should not be trusted, as a malicious person could add this said "script" to .hlp files which would execute "stuff" on the user's system. Therefore I release this Heap Overflow as another untrustable issue with this Microsoft product.
I met some Microsoft Security Auditor guys at Blackhat, Alex and some dude called Skylined --- sorry that I didn't mention this bug or the one in hh.exe and t3h ebUl.chm, I was selling out to get the iDefense bug bounty, but alas it backfired. I could have done with $10000 but ho hum, you win some you lose some :-)
*/
-KF
snowmo@xxxxxxxxx wrote:
Hi, I recently read an exploit for an MS issue in which the author apologised to some people he had met at a sec. conference for not disclosing the vulnerability at that time because he was holding out for the iDefense bounty.
I can't find the exploit now and was wondering if anyone else had read this and can point me in the right direction.
Thanks.
Moe.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/