
NT Help File Attack - 06 Dec 1999

Windows NT Help File Attack

Reported December 7, 1999 by Pauli Ojanpera
VERSIONS AFFECTED
  • Windows NT 4.0

DESCRIPTION

The Windows help system uses HELPFILE.CNT as the table-of-contents metafile from which it creates HELPFILE.GID, which is needed to view the table of contents for HELPFILE.HLP.

If you delete the previously created HELPFILE.GID and edit HELPFILE.CNT, you can change a topic action to run an executable instead of viewing help for that topic. When the victim user uses the help system and chooses the infected topic, the help system runs an executable from the path.

BTW, the :Title tag in .CNT files has a kind of buffer overflow. The buffer size is ~256 bytes. I think it triggers when the created .GID file is opened.


DEMONSTRATION

1) Delete C:\Program Files\Microsoft Office\Office\WDMAIN8.GID
(kill winhlp32.exe process if necessary)

2) Edit C:\Program Files\Microsoft Office\Office\WDMAIN8.CNT, which is a text file. You should change the line that has something like:

3)  3 Word 97 new [email protected]>REF

to read:

3 Word 97 new features=!EF("CMD.EXE","",1)

4) Run WinWord and select Help|Contents from menubar.
5) Find topic "Word 97 new features" and select it.
6) You should see CMD.EXE run.

DEFENSE

David LeBlanc commented on BugTraq:

"I don't think you have to delete the .gid file for this to happen - it is just an index for the find feature. I used to write help systems, and am very familiar with what can be done from a help system. .hlp and .cnt files can both be used in a number of ways to make system calls and to execute arbitrary binaries, as well as call into DLLs. I can also call one .hlp file from another, and IIRC, can call more than one .hlp file from a given .cnt file (which is a text file and easily edited).

If you have a multi-user system, you need to secure all .hlp and .cnt files the same as you would .exe files. If you're worried about .gid files, open the associated .hlp file, choose "find", create the database, and then secure it."

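A defender-side check for the .CNT risks described above (a topic action that is a macro call instead of a topic id, a topic that points into a second .hlp file, and an oversized :Title line), as an added Python example that is not from the advisory or from Microsoft. It assumes the .CNT line syntax `level title=topic[@helpfile][>window]` shown in the demonstration, and a 255-byte safe length derived from the "~256 bytes" figure; the sample .CNT content is constructed.

```python
import re

# Constructed sample .CNT content (not from the advisory); line 5 mirrors the
# advisory's modified topic, line 7 points at a second .HLP file.
SAMPLE_CNT = """:Base WDMAIN8.HLP
:Title Microsoft Word Help
1 Getting started
2 What's new
3 Word 97 new features=!EF("CMD.EXE","",1)
3 Word 97 tour=WordTour@WDMAIN8.HLP>REF
3 Remote topic=Intro@OTHER.HLP
"""

# Topic line: <level> <title>=<action>; the title part contains no '='.
TOPIC_RE = re.compile(r'^(\d+)\s+([^=]*)=(.*)$')
TITLE_LIMIT = 255  # assumed safe length, from the advisory's "~256 bytes"

def parse_action(action):
    """Split 'topic[@helpfile][>window]' into (topic, helpfile, window)."""
    window = helpfile = None
    if '>' in action:
        action, window = action.split('>', 1)
    if '@' in action:
        action, helpfile = action.split('@', 1)
    return action, helpfile, window

def scan_cnt(text):
    """Return (line_no, reason, detail) for every suspicious .CNT line."""
    findings = []
    base = None
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.startswith(':Base'):
            base = line[5:].strip().upper()
        elif line.startswith(':Title'):
            title = line[6:].strip()
            # WinHelp is an ANSI application, so measure the encoded length.
            if len(title.encode('cp1252', 'replace')) > TITLE_LIMIT:
                findings.append((line_no, 'oversized :Title', len(title)))
        else:
            m = TOPIC_RE.match(line)
            if not m:
                continue
            action = m.group(3).strip()
            if action.startswith('!'):
                # A '!' action is a WinHelp macro call rather than a topic id.
                findings.append((line_no, 'macro topic action', action))
                continue
            _, helpfile, _ = parse_action(action)
            if helpfile and helpfile.upper() != base:
                findings.append((line_no, 'topic in other help file', helpfile))
    return findings
```

Run `scan_cnt(open(path).read())` over each .cnt file under an inventory of help directories; any 'macro topic action' finding is the condition this advisory describes.
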
VENDOR RESPONSE

Microsoft is aware of this issue, however no official comments have come forth to date.

CREDITS

Discovered by Pauli Ojanpera