Message-ID: <443FD154.6090805@digitalmunition.com>
Date: Fri Apr 14 17:44:23 2006
From: kf_lists at digitalmunition.com (KF (lists))
Subject: info about recent Ms issue

http://www.open-security.org/advisories/15

/*
 *****************************************************************************************************************
  $ An open security advisory #15 - Windows Help Heap Overflow
 *****************************************************************************************************************
  1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com -+- www.open-security.org
  2: Bug Released: March 31st 2006
  3: Bug Impact Rate: Undefined
  4: Bug Scope Rate: Local / Remote in cases
 *****************************************************************************************************************
  $ This advisory and/or proof of concept code must not be used for commercial gain.
 *****************************************************************************************************************

 Windows Help
 www.microsoft.com


 There is a heap based buffer overflow in the rendering engine of .hlp files in winhlp32.exe which will allow an
 attacker the possibility of modifying the internal structure of the process with a means to execute arbitrary and
 malicious code.

 By modifying the value of an image embedded within a .hlp file (tested with ? image and [] button images), it is
 possible to trigger this bug and overflow a static buffer that is defined for data sections of the .hlp file. This
 grants the attacker the ability to perform an overwrite of block(n) and the following blocks' control data.

 I thought this was an April Fools' joke, but it's a day too early :) Microsoft decided to reject this issue as Windows Help
 is a scriptable environment and as such should not be trusted, as a malicious person could add this said "script"
 to .hlp files which would execute "stuff" on the user's system. Therefore I release this heap overflow as another
 untrustable issue with this Microsoft product.

 I met some Microsoft Security Auditor guys at Blackhat, Alex and some dude called Skylined --- sorry that I didn't
 mention this bug or the one in hh.exe and t3h ebUl.chm; I was selling out to get the iDefense bug bounty, but alas it
 backfired. I could have done with $10000, but ho hum, you win some you lose some :-)

*/


-KF
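As an added, simplified model of the defect class the advisory describes (this is not winhlp32's code, and the block layout, field names and 24-byte "image record" are hypothetical, since the advisory gives no format details): two adjacent blocks in a flat arena, a record whose length comes from the file, and the copy that trusts that length beside one that checks it against the static data capacity. It shows how an oversized record lands on block(n+1)'s control data, and how the length check prevents it.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical layout, for illustration only: a flat arena holding block(0) at
 * offset 0 and block(1) at BLOCK_SZ; each block is 8 bytes of control data
 * (next_off, used) followed by a DATA_CAP-byte static data area. */
enum { BLOCK_HDR = 8, DATA_CAP = 16, BLOCK_SZ = BLOCK_HDR + DATA_CAP, REC_LEN = 24 };
struct arena { uint8_t mem[2 * BLOCK_SZ]; };

static void put_u32(uint8_t *p, uint32_t v) { memcpy(p, &v, sizeof v); }
static uint32_t get_u32(const uint8_t *p) { uint32_t v; memcpy(&v, p, sizeof v); return v; }
void arena_init(struct arena *a) {
    memset(a->mem, 0, sizeof a->mem);
    put_u32(a->mem, BLOCK_SZ);                /* block(0).next_off -> block(1) */
    put_u32(a->mem + BLOCK_SZ, 0xFFFFFFFFu);  /* block(1).next_off: end-of-chain sentinel */
}
uint32_t block_next_off(const struct arena *a, int n) { return get_u32(a->mem + n * BLOCK_SZ); }

/* Vulnerable pattern: a record length read from the file is copied into block(0)'s
 * static data area with no bound against DATA_CAP, so the tail of the record lands
 * on block(1)'s control data. */
void load_image_unchecked(struct arena *a, const uint8_t *rec, uint32_t len) {
    memcpy(a->mem + BLOCK_HDR, rec, len);
    put_u32(a->mem + 4, len);                 /* block(0).used */
}

/* Hardened: validate before the copy. Returns 0 on success, -1 if rejected. */
int load_image_checked(struct arena *a, const uint8_t *rec, uint32_t len) {
    if (len > DATA_CAP) return -1;
    memcpy(a->mem + BLOCK_HDR, rec, len);
    put_u32(a->mem + 4, len);
    return 0;
}

/* Feed a constructed REC_LEN-byte record (all 'A', larger than DATA_CAP) through
 * either loader and report block(1).next_off afterwards. REC_LEN is small enough that
 * even the unchecked copy stays inside the arena, so the model itself is well defined. */
int demo(int checked, uint32_t *next_off_out) {
    struct arena a;
    uint8_t rec[REC_LEN];
    memset(rec, 'A', sizeof rec);
    arena_init(&a);
    int rc = 0;
    if (checked) rc = load_image_checked(&a, rec, sizeof rec);
    else         load_image_unchecked(&a, rec, sizeof rec);
    *next_off_out = block_next_off(&a, 1);    /* 0x41414141 unchecked, 0xFFFFFFFF checked */
    return rc;
}
uint32_t demo_next_off(int checked) { uint32_t n; demo(checked, &n); return n; }
```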


snowmo@...ine.ie wrote:

> Hi,  I recently read an exploit for an MS issue in which the author 
> apologised to some people he had met at a sec. conference for not 
> disclosing the vulnerability at that time because he was holding out 
> for the iDefense bounty.
>   I can't find the exploit now and was wondering if anyone else had 
> read this and can point me in the right direction.
>
> thanks.
> Moe.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
