securityvulns SECURITYVULNS:DOC:11358
Feb 10, 2006 - 12:00 a.m.

vuln & p0c

vulners.com

/*
/ Unl0ck Research Team Security Advisory
\
/ product: HTML Help Workshop (1994-1999)
\ bug : stack overflow
/ vendor : Microsoft Corp. (http://microsoft.com)
\ date : 08.02.06
/ author : darkeagle
\

/ Info:
\ A stack-based buffer overflow was found in HTML Help Workshop (HTML HW).
/ HTML HW crashes when a user opens a specially crafted .hhp file.
\

/ Details:
\ HTML HW uses the "wsprintfA" procedure to copy tag arguments.
/ A researcher known as "bratax" released an advisory about
\ one bug in HTML HW; that bug concerned incorrect parsing of the
/ "Contents file" tag.
\ This bug concerns incorrect parsing of the "Compiled file" tag.
/ A specially crafted .hhp file with a long "Compiled file" argument
\ can crash HTML HW (or execute code).

/// USER32.wsprintfA usage (call site in hhw.exe)
0041C5BF |. 50 PUSH EAX
0041C5C0 |. 68 B8964300 PUSH hhw.004396B8 ; ASCII "Compiled file="
0041C5C5 |. FFB3 D4000000 PUSH DWORD PTR DS:[EBX+D4]
0041C5CB |. E8 57060000 CALL hhw.0041CC27
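Added example, not code from the advisory or from hhw.exe: a bounded parser for the "Compiled file=" entry that refuses an over-long value instead of copying it into a fixed stack buffer, plus a pre-open scanner over .hhp text. The 260-byte buffer size, the hhp_* function names and the sample project texts are assumptions and constructed data, not taken from the product.

```c
/* Added example, not the advisory's or Microsoft's code: bounded parsing of the
 * .hhp "Compiled file=" entry and a scanner flagging over-long values. The
 * 260-byte destination size is an assumption (MAX_PATH), not hhw.exe's. */
#include <stdio.h>
#include <string.h>
#define HHP_VALUE_MAX 260 /* assumed destination buffer size */

/* Returns 1 (value copied) if `line` is "Compiled file=<value>" and it fits in
 * out[outlen]; 0 if the key differs; -1 if the value would overflow. */
int hhp_compiled_file(const char *line, char *out, size_t outlen)
{
    static const char key[] = "Compiled file=";
    size_t klen = sizeof key - 1;
    if (strncmp(line, key, klen) != 0)
        return 0;
    const char *val = line + klen;
    size_t vlen = strcspn(val, "\r\n");            /* value ends at end of line */
    if (vlen >= outlen)                             /* refuse, do not overflow */
        return -1;
    snprintf(out, outlen, "%.*s", (int)vlen, val);  /* length-bounded copy */
    return 1;
}

/* Counts "Compiled file=" values in an .hhp text too long for a HHP_VALUE_MAX
 * buffer: a pre-open check for project files handed to old tools. */
int hhp_count_oversized(const char *text)
{
    int bad = 0;
    char buf[HHP_VALUE_MAX];
    for (const char *p = text; *p; ) {
        if (hhp_compiled_file(p, buf, sizeof buf) == -1)
            bad++;
        const char *nl = strchr(p, '\n');
        if (!nl) break;
        p = nl + 1;
    }
    return bad;
}

/* Parses one line into a HHP_VALUE_MAX buffer; 1 if the value equals `expect`. */
int hhp_roundtrip(const char *line, const char *expect)
{
    char out[HHP_VALUE_MAX];
    return hhp_compiled_file(line, out, sizeof out) == 1 && !strcmp(out, expect);
}
/* Constructed (not real) .hhp texts: a normal one, and one with a 320-byte value. */
#define A32 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
static const char HHP_OK[] = "[OPTIONS]\nCompiled file=help.chm\nContents file=toc.hhc\n";
static const char HHP_LONG[] = "[OPTIONS]\nCompiled file=" A32 A32 A32 A32 A32 A32 A32 A32 A32 A32 "\nContents file=toc.hhc\n";
```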

/ PoC:
\ Proof of Concept code can be downloaded from http://eagle.blacksecurity.org

/ Greets:
\ rst/ghc { ed, uf0, fost },
uKt { choix, nekd0, payhash, antq },
blacksecurity { #black } ,
0x557 { kaka, swan, sam, nolife },
sowhat, tty64 { izik };
/
\
/ (c) 2004 [-] 2006
\
*/