
eEye Advisory - EEYEB-20050316 - HTML Help File Parsing Buffer Overflow
Thursday, 16 June 2005
Systems Affected:
Windows 98 / 98 SE
Windows Me
Windows 2000 Service Pack 3 / Service Pack 4
Windows XP Service Pack 1 / Service Pack 2
Windows XP 64-Bit Itanium SP 1
Windows XP 64-Bit Itanium 2003
Windows XP Professional x64 Edition
Windows 2003 Server / Service Pack 1
Windows 2003 for Itanium / Service Pack 1
Windows 2003 x64 Edition

Overview:
eEye Digital Security has discovered a vulnerability in the way various versions of Windows handle Windows Help (.CHM) files. If exploited, this vulnerability allows a remote attacker to execute arbitrary code. A malicious .CHM file can be opened by Internet Explorer without user interaction by using the "ms-its" protocol specification; for example:

ms-its:\server\file.chm:/label.htm

This vulnerability affects any application that uses the Windows Help component of Internet Explorer internally.


Technical Details:
A CHM file can be specially crafted in order to cause a heap overflow, leading to one of the following exploitable situations:

(1) 1A40C0DD call dword ptr [ecx+18h] : we can control ECX, EAX points to our buffer

(2) 717AA58C call dword ptr [ecx+4] : we can control ECX, EAX points to our buffer

(3) 77F8C7A9 mov dword ptr [ecx],eax : we can control ECX and EAX, EDI points to our buffer

This heap overflow is caused by an integer overflow in a size field. Specifying a very large DWORD value (e.g., 0xFFFFFFFD) in this field wraps the computed size, so the subsequent copy overruns the allocated buffer: an excessive memory copy overwrites all contiguous heap memory until it eventually reaches a page boundary.
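The size-field wrap described above, as an added example that is not eEye's or Microsoft's code and does not use the real CHM/ITSS record layout: a hypothetical record parser computes its allocation size the vulnerable way beside a hardened check that rejects lengths which would wrap or exceed the data present. REC_HEADER, the record layout and the sample bytes are constructed for illustration.

```c
/* Added example: 32-bit size-field overflow pattern and its mitigation. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REC_HEADER 8u   /* hypothetical: 4-byte size field + 4-byte tag */

/* Vulnerable arithmetic: declared + header computed in 32 bits.
 * For declared = 0xFFFFFFFD the sum wraps to 5, so a tiny buffer would be
 * allocated while a later copy still trusts the huge declared length. */
uint32_t vuln_alloc_size(uint32_t declared)
{
    return declared + REC_HEADER;
}

/* Hardened: refuse sizes that wrap or claim more bytes than the file holds.
 * Returns 1 and stores the total size on success, 0 on rejection. */
int safe_alloc_size(uint32_t declared, size_t available, uint32_t *out)
{
    if (declared > UINT32_MAX - REC_HEADER) return 0;  /* would wrap */
    if (declared > available) return 0;               /* exceeds input */
    *out = declared + REC_HEADER;
    return 1;
}

/* Parse one record: decode the little-endian size field, validate it, then
 * copy the payload. Returns payload bytes copied, or -1 if rejected. */
long parse_record(const uint8_t *buf, size_t len, uint8_t *dst, size_t dstlen)
{
    uint32_t declared, size;
    if (len < REC_HEADER) return -1;
    declared = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
               ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
    if (!safe_alloc_size(declared, len - REC_HEADER, &size)) return -1;
    if ((size_t)declared > dstlen) return -1;         /* destination bound */
    memcpy(dst, buf + REC_HEADER, declared);
    return (long)declared;
}

/* Constructed samples: a record with size field 0xFFFFFFFD and a sane one. */
static const uint8_t BAD_REC[12]  = {0xFD,0xFF,0xFF,0xFF, 'I','T','S','F', 1,2,3,4};
static const uint8_t GOOD_REC[12] = {0x04,0x00,0x00,0x00, 'I','T','S','F', 1,2,3,4};
static uint8_t scratch[16];

int main(void)
{
    printf("wrapped size: %u\n", vuln_alloc_size(0xFFFFFFFDu));
    printf("bad record: %ld\n", parse_record(BAD_REC, sizeof BAD_REC, scratch, sizeof scratch));
    printf("good record: %ld\n", parse_record(GOOD_REC, sizeof GOOD_REC, scratch, sizeof scratch));
    return 0;
}
```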

Protection:
Retina Network Security Scanner has been updated to identify this vulnerability. Blink Endpoint Protection defends against this vulnerability.

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is available at:
http://www.microsoft.com/technet/security/bulletin/MS05-026.mspx

Credit:
Discovery: Yuji Ukai

Related Links:

Retina Network Security Scanner - Free 15 Day Trial
http://www.eeye.com/html/products/retina/download/index.html

Retina Network Security Scanner - Japanese Edition
http://www.sse.co.jp/eeye/index.html

Greetings:
SSE Retina Team, All attendees of the workshop at Triton Square,
WAIGAYA@Ichigaya