Microsoft Windows winhlp32.exe Heap Overflow Vulnerability

Vulnerability ID: 1108388
Vulnerability type: Boundary condition error
Published: 2004-12-23
Updated: 2006-04-24
CVE: CVE-2004-1306
CNNVD ID: CNNVD-200412-244
Platform: Windows
CVSS score: 5.1
|Vulnerability sources
https://www.exploit-db.com/exploits/25049
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-244
|Vulnerability details
Microsoft Windows is a commercial windowing operating system. winhlp32.exe in Microsoft Windows contains a heap overflow when it parses .hlp files; a remote attacker can exploit it to execute arbitrary instructions on the system with the privileges of the user's process.

When an .hlp file is phrase-compressed, it contains an internal file named phrase. This phrase file consists of a phrase header followed by phrase tables. The phrase header is located at offset 0x19 in the .hlp file and is defined as follows:

    unsigned short wNumberOfPhrases;
    unsigned short wOneHundred;   // 0x0100
    long decompressedsize;

The phrase table immediately follows the phrase header. Each table entry occupies 4 bytes and has two fields, phrasesHeadOffset and phrasesEndOffset, both of type unsigned short, which give the offsets of the start and the end of a phrase.

The function that processes the phrase table takes 3 parameters (on Chinese Windows 2000 SP4 this function is at address 0x0100A1EF): the 3rd parameter is a pointer to the phrase header, and the 2nd parameter points to a heap buffer used to hold the phrase data. However, when computing the data length the function never checks whether that length is valid, so a crafted .HLP file can overwrite the heap memory pointed to by the 2nd parameter. The analysis of this function follows:

    0100A1EF sub_100A1EF proc near      ; CODE XREF: sub_100A14C+6Fp
    .text:0100A1EF
    .text:0100A1EF arg_0 = dword ptr 4
    .text:0100A1EF arg_4 = dword ptr 8
    .text:0100A1EF arg_8 = dword ptr 0Ch
    .text:0100A1EF
    .text:0100A1EF mov eax, [esp+arg_8]           ; arg_8 points to the phrase header
    .text:0100A1F3 push ebx
    .text:0100A1F4 push esi
    .text:0100A1F5 push edi
    .text:0100A1F6 movzx edx, word ptr [eax+2]    ; [eax+2] -> wOneHundred
    .text:0100A1FA mov ecx, [eax+0Ch]             ; [eax+0Ch] -> phrase table
    .text:0100A1FD mov eax, [esp+0Ch+
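The following is an added example, not code from the advisory or from Microsoft, showing the bounds check the phrase-table routine described above lacks: it reads the header at offset 0x19 and the 4-byte entries, and refuses to report a copy length that runs past the file, past decompressedsize, or past the destination heap buffer. It assumes the head/end offsets are relative to the start of the phrase header (the page does not state the base) and uses a constructed two-phrase sample.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PHRASE_HDR_OFFSET 0x19  /* phrase header position stated in the advisory; header is 8 bytes */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Walk the phrase table and return how many phrase bytes may be copied into a dst_len-byte
 * heap buffer, or -1 if any field is out of range. Offsets are assumed (the page does not say)
 * to be relative to the start of the phrase header. */
int phrase_table_length(const uint8_t *file, size_t file_len, size_t dst_len)
{
    if (file_len < PHRASE_HDR_OFFSET + 8) return -1;
    const uint8_t *hdr = file + PHRASE_HDR_OFFSET;
    size_t region = file_len - PHRASE_HDR_OFFSET;         /* bytes from header to end of file */
    uint16_t n = rd16(hdr);                                /* wNumberOfPhrases */
    if (rd16(hdr + 2) != 0x0100) return -1;                /* wOneHundred */
    uint32_t decomp = rd32(hdr + 4);                       /* decompressedsize */
    if (8 + (size_t)n * 4 > region) return -1;             /* table itself must fit in the file */
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *e = hdr + 8 + i * 4;
        uint16_t head = rd16(e), end = rd16(e + 2);        /* phrasesHeadOffset, phrasesEndOffset */
        if (end < head || end > region) return -1;         /* entry points outside the file */
        total += end - head;
        if (total > decomp || total > dst_len) return -1;  /* the length check winhlp32 omitted */
    }
    return (int)total;
}

/* Constructed sample: 0x19 filler bytes, header, two table entries, 8 bytes of phrase data. */
int check_sample(uint16_t h0, uint16_t e0, uint16_t h1, uint16_t e1, uint32_t decomp, size_t dst_len)
{
    uint8_t buf[PHRASE_HDR_OFFSET + 8 + 2 * 4 + 8] = {0};
    uint8_t *hdr = buf + PHRASE_HDR_OFFSET;
    wr16(hdr, 2); wr16(hdr + 2, 0x0100); wr32(hdr + 4, decomp);
    wr16(hdr + 8, h0); wr16(hdr + 10, e0); wr16(hdr + 12, h1); wr16(hdr + 14, e1);
    return phrase_table_length(buf, sizeof buf, dst_len);
}

int main(void)
{   /* prints "8 -1": a well-formed table, then one whose last entry runs past the file */
    printf("%d %d\n", check_sample(16, 20, 20, 24, 8, 8), check_sample(16, 20, 20, 0xFFFF, 8, 8));
    return 0;
}
```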
|Vulnerability EXP
source: http://www.securityfocus.com/bid/12091/info

Microsoft Windows is prone to an integer overflow vulnerability. This issue exists in 'winhlp32.exe' and is exposed when a malformed phrase-compressed Windows Help file (.hlp) is processed by the program.

Successful exploitation may allow execution of arbitrary code in the context of the user that opens the malicious Help file. The Help file may originate from an external or untrusted source, so this vulnerability is considered remote in nature.

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/25049.gz
|References

Source: XF
Name: win-winhlp32-bo (18678)
Link: http://xforce.iss.net/xforce/xfdb/18678
Source: www.xfocus.net
Link: http://www.xfocus.net/flashsky/icoExp/
Source: BID
Name: 12092
Link: http://www.securityfocus.com/bid/12092
Source: BUGTRAQ
Name: 20041223 Microsoft Windows winhlp32.exe Heap Overflow Vulnerability
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=110383690219440&w=2
Source: NSFOCUS
Name: 7292
Link: http://www.nsfocus.net/vulndb/7292