[12874] in bugtraq
Local user can fool another to run executable. .CNT/.GID/.HLP
daemon@ATHENA.MIT.EDU (Pauli Ojanpera)
Tue Dec 7 12:22:34 1999
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-Id: <19991207075545.19474.qmail@hotmail.com>
Date: Tue, 7 Dec 1999 08:55:45 CET
Reply-To: Pauli Ojanpera <pauli_ojanpera@HOTMAIL.COM>
From: Pauli Ojanpera <pauli_ojanpera@HOTMAIL.COM>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Windows help system uses a HELPFILE.CNT file as table of contents
metafile for creating HELPFILE.GID which is needed to view table of contents
for HELPFILE.HLP.
If you delete previously created HELPFILE.GID and edit HELPFILE.CNT, you can
change a topic action to run an executable instead of viewing
help for that topic. When victim user uses help system and chooses
the infected topic, help system runs an executable from path.
Example:
- Delete C:\Program Files\Microsoft Office\Office\WDMAIN8.GID
(kill winhlp32.exe process if necessary)
- Edit C:\Program Files\Microsoft Office\Office\WDMAIN8.CNT
which is a text file. You should change the line which has
something like:
3 Word 97 new features=woidxWhatsNewInMicrosoftWord97@wdnew8.hlp>REF
to read:
3 Word 97 new features=!EF("CMD.EXE","",1)
- Run WinWord and select Help|Contents from menubar.
- Find topic "Word 97 new features" and select it.
- You should see CMD.EXE to run.
BTW that :Title tag in .CNT files has a kind of buffer overflow. Buffer size
is ~256 bytes. I think it triggers when the created
.GID file is opened.
______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com
