[12880] in bugtraq


Re: Local user can fool another to run executable. .CNT/.GID/.HLP

daemon@ATHENA.MIT.EDU (Jay Sherry)
Wed Dec 8 12:53:31 1999

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.GSO.4.10.9912071300300.22917-100000@u3.farm.idt.net>
Date:         Tue, 7 Dec 1999 13:01:41 -0500
Reply-To: Jay Sherry <jsherry@IDT.NET>
From: Jay Sherry <jsherry@IDT.NET>
X-To:         Pauli Ojanpera <pauli_ojanpera@HOTMAIL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <19991207075545.19474.qmail@hotmail.com>

I tried this exploit on my machine. It does not work when you run the help
system topic. And Microsoft must know about this, because the "What's New in
Word 97" topic is not in the help file; it is in the Wdman8.cnt file.

On Tue, 7 Dec 1999, Pauli Ojanpera wrote:

> The Windows help system uses a HELPFILE.CNT file as a table-of-contents
> metafile for creating HELPFILE.GID, which is needed to view the table of contents
> for HELPFILE.HLP.
>
> If you delete the previously created HELPFILE.GID and edit HELPFILE.CNT, you can
> change a topic action to run an executable instead of viewing
> help for that topic. When the victim user uses the help system and chooses
> the infected topic, the help system runs an executable from the path.
>
> Example:
>
> - Delete C:\Program Files\Microsoft Office\Office\WDMAIN8.GID
> (kill winhlp32.exe process if necessary)
>
> - Edit C:\Program Files\Microsoft Office\Office\WDMAIN8.CNT
> which is a text file. You should change the line which has
> something like:
>
> 3 Word 97 new features=woidxWhatsNewInMicrosoftWord97@wdnew8.hlp>REF
>
> to read:
>
> 3 Word 97 new features=!EF("CMD.EXE","",1)
>
> - Run WinWord and select Help|Contents from menubar.
> - Find topic "Word 97 new features" and select it.
> - You should see CMD.EXE run.
>
> BTW that :Title tag in .CNT files has a kind of buffer overflow. Buffer size
> is ~256 bytes. I think it triggers when the created
> .GID file is opened.
>
>
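As an added defensive check, not code from either poster or from Microsoft: a small Python scanner that walks the text of a .CNT table-of-contents file and flags topic entries whose action is a program-launching WinHelp macro, such as the !EF (ExecFile) call shown in the quoted example, as well as :Title lines longer than the ~256 bytes the post mentions. The sample .CNT text below is constructed for the example; the macro names other than EF/ExecFile come from WinHelp's documented macro set and are an assumption about what is worth flagging, not something the thread states.

```python
import re

# Constructed sample .CNT content modelled on the quoted example; not a real file from disk.
SAMPLE_CNT = """:Base wdmain8.hlp
:Title Microsoft Word Help
1 Getting Started
2 Word 97 new features=woidxWhatsNewInMicrosoftWord97@wdnew8.hlp>REF
2 Tampered topic=!EF("CMD.EXE","",1)
2 Another tampered topic=!ExecProgram("calc.exe", 1)
"""

# WinHelp macros that launch external code. EF/ExecFile is the one the post shows;
# the others are assumed from WinHelp's macro set (short and long names).
EXEC_MACROS = {
    "EF", "EXECFILE",
    "EP", "EXECPROGRAM",
    "SE", "SHELLEXECUTE",
    "RR", "REGISTERROUTINE",
}

# Approximate :Title buffer size mentioned in the post.
TITLE_LIMIT = 256

# A .CNT topic line: "<level> <label>=<action>"; the action is either a topic
# reference (id@file.hlp>window) or a macro introduced by "!".
TOPIC_RE = re.compile(r"^\s*(\d+)\s+(.*?)=(.*)$")
MACRO_RE = re.compile(r"^!\s*([A-Za-z]+)\s*\(")


def scan_cnt(text):
    """Return a list of findings (dicts) for suspicious lines in .CNT text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()

        # Oversized :Title value, the overflow condition the post alludes to.
        if stripped.startswith(":Title"):
            title = stripped[len(":Title"):].strip()
            if len(title.encode("latin-1", "replace")) > TITLE_LIMIT:
                findings.append({
                    "kind": "oversized-title",
                    "line": lineno,
                    "length": len(title),
                })
            continue

        m = TOPIC_RE.match(line)
        if not m:
            continue
        level, label, action = m.groups()
        macro = MACRO_RE.match(action.strip())
        if macro and macro.group(1).upper() in EXEC_MACROS:
            findings.append({
                "kind": "exec-macro",
                "line": lineno,
                "level": int(level),
                "label": label.strip(),
                "macro": macro.group(1),
                "action": action.strip(),
            })
    return findings


def scan_cnt_file(path):
    """Scan a .CNT file on disk; the format is plain text, so read it as such."""
    with open(path, "r", encoding="latin-1") as fh:
        return scan_cnt(fh.read())


if __name__ == "__main__":
    for f in scan_cnt(SAMPLE_CNT):
        print(f)
```

Run it against the .CNT files under an Office or Windows help directory and compare the output with a known-good copy; a topic whose action turns from an @file.hlp reference into a macro call is the change the post describes, and a .GID file that is missing or newer than its .CNT is the sign that the contents will be regenerated from the edited text.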
