[12882] in bugtraq


Re: Local user can fool another to run executable. .CNT/.GID/.HLP

daemon@ATHENA.MIT.EDU (David LeBlanc)
Wed Dec 8 13:06:14 1999

Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id:  <3.0.3.32.19991207110307.03f904a0@mail.mindspring.com>
Date:         Tue, 7 Dec 1999 11:03:07 -0800
Reply-To: David LeBlanc <dleblanc@MINDSPRING.COM>
From: David LeBlanc <dleblanc@MINDSPRING.COM>
X-To:         Pauli Ojanpera <pauli_ojanpera@HOTMAIL.COM>,
              BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <19991207075545.19474.qmail@hotmail.com>

At 08:55 AM 12/7/99 CET, Pauli Ojanpera wrote:

>If you delete the previously created HELPFILE.GID and edit HELPFILE.CNT, you can
>change a topic action to run an executable instead of viewing
>help for that topic. When the victim user uses the help system and chooses
>the infected topic, the help system runs an executable from the path.

I don't think you have to delete the .gid file for this to happen - it is
just an index for the find feature.  I used to write help systems, and am
very familiar with what can be done from a help system.  .hlp and .cnt
files can both be used in a number of ways to make system calls and to
execute arbitrary binaries, as well as call into DLLs.  I can also call one
.hlp file from another, and IIRC, can call more than one .hlp file from a
given .cnt file (which is a text file and easily edited).

If you have a multi-user system, you need to secure all .hlp and .cnt files
the same as you would .exe files.  If you're worried about .gid files, open
the associated .hlp file, choose 'find', create the database, and then
secure it.

>BTW that :Title tag in .CNT files has a kind of buffer overflow. Buffer size
>is ~256 bytes. I think it triggers when the created
>.GID file is opened.

I think that this may be the same bug as David Litchfield reported some
time ago, and which was fixed a while back.  Could you or David please
confirm whether it is the same bug or not?


David LeBlanc
dleblanc@mindspring.com
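As an added example (not code from the original post or thread), a small audit that reads a .cnt file and flags the entries discussed above: macro entries that start programs or load DLLs, and entries that pull in other .hlp/.cnt files. The macro names are taken from the WinHelp macro reference; the sample .cnt content is constructed.

```python
import re

# Macros from the WinHelp macro reference that start programs or load DLL code
# (long and short names). Added example with constructed data, not the post's code.
RISKY_MACROS = {"execprogram", "ep", "execfile", "ef",
                "registerroutine", "rr", "shellexecute", "se"}
ENTRY_RE = re.compile(r"^\d+\s+(.*?)=(.*)$")   # "level title=target"
MACRO_RE = re.compile(r"([A-Za-z]+)\s*\(")      # macro name before "("

def audit_cnt(text):
    """One finding per .cnt line that can run code or pull in another file."""
    findings, base_hlp = [], ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank or comment line
        if line[0] == ":":                # directive: :Base, :Link, :Include, ...
            key, _, value = line[1:].partition(" ")
            if key.lower() == "base":
                base_hlp = value.strip().lower()
            elif key.lower() in {"link", "include", "index"}:
                findings.append((lineno, "external-file", value.strip()))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        target = m.group(2).strip()
        if target.startswith("!"):        # "!" marks a macro instead of a topic
            names = {n.lower() for n in MACRO_RE.findall(target)}
            risky = sorted(names & RISKY_MACROS)
            findings.append((lineno, "macro-risky" if risky else "macro",
                             ", ".join(risky) or target))
        elif "@" in target:               # topic_id@other.hlp jumps to another file
            other = target.split("@", 1)[1].split(">", 1)[0].strip()
            if other.lower() != base_hlp:
                findings.append((lineno, "external-file", other))
    return findings

# Constructed sample: one :Link, one cross-file jump, one program-launching macro.
SAMPLE_CNT = """:Base app.hlp
:Link extra.cnt
1 Overview=overview_topic
2 Printing=print_topic@printing.hlp
2 Launch editor=!ExecProgram("notepad.exe", 1)
2 Close=!CloseWindow("main")
"""

def risky_lines(text):
    return [lineno for lineno, kind, _ in audit_cnt(text) if kind == "macro-risky"]
```

Run audit_cnt over the contents of each .cnt file on a shared system; any "macro-risky" or unexpected "external-file" finding marks a file that needs the same ACL as an .exe.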
