Re: Local user can fool another to run executable. .CNT/.GID/.HLP M$WINNT
From: mnemonix () GLOBALNET CO UK (Mnemonix)
Date: Mon, 8 Nov 1999 03:10:24 -0000

----- Original Message -----
From: "Pauli Ojanpera" <pauli_ojanpera () HOTMAIL COM>
Sent: Tuesday, December 07, 1999 8:55 AM
Subject: Local user can fool another to run executable. .CNT/.GID/.HLP

Windows help system uses a HELPFILE.CNT file as table of contents
metafile for creating HELPFILE.GID which is needed to view table of

BTW that :Title tag in .CNT files has a kind of buffer overflow. Buffer
is ~256 bytes. I think it triggers when the created
.GID file is opened.

There are many issues like this with the Windows Help system. I spoke to
Dave LeBlanc (@microsoft) about this same issue a few months back and as he
rightly states, .hlp (or .cnt or .gid) == .exe.

You can create help files (.hlp) that will exec any program with options you
want as soon as you click on a .hlp file. There are a number of macros you
can use to do this, such as the ExecFile() macro - there are about five or seven.
As far as the buffer overrun is concerned this was discovered and reported
to Microsoft and they have addressed the problem. Microsoft's advisory about
this can be found at
http://www.microsoft.com/security/bulletins/ms99-015.asp and my original
analysis of the overrun can be found at
http://www.cerberus-infosec.co.uk/wpwhlpbuf.html .

As far as the newer HTML help system is concerned (HH.EXE), pretty much most
of the "execfile" macro functionality has been removed. It is still possible,
however, to get HH.EXE to exec a program without the user's intervention
other than clicking on a chm file. You can use a macro within the HH ActiveX
and then use the meta refresh tag in the HTML page to do this, so when the
chm file is opened the page is refreshed and the program is exec'd.
Fortunately the macro used to do this is only "usable" from local chm files
and not remote webpages that use the ActiveX control supplied on Win98 boxes.

David Litchfield
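As an added example (not part of this thread or anyone's posted code), a small checker for .CNT files that flags the two concerns discussed above: a :Title value longer than the ~256-byte buffer, and a line invoking a program-launching help macro. ExecFile is the macro named in the thread; the other macro names, the 256-byte threshold and the sample's line syntax are assumptions.

```python
"""Constructed checker for Windows Help .CNT table-of-contents files."""
import re
from typing import List, Tuple

TITLE_LIMIT = 256  # approximate :Title buffer size reported in the thread

# Program-launching WinHelp macros to flag. ExecFile is named in the thread;
# ExecProgram and ShellExecute are assumed additional WinHelp macro names.
EXEC_MACROS = ("ExecFile", "ExecProgram", "ShellExecute")
_MACRO_RE = re.compile(r"\b(" + "|".join(EXEC_MACROS) + r")\s*\(", re.IGNORECASE)


def scan_cnt(data: bytes) -> List[Tuple[int, str]]:
    """Return (line_number, reason) findings for the raw bytes of a .CNT file.

    Lengths are measured in bytes because the overflow concern is about the
    size of the value written into a fixed buffer, not its character count.
    """
    findings: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(data.splitlines(), start=1):
        stripped = raw.strip()
        # Directive lines start with ':'; the title text follows ':Title '.
        if stripped[:6].lower() == b":title":
            value = stripped[6:].strip()
            if len(value) > TITLE_LIMIT:
                findings.append(
                    (lineno, f":Title value is {len(value)} bytes (> {TITLE_LIMIT})")
                )
        # .CNT files are plain text; latin-1 decodes every byte losslessly.
        match = _MACRO_RE.search(raw.decode("latin-1"))
        if match:
            findings.append((lineno, f"program-launching macro {match.group(1)}()"))
    return findings


# Constructed sample: a benign title, an overlong title and a macro reference.
# The "=!Macro(...)" topic syntax is assumed for illustration.
SAMPLE_CNT = (
    b":Base helpfile.hlp\r\n"
    b":Title Sample Help\r\n"
    b":Title " + b"A" * 300 + b"\r\n"
    b"1 Overview=overview_topic\r\n"
    b"2 Launch=!ExecFile(\"program.exe\")\r\n"
)

if __name__ == "__main__":
    for lineno, reason in scan_cnt(SAMPLE_CNT):
        print(f"line {lineno}: {reason}")
```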

