Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Local user can fool another to run executable. .CNT/.GID/.HLP M$WINNT
From: jsherry () IDT NET (Jay Sherry)
Date: Tue, 7 Dec 1999 13:01:41 -0500


I tried this exploit on my machine. It does not work when you run the help
system topic. And microsoft must know about this because the Whats new in
Word 97 is not in the help file it is in the Wdman8.cnt file

On Tue, 7 Dec 1999, Pauli Ojanpera wrote:

Windows help system uses a HELPFILE.CNT file as table of contents
metafile for creating HELPFILE.GID which is needed to view table of contents
for HELPFILE.HLP.

If you delete previously created HELPFILE.GID and edit HELPFILE.CNT, you can
change a topic action to run an executable instead of viewing
help for that topic. When victim user uses help system and chooses
the infected topic, help system runs an executable from path.

Example:

- Delete C:\Program Files\Microsoft Office\Office\WDMAIN8.GID
(kill winhlp32.exe process if necessary)

- Edit C:\Program Files\Microsoft Office\Office\WDMAIN8.CNT
which is a text file. You should change the line which has
something like:

3 Word 97 new features=woidxWhatsNewInMicrosoftWord97 () wdnew8 hlp>REF

to read:

3 Word 97 new features=!EF("CMD.EXE","",1)

- Run WinWord and select Help|Contents from menubar.
- Find topic "Word 97 new features" and select it.
- You should see CMD.EXE to run.

BTW that :Title tag in .CNT files has a kind of buffer overflow. Buffer size
is ~256 bytes. I think it triggers when the created
.GID file is opened.

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault