PowerCHM 5.7 (hhp) Local Buffer Overflow Exploit
Title: PowerCHM 5.7 (hhp) Local Buffer Overflow Exploit
Advisory ID: ZSL-2009-4910
Type: Local/Remote
Impact: System Access
Risk: (3/5)
Release Date: 29.03.2009
Exploit coded by Gjoko Krstic - <gjoko@zeroscience.mk>
Summary
With PowerCHM you can create CHM files automatically from HTML files (including .htm, .html and .mht), text files (.txt), Microsoft Word documents (.doc) and Adobe Acrobat documents (.pdf).
Description
The vulnerability is caused by a boundary error when processing overly long filenames. This can be exploited to cause a stack-based buffer overflow, e.g. by tricking a user into opening an HTML Help Project (".HHP") file that contains an overly long "[FILES]" entry, or into clicking an overly long link included in an imported HTML file. Successful exploitation may allow execution of arbitrary code.
Vendor
Dawningsoft Inc. - http://www.dawningsoft.com
Affected Version
5.7
Tested On
Microsoft Windows XP Professional SP2 (English)
Vendor Status
N/A
PoC
powerchm_bof.pl
Credits
Vulnerability discovered by Le Duc Anh from Bkis Security
Exploit coded by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.milw0rm.com/exploits/8301
[2] http://securityreason.com/exploitalert/5943
[3] http://packetstormsecurity.org/filedesc/powerchm57-overflow.txt.html
[4] http://www.securityfocus.com/bid/34263
Changelog
[29.03.2009] - Initial release
Contact
Zero Science Lab
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
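The overly long "[FILES]" entry described in the Description section is the kind of input a defender can screen for before an .HHP file is handed to PowerCHM. The following is an added example written for this page, not code from the advisory or from the powerchm_bof.pl PoC; the 260-character cut-off and the sample project files are assumptions.

```python
import re

# Assumed threshold: legitimate project entries are short paths. MAX_PATH
# (260) is a conservative cut-off chosen here, not a value from the advisory.
MAX_ENTRY_LEN = 260


def parse_hhp(text):
    """Parse INI-style HTML Help Project text into {SECTION: [entries]}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        header = re.match(r"^\[(.+?)\]$", line)
        if header:
            current = header.group(1).upper()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def find_oversized_files(text, limit=MAX_ENTRY_LEN):
    """Return [(preview, length)] for [FILES] entries longer than limit."""
    flagged = []
    for entry in parse_hhp(text).get("FILES", []):
        if len(entry) > limit:
            flagged.append((entry[:24] + "...", len(entry)))
    return flagged


def is_safe_to_open(text, limit=MAX_ENTRY_LEN):
    """True when no [FILES] entry exceeds the limit."""
    return not find_oversized_files(text, limit)


# Constructed sample project files (not taken from the advisory).
SAFE_HHP = """\
[OPTIONS]
Compatibility=1.1 or later
Compiled file=manual.chm
Default topic=index.htm
[FILES]
index.htm
chapter1.htm
"""
SUSPICIOUS_HHP = SAFE_HHP + "A" * 1200 + ".htm\n"

if __name__ == "__main__":
    for name, hhp in (("safe", SAFE_HHP), ("suspicious", SUSPICIOUS_HHP)):
        print(name, is_safe_to_open(hhp), find_oversized_files(hhp))
```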