Dear Kazennov, Vladimir,
CHM Файл без любого переполнения буфера может выполнить код. Так что
фигня все это - опять как поломать самого себя.
--Wednesday, May 10, 2006, 4:24:33 PM, you wrote to
security-alerts@xxxxxxxxxxxxxx:
>>
>> TITLE:
>> Microsoft Windows "itss.dll" Heap Corruption Vulnerability
>>
>> SECUNIA ADVISORY ID:
>> SA20061
>>
>> VERIFY ADVISORY:
>>
>>
>> CRITICAL:
>> Less critical
>>
>> IMPACT:
>> System access
>>
>> WHERE:
>> From remote
>>
>> OPERATING SYSTEM:
>> Microsoft Windows 2000 Advanced Server
>>
>> Microsoft Windows 2000 Datacenter Server
>>
>> Microsoft Windows 2000 Professional
>>
>> Microsoft Windows 2000 Server
>>
>> Microsoft Windows XP Home Edition
>>
>> Microsoft Windows XP Professional
>>
>>
>> DESCRIPTION:
>> RubИn Santamarta has discovered a vulnerability in Microsoft Windows,
>> which potentially can be exploited by malicious people to compromise a
>> user's system.
>>
>> The vulnerability is caused due to a boundary error in the Infotech
>> Storage System Library (itss.dll) when reading a ".CHM" file. This
>> can be exploited to cause heap corruption and may allow arbitrary
>> code execution via a specially crafted ".CHM" file.
>>
>> Successful exploitation requires that the user is e.g. tricked in
>> opening or decompiling a malicious ".CHM" file using "hh.exe".
>>
>> The vulnerability has been confirmed in Windows XP SP2 (fully
>> patched) and also reported in Windows 2000 SP4. Other versions may
>> also be affected.
>>
>> NOTE: The CHM file format should be considered insecure and treated
>> similar to an executable file. However, this vulnerability is
>> triggered even when the user decompiles the file without opening it.
>>
>> SOLUTION:
>> The vulnerability will reportedly be fixed in the next Service Pack.
>>
>> Do not open or decompile untrusted ".CHM" files.
>>
>> PROVIDED AND/OR DISCOVERED BY:
>> RubИn Santamarta
>>
>> ORIGINAL ADVISORY:
>> ;
>> id=11&Itemid=1
>>
>>
--
~/ZARAZA
Итак, я буду краток. (Твен)
