Microsoft Windows compiled Help (.CHM) integer overflow (CHM_DirChunkSize_Bo)

About this signature or vulnerability

IBM Security Host Protection for Servers (Windows), RealSecure Server Sensor, IBM Security Host Protection for Servers (Unix), Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Network MFS, Proventia Network IPS, IBM Security Host Protection for Desktops, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware:

This signature detects a negative directory chunk size in a compiled Help (.CHM) file, which can cause an integer overflow.
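The check this signature describes can be sketched as follows. This is an added example, not IBM's signature logic or code from this page; the field offsets come from the publicly documented (unofficial) CHM layout and are assumptions, as are the function names and the constructed sample headers.

```python
import struct

# Offsets follow the publicly documented (unofficial) CHM/ITSS layout; they are
# assumptions of this example, not values given on this page.
ITSF_SECTION1_OFFSET = 0x48   # QWORD: file offset of header section 1 (directory)
ITSP_CHUNK_SIZE = 0x10        # DWORD: directory chunk size inside the ITSP header
ITSP_MIN_LEN = 0x14           # bytes needed to reach the end of the chunk size field

def check_dir_chunk_size(data: bytes) -> str:
    """Classify a CHM image: 'not-chm', 'malformed', 'negative-chunk-size' or 'ok'."""
    if len(data) < 0x58 or data[:4] != b"ITSF":
        return "not-chm"
    (dir_off,) = struct.unpack_from("<Q", data, ITSF_SECTION1_OFFSET)
    # Bounds-check before dereferencing: the offset comes from the file as well.
    if dir_off > len(data) - ITSP_MIN_LEN:
        return "malformed"
    if data[dir_off:dir_off + 4] != b"ITSP":
        return "malformed"
    # Read as a signed 32-bit value so anything >= 0x80000000 shows up as negative.
    (chunk_size,) = struct.unpack_from("<i", data, dir_off + ITSP_CHUNK_SIZE)
    if chunk_size < 0:
        return "negative-chunk-size"
    return "ok"

def build_sample(chunk_size: int) -> bytes:
    """Constructed minimal ITSF + ITSP header pair (not a usable .CHM file)."""
    itsf = bytearray(0x60)
    itsf[0:4] = b"ITSF"
    struct.pack_into("<II", itsf, 4, 3, 0x60)        # version, header length
    struct.pack_into("<QQ", itsf, 0x48, 0x60, 0x54)  # section 1 offset, length
    itsp = bytearray(0x54)
    itsp[0:4] = b"ITSP"
    struct.pack_into("<II", itsp, 4, 1, 0x54)        # version, header length
    struct.pack_into("<i", itsp, 0x10, chunk_size)   # directory chunk size
    return bytes(itsf + itsp)

if __name__ == "__main__":
    for size in (0x1000, -1):
        print(hex(size & 0xFFFFFFFF), check_dir_chunk_size(build_sample(size)))
```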


Default risk level

High

Sensors that have this signature

IBM Security Host Protection for Servers (Windows): 2.1.14.2400, IBM Security Host Protection for Servers (Windows): 1.0.914.0, RealSecure Server Sensor: XPU 24.11, IBM Security Host Protection for Servers (Unix): 2.2.2, Proventia-G 1.1 and earlier: XPU 24.11, Proventia Network IDS: XPU 24.11, Proventia Network MFS: XPU 1.50, Proventia Network IPS: XPU 1.50, IBM Security Host Protection for Desktops: 8.0.614.8, Proventia Server IPS for Linux technology: 1.0, Virtual Server Protection for VMware: 1.0

Systems affected

Microsoft Windows 98, Microsoft Windows 98SE, Microsoft Windows Me, Microsoft Windows 2000: SP3, Microsoft Windows XP: SP1, Microsoft Windows 2000: SP4, Microsoft Windows 2003 Server: x64, Microsoft Windows 2003 Server, Microsoft Windows XP: SP2, Microsoft Windows XP: SP1 x64 Itanium, Microsoft Windows XP: 2003 x64 Itanium, Microsoft Windows 2003 Server: Itanium, Microsoft Windows 2003 Server: SP1, Microsoft Windows XP: x64 Professional, Microsoft Windows 2003 Server: SP1 Itanium

Type

Unauthorized Access Attempt

Vulnerability description

Microsoft Windows could allow a remote attacker to execute arbitrary code on the system because of an integer overflow that can occur when handling specially crafted compiled Help (.CHM) files. A remote attacker who persuades a victim to visit a malicious Web page could use that page to trigger a heap-based buffer overflow, which would allow the attacker to execute arbitrary code and possibly gain complete control over the victim's system.

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-026. See References.

References

Microsoft Security Bulletin MS05-026
Vulnerability in HTML Help Could Allow Remote Code Execution (896358)
http://www.microsoft.com/technet/security/bulletin/ms05-026.mspx

US-CERT Vulnerability Note VU#851869
Microsoft HTML Help vulnerable to integer overflow
http://www.kb.cert.org/vuls/id/851869

VulnWatch Mailing List, Tue Jun 14 2005 - 18:57:58 CDT
eEye Advisory - EEYEB-20050316 - HTML Help File Parsing Buffer Overflow
http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0062.html

ISS X-Force
Microsoft Windows compiled Help (.CHM) integer overflow
http://www.iss.net/security_center/static/20821.php

CVE
CVE-2005-1208
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1208