===[ ABSTRACT ]=========================================================

It is possible to invoke winhlp32.exe from Internet Explorer 8, 7 and 6 using VBScript. Passing a malicious .HLP file to winhlp32 could allow a remote attacker to run an arbitrary command. Additionally, there is a stack overflow vulnerability in winhlp32.exe.

===[ AFFECTED SOFTWARE ]================================================

Windows XP SP3
NOT AFFECTED: Vista, Windows 7

===[ DESCRIPTION ]======================================================

To trigger the vulnerability some user interaction is needed: the victim has to press F1 when the MsgBox popup is displayed. Syntax of the MsgBox function:

MsgBox(prompt[,buttons][,title][,helpfile,context])

It is possible to pass a remote Samba share as the helpfile parameter. In addition, there is a stack-based buffer overflow when the helpfile parameter is too long. However, on XP winhlp32.exe is compiled with the /GS flag, which in this case effectively guards the stack.

Proof-of-Concept is available here: http://isec.pl/poc-isec27/

===[ IMPACT ]===========================================================

Score: MEDIUM
The vulnerability allows a remote attacker to run arbitrary code on the victim machine.

===[ DISCLOSURE TIMELINE ]==============================================

01 Feb 2007 The vulnerability was discovered.
26 Feb 2010 Public disclosure

===[ AUTHOR ]===========================================================

Maurycy Prodeus | twitter.com/mprodeus
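As an added defender-side example (not part of the advisory or the author's PoC), a small Python checker that flags process-creation records in which a browser spawned winhlp32.exe with a UNC helpfile path or an oversized helpfile argument, the two conditions the description above names. The record layout, the sample events, the 260-character threshold and the shape of the winhlp32 command line are all assumptions.

```python
import re

# Constructed sample process-creation records (not from the advisory), in an
# assumed "parent_image|child_image|command_line" layout, one per line.
# The exact command line winhlp32.exe receives from MsgBox is an assumption.
LONG_PATH = "C:\\" + "A" * 300 + ".hlp"
SAMPLE_LOG = (
    "C:\\Program Files\\Internet Explorer\\iexplore.exe|C:\\WINDOWS\\winhlp32.exe|"
    "winhlp32.exe \\\\198.51.100.7\\share\\evil.hlp\n"
    "C:\\WINDOWS\\explorer.exe|C:\\WINDOWS\\winhlp32.exe|"
    "winhlp32.exe C:\\WINDOWS\\Help\\notepad.hlp\n"
    "C:\\Program Files\\Internet Explorer\\iexplore.exe|C:\\WINDOWS\\system32\\notepad.exe|"
    "notepad.exe\n"
    "C:\\Program Files\\Internet Explorer\\iexplore.exe|C:\\WINDOWS\\winhlp32.exe|"
    "winhlp32.exe " + LONG_PATH + "\n"
)

BROWSERS = {"iexplore.exe"}                        # parents that should not spawn WinHelp
UNC_PATH = re.compile(r"\\\\[^\\\s]+\\[^\\\s]+")   # \\host\share... (remote helpfile)
MAX_ARG_LEN = 260   # assumed threshold; the advisory gives no exact length

def basename(image: str) -> str:
    """Lower-cased file name of an image path, whichever separator it uses."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(record: str) -> list[str]:
    """Return the reasons a record is suspicious (empty list if benign)."""
    parent, child, cmdline = record.split("|", 2)
    if basename(child) != "winhlp32.exe" or basename(parent) not in BROWSERS:
        return []
    reasons = ["browser-spawned-winhlp32"]
    if UNC_PATH.search(cmdline):
        reasons.append("remote-helpfile")
    # Everything after the image name is treated as the helpfile argument.
    arg = cmdline.split(" ", 1)[1] if " " in cmdline else ""
    if len(arg) > MAX_ARG_LEN:
        reasons.append("oversized-argument")
    return reasons

def scan(log_text: str) -> list[tuple[int, list[str]]]:
    """Run classify() over every record; return (line number, reasons) hits."""
    hits = []
    for lineno, record in enumerate(log_text.splitlines(), start=1):
        if record.strip():
            reasons = classify(record)
            if reasons:
                hits.append((lineno, reasons))
    return hits

if __name__ == "__main__":
    for lineno, reasons in scan(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(reasons)}")
```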