Internet Explorer 'winhlp32.exe' 'MsgBox()' Remote Code Execution Vulnerability
  • nImaarek
    Posts: 25
    Works on IE 6/7/8
    ===[ ABSTRACT ]=========================================================

    It is possible to invoke winhlp32.exe from Internet Explorer 8, 7 and 6
    using VBScript. Passing a malicious .HLP file to winhlp32 could allow a
    remote attacker to run an arbitrary command.
    Additionally, there is a stack overflow vulnerability in winhlp32.exe.


    ===[ AFFECTED SOFTWARE ]================================================

    Windows XP SP3

    NOT AFFECTED: Vista, Windows 7

    ===[ DESCRIPTION ]======================================================

    To trigger the vulnerability, some user interaction is needed. The victim
    has to press F1 when the MsgBox popup is displayed.

    Syntax of MsgBox function:

    MsgBox(prompt[,buttons][,title][,helpfile,context])


    It is possible to pass a remote Samba share as the helpfile parameter.
    In addition, there is a stack-based buffer overflow when the helpfile
    parameter is too long. However, on XP winhlp32.exe is compiled with the
    /GS flag, which in this case effectively guards the stack.

    Proof-of-Concept is available here:
    http://isec.pl/poc-isec27/

    ===[ IMPACT ]===========================================================

    Score: MEDIUM

    The vulnerability allows a remote attacker to run arbitrary code on the
    victim machine.


    ===[ DISCLOSURE TIMELINE ]==============================================

    01 Feb 2007 The vulnerability was discovered.
    26 Feb 2010 Public disclosure


    ===[ AUTHOR ]===========================================================

    Maurycy Prodeus | twitter.com/mprodeus
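A defender-side check for the parent/child pattern the advisory describes (Internet Explorer launching winhlp32.exe with a help file on a remote share, or with an over-long helpfile argument), written here as an added example; it is not code from the advisory, its author or the forum post. The event field names, the sample events and the 260-character "too long" threshold are assumptions.

```python
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Constructed process-creation events for illustration (not from the original
# post). The field names "parent", "image" and "cmdline" are assumed, not
# taken from any particular logging product.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Ordinary local help lookup: expected, not flagged.
    {"parent": r"C:\WINDOWS\explorer.exe",
     "image": r"C:\WINDOWS\winhlp32.exe",
     "cmdline": r"winhlp32.exe C:\WINDOWS\Help\notepad.hlp"},
    # IE spawning winhlp32 with a help file on a remote share (the advisory's case).
    {"parent": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "image": r"C:\WINDOWS\winhlp32.exe",
     "cmdline": r"winhlp32.exe \\198.51.100.7\pub\help.hlp"},
    # IE spawning winhlp32 with an over-long helpfile argument (the overflow case).
    {"parent": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "image": r"C:\WINDOWS\winhlp32.exe",
     "cmdline": "winhlp32.exe " + "A" * 600 + ".hlp"},
]

# A UNC path: two backslashes, a host, a backslash, then the rest of the path.
UNC_PATH = re.compile(r"\\\\[^\\\s]+\\\S+")
# Assumed threshold for "too long"; Windows MAX_PATH is 260 characters.
LONG_ARG = 260


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any host)."""
    return ntpath.basename(path).lower()


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a reason if the event matches the advisory's pattern, else None."""
    if basename(event["parent"]) != "iexplore.exe":
        return None
    if basename(event["image"]) != "winhlp32.exe":
        return None
    parts = event["cmdline"].split(None, 1)
    helpfile = parts[1] if len(parts) > 1 else ""
    if UNC_PATH.search(helpfile):
        return "winhlp32 launched by IE with a help file on a remote share"
    if len(helpfile) > LONG_ARG:
        return "winhlp32 launched by IE with an over-long helpfile argument"
    return "winhlp32 launched by IE (review the help file path)"


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Index and reason for every event that classify() flags."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]
```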
  • s1n4
    Posts: 88
    Thanks nice share :)
  • Xin
    Posts: 3,251
    Did you make this, or have you just copy-pasted it from an exploit site?
    Xin
  • nImaarek
    Posts: 25
    It has been reported.
    So I posted it because I thought it might be useful for you.
    This is just copy-paste :D