===[ ABSTRACT ]===
It is possible to invoke winhlp32.exe from Internet Explorer 8, 7 and 6
using VBScript. Passing a malicious .HLP file to winhlp32 could allow a
remote attacker to run an arbitrary command.
Additionally, there is a stack overflow vulnerability in winhlp32.exe.


===[ AFFECTED SOFTWARE ]===
Windows XP SP3

NOT AFFECTED: Vista, Windows 7

===[ DESCRIPTION ]===

Triggering the vulnerability requires some user interaction: the victim
has to press F1 while the MsgBox popup is displayed.

Syntax of MsgBox function:

MsgBox(prompt[,buttons][,title][,helpfile,context])


It is possible to pass a remote Samba share as the helpfile parameter.
In addition, there is a stack-based buffer overflow when the helpfile
parameter is too long. However, on XP winhlp32.exe is compiled with the
/GS flag, which in this case effectively guards the stack.

Proof-of-Concept is available here:
http://isec.pl/poc-isec27/
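
As an added illustration of what a defender could look for (example code, not part of this advisory or its PoC): a small Python detector run over constructed Sysmon-style process-creation lines that flags winhlp32.exe launched by iexplore.exe, a helpfile on a UNC share, or an over-long helpfile argument. The key="value" log format, the 260-character length threshold and the sample lines are assumptions made for this example.

```python
"""Detection sketch for the IE -> winhlp32 chain. Log format and sample
lines are constructed for this example (not taken from the advisory)."""
import re
from typing import Dict, List, Tuple

# Matches a UNC path such as \\server\share (remote helpfile location).
UNC_PATH = re.compile(r'\\\\[^\\\s"]+\\[^\\\s"]+')
MAX_HELPFILE_LEN = 260        # assumed threshold (MAX_PATH) for "too long"
BROWSERS = {"iexplore.exe"}   # parents that should never spawn WinHelp

def parse_event(line: str) -> Dict[str, str]:
    """Parse constructed 'Key="value"' fields into a lower-cased dict."""
    return {k.lower(): v for k, v in re.findall(r'(\w+)="([^"]*)"', line)}

def classify(event: Dict[str, str]) -> List[str]:
    """Return the list of suspicious traits for one process-creation event."""
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    parent = event.get("parentimage", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("commandline", "")
    findings: List[str] = []
    if image != "winhlp32.exe":
        return findings
    if parent in BROWSERS:
        findings.append("winhlp32 spawned by browser")
    if UNC_PATH.search(cmd):
        findings.append("helpfile on remote share")
    # Longest whitespace-separated token approximates the helpfile argument.
    longest = max((len(tok) for tok in cmd.split()), default=0)
    if longest > MAX_HELPFILE_LEN:
        findings.append("over-long helpfile argument")
    return findings

def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (1-based line number, findings) for every line that triggers."""
    results = []
    for i, line in enumerate(lines, 1):
        found = classify(parse_event(line))
        if found:
            results.append((i, found))
    return results

LONG_ARG = "C:\\" + "A" * 400 + ".hlp"   # constructed over-long helpfile path
SAMPLE_LOG = [  # constructed sample events; 203.0.113.10 is a documentation address
    r'Image="C:\WINDOWS\winhlp32.exe" ParentImage="C:\WINDOWS\explorer.exe" CommandLine="winhlp32.exe C:\WINDOWS\Help\ntcmds.hlp"',
    r'Image="C:\WINDOWS\winhlp32.exe" ParentImage="C:\Program Files\Internet Explorer\iexplore.exe" CommandLine="winhlp32.exe \\203.0.113.10\share\help.hlp"',
    f'Image="C:\\WINDOWS\\winhlp32.exe" ParentImage="C:\\Program Files\\Internet Explorer\\iexplore.exe" CommandLine="winhlp32.exe {LONG_ARG}"',
]

if __name__ == "__main__":
    for lineno, found in scan(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(found)}")
```

Only the second and third constructed lines are reported; the first (a local help file opened from Explorer) is silent.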

===[ IMPACT ]===
Score: MEDIUM

The vulnerability allows a remote attacker to run arbitrary code on the
victim's machine.
 

===[ DISCLOSURE TIMELINE ]===
01 Feb 2007	The vulnerability was discovered.
26 Feb 2010	Public disclosure


===[ AUTHOR ]===
Maurycy Prodeus | twitter.com/mprodeus