Windows XP IE8,7 HLP file vulnerability

2010.03.06
Risk: High
Local: No
Remote: Yes

===[ ABSTRACT ]=== It is possible to invoke winhlp32.exe from Internet Explorer 8,7,6 using VBScript. Passing malicious .HLP file to winhlp32 could allow remote attacker to run arbitrary command. Additionally, there is a stack overflow vulnerability in winhlp32.exe. ===[ AFFECTED SOFTWARE ]=== Windows XP SP3 NOT AFFECTED: Vista, Windows 7 ===[ DESCRIPTION ]=== To trigger vulnerability some user interaction is needed. Victim has to press F1 when MsgBox popup is displayed. Syntax of MsgBox function: MsgBox(prompt[,buttons][,title][,helpfile,context]) It is possible to pass remote samba share as helpfile parameter. In addition there is a stack based buffer overflow when helpfile parameter is too long. However, on XP winhlp32.exe is compiled with /GS flag, which in this case effectively guard the stack. Proof-of-Concept is available here: http://isec.pl/poc-isec27/ ===[ IMPACT ]=== Score: MEDIUM The vulnerability allows remote attacker to run arbitrary code on victim machine. ===[ DISCLOSURE TIMELINE ]=== 01 Feb 2007 The vulnerability was discovered. 26 Feb 2010 Public disclosure ===[ AUTHOR ]=== Maurycy Prodeus | twitter.com/mprodeus

References:

http://xforce.iss.net/xforce/xfdb/56560
http://www.theregister.co.uk/2010/03/01/ie_code_execution_bug/
http://www.securityfocus.com/bid/38473
http://www.microsoft.com/technet/security/advisory/981169.mspx
http://isec.pl/vulnerabilities10.html
http://isec.pl/vulnerabilities/isec-0027-msgbox-helpfile-ie.txt
http://blogs.technet.com/msrc/archive/2010/03/01/security-advisory-981169-released.aspx


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top