===[ ABSTRACT ]=========================================================

It is possible to invoke winhlp32.exe from Internet Explorer 8, 7 and 6 using VBScript. Passing a malicious .HLP file to winhlp32 could allow a remote attacker to run an arbitrary command. Additionally, there is a stack overflow vulnerability in winhlp32.exe.

===[ AFFECTED SOFTWARE ]================================================

Windows XP SP3

NOT AFFECTED: Vista, Windows 7

===[ DESCRIPTION ]======================================================

To trigger the vulnerability some user interaction is needed: the victim has to press F1 while the MsgBox popup is displayed.

Syntax of the MsgBox function:

    MsgBox(prompt[,buttons][,title][,helpfile,context])

It is possible to pass a remote Samba share as the helpfile parameter. In addition, there is a stack-based buffer overflow when the helpfile parameter is too long. However, on XP winhlp32.exe is compiled with the /GS flag, which in this case effectively guards the stack.

Proof-of-Concept is available here: http://isec.pl/poc-isec27/

===[ IMPACT ]===========================================================

Score: MEDIUM

The vulnerability allows a remote attacker to run arbitrary code on the victim's machine.

===[ DISCLOSURE TIMELINE ]==============================================

01 Feb 2007  The vulnerability was discovered.
26 Feb 2010  Public disclosure

===[ AUTHOR ]===========================================================

Maurycy Prodeus | twitter.com/mprodeus
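From a detection standpoint, the two conditions the advisory describes (the help viewer being launched by the browser with a help file on a remote share, and an over-long helpfile argument) are both visible in process-creation telemetry. The following is an added example written for this page, not code from the advisory or its author. The log format ("parent|image|command_line"), the sample records and the 260-character length threshold are assumptions constructed for the demonstration; a real deployment would map the fields onto whatever EDR or Sysmon-style feed is available.

```python
"""Flag winhlp32.exe launches that match the advisory's help-file vector.

Added example, not part of the advisory. Field layout, sample records and
the length threshold are constructed assumptions.
"""
import re

# Constructed sample feed, schema assumed as "parent|image|command_line".
SAMPLE_LOG = """\
iexplore.exe|winhlp32.exe|winhlp32.exe \\\\10.0.0.5\\share\\evil.hlp
explorer.exe|winhlp32.exe|winhlp32.exe C:\\WINDOWS\\Help\\notepad.hlp
iexplore.exe|winhlp32.exe|winhlp32.exe C:\\WINDOWS\\Help\\local.hlp
iexplore.exe|winhlp32.exe|winhlp32.exe {long}
iexplore.exe|notepad.exe|notepad.exe readme.txt
""".format(long="A" * 600)

# \\host\share prefix: a help file served from a remote (SMB) share.
UNC_RE = re.compile(r"\\\\[^\\\s]+\\")
# Assumption: anything longer than a classic MAX_PATH is worth a look.
MAX_HELPFILE_LEN = 260


def parse_record(line):
    """Split one constructed record into its three fields."""
    parent, image, cmdline = line.split("|", 2)
    return {"parent": parent.lower(), "image": image.lower(), "cmdline": cmdline}


def helpfile_arg(cmdline):
    """Return everything after the image name, i.e. the help-file argument."""
    parts = cmdline.split(None, 1)
    return parts[1] if len(parts) > 1 else ""


def classify(rec):
    """Return the list of finding tags for a single record (empty if benign)."""
    findings = []
    if rec["image"] != "winhlp32.exe":
        return findings
    arg = helpfile_arg(rec["cmdline"])
    from_browser = rec["parent"] == "iexplore.exe"
    # Browser-spawned help viewer pointed at a remote share: the advisory's vector.
    if from_browser and UNC_RE.search(arg):
        findings.append("remote-helpfile-from-ie")
    # Over-long helpfile argument: the stack-overflow condition the advisory notes.
    if len(arg) > MAX_HELPFILE_LEN:
        findings.append("oversized-helpfile-arg")
    # Lower severity: IE launching the help viewer at all is unusual enough to log.
    if from_browser and not findings:
        findings.append("winhlp32-from-ie")
    return findings


def scan(log_text):
    """Map 1-based record number -> findings for every record that triggers."""
    results = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        tags = classify(parse_record(line))
        if tags:
            results[n] = tags
    return results


if __name__ == "__main__":
    for n, tags in scan(SAMPLE_LOG).items():
        print(n, tags)
```

Run against the constructed feed, record 1 is tagged as the remote-share case, record 4 as the oversized argument, record 3 only as a browser-spawned help viewer, and the explorer.exe and notepad.exe records produce nothing. Blocking winhlp32.exe from being spawned by the browser, or blocking outbound SMB at the perimeter, removes the vector itself; the detector is the compensating control where that is not yet in place.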