F1 Button Exploit

Stephan Pringle Friday, August 24, 2012

Are you still using Windows XP? If so, be mindful of the F1 Button Exploit and how it attacks.

===[ ABSTRACT ]===============================================

It is possible to invoke winhlp32.exe from Internet Explorer 8,7,6
using VBScript. Passing malicious .HLP file to winhlp32 could allow
remote attacker to run arbitrary command.
Additionally, there is a stack overflow vulnerability in winhlp32.exe.

===[ AFFECTED SOFTWARE ]======================================

Windows XP SP3

NOT AFFECTED: Vista, Windows 7

===[ DESCRIPTION ]============================================

To trigger vulnerability some user interaction is needed. Victim has to
press F1 when MsgBox popup is displayed.

Syntax of MsgBox function:

MsgBox(prompt[,buttons][,title][,helpfile,context])

It is possible to pass remote samba share as helpfile parameter.
In addition there is a stack based buffer overflow when helpfile
parameter is too long. However, on XP winhlp32.exe is compiled with
/GS flag, which in this case effectively guard the stack.

Proof-of-Concept is available here:
http://isec.pl/poc-isec27/

===[ IMPACT ]=================================================

Score: MEDIUM

The vulnerability allows remote attacker to run arbitrary code on
victim machine.

===[ DISCLOSURE TIMELINE ]====================================

01 Feb 2007 The vulnerability was discovered.
26 Feb 2010 Public disclosure

===[ AUTHOR ]=================================================

Maurycy Prodeus | twitter.com/mprodeus

The following two tabs change content below.
facebook-profile-picture
My Twitter profileMy Facebook profileMy LinkedIn profileMy Instagram profileMy Pinterest profileMy YouTube channel

Stephan Pringle

Technology Support Specialist at Sipylus
About The Author: Stephan Pringle is an Information Technology Support Specialist. He covers hardware and software and provides tips for you to troubleshoot and repair issues on your own. In his spare time, he writes articles about the State of New York on his Hackintosh and HackBook and that has helped him to become the top contributor of the New York City section of Yahoo! Answers.
facebook-profile-picture
My Twitter profileMy Facebook profileMy LinkedIn profileMy Instagram profileMy Pinterest profileMy YouTube channel

Latest posts by Stephan Pringle (see all)

Related posts:

Default ThumbnailBusiness Projects Default ThumbnailAssociate Technical Support Specialist Default ThumbnailRemote Server Administration Tools Default ThumbnailCVE-2014-8770 Default ThumbnailRemote Desktop Entries Default ThumbnailWebsite Projects Default ThumbnailApache Vulnerability in 2.2 & 2.4 Default ThumbnailEpson Perfection 1640SU on Windows 7 Default ThumbnailSay Farewell to Orkut Default ThumbnailAdministrator Command Prompt Default ThumbnailFixing Kronos Default ThumbnailRemote Device Wipe Confirmation Default ThumbnailVirtuozzo Containers for Linux 4.7 Default ThumbnailThe New Microsoft Edge is Here Default ThumbnailThe New Microsoft Edge is Old Default ThumbnailDetermine the Bit Version Default ThumbnailMinimum Memory for Computing Default ThumbnailBitrix Default ThumbnailVersions of Windows 7 Default ThumbnailCompatibility Mode
facebook-profile-picture

Stephan Pringle

About The Author: Stephan Pringle is an Information Technology Support Specialist. He covers hardware and software and provides tips for you to troubleshoot and repair issues on your own. In his spare time, he writes articles about the State of New York on his Hackintosh and HackBook and that has helped him to become the top contributor of the New York City section of Yahoo! Answers.

Related Posts