F1 Button Exploit

Are you still using Windows XP? If so, be mindful of the F1 Button Exploit and how it works.

===[ ABSTRACT ]===============================================

It is possible to invoke winhlp32.exe from Internet Explorer 8, 7 and 6
using VBScript. Passing a malicious .HLP file to winhlp32 could allow a
remote attacker to run arbitrary commands.
Additionally, there is a stack overflow vulnerability in winhlp32.exe.

===[ AFFECTED SOFTWARE ]======================================

Windows XP SP3

NOT AFFECTED: Vista, Windows 7

===[ DESCRIPTION ]============================================

To trigger the vulnerability some user interaction is needed: the victim
has to press F1 while the MsgBox popup is displayed.

Syntax of the MsgBox function:

MsgBox(prompt[,buttons][,title][,helpfile,context])

It is possible to pass a remote Samba share as the helpfile parameter.
In addition, there is a stack-based buffer overflow when the helpfile
parameter is too long. However, on XP winhlp32.exe is compiled with the
/GS flag, which in this case effectively guards the stack.

Proof-of-Concept is available here:
http://isec.pl/poc-isec27/
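
As an added defensive example, not part of the original advisory, the following Python scans captured script content for MsgBox calls that supply the helpfile argument described above and flags a UNC-path helpfile, a helpfile built at runtime, or an oversized one. The sample script, the 260-character length threshold and the 192.0.2.10 address are constructed assumptions.

```python
import re
# Matches a VBScript MsgBox call (statement or function form) and captures the rest of the line.
MSGBOX_RE = re.compile(r"\bMsgBox\b\s*(.*)$", re.IGNORECASE | re.MULTILINE)
UNC_RE = re.compile(r"^(\\\\|//)")   # \\host\share or //host/share
MAX_HELPFILE_LEN = 260               # assumed threshold (MAX_PATH); the advisory gives no exact length

def split_args(text):
    """Split on top-level commas, honouring "..." literals ("" escapes a quote); yields (value, is_literal)."""
    args, cur, in_str, seen_quote, i = [], [], False, False, 0
    while i < len(text):
        ch = text[i]
        if ch == '"':
            if in_str and text[i + 1:i + 2] == '"':   # doubled quote inside a literal
                cur.append('"'); i += 2; continue
            in_str, seen_quote = not in_str, True
        elif ch == "," and not in_str:
            args.append(("".join(cur).strip(), seen_quote)); cur, seen_quote = [], False
        else:
            cur.append(ch)
        i += 1
    args.append(("".join(cur).strip(), seen_quote))
    return args

def find_risky_msgbox(script):
    """Return (kind, detail) findings for MsgBox calls that supply the helpfile/context arguments."""
    findings = []
    for m in MSGBOX_RE.finditer(script):
        arglist = m.group(1).strip()
        if arglist.startswith("(") and arglist.endswith(")"):
            arglist = arglist[1:-1]
        args = split_args(arglist)
        if len(args) < 5:                 # helpfile and context are the 4th and 5th arguments
            continue
        helpfile, is_literal = args[3]
        if not is_literal:                # built at runtime; needs manual review
            findings.append(("dynamic-helpfile", helpfile))
            continue
        if UNC_RE.match(helpfile):        # pressing F1 would make winhlp32 load an .HLP over the network
            findings.append(("remote-helpfile", helpfile))
        if len(helpfile) > MAX_HELPFILE_LEN:
            findings.append(("oversized-helpfile", len(helpfile)))
    return findings

# Constructed sample, not taken from the advisory; 192.0.2.10 is a documentation-range address.
SAMPLE_SCRIPT = "\n".join([
    'MsgBox "Press F1 for help", 0, "Help", "\\\\192.0.2.10\\share\\help.hlp", 1',
    'MsgBox("Plain message")',
    'MsgBox "Local", 0, "Help", "C:\\WINDOWS\\Help\\example.hlp", 10',
    'MsgBox "Dynamic", 0, "Help", p, 1',
    'MsgBox "Long", 0, "Help", "' + "A" * 300 + '.hlp", 1',
])
```

Running `find_risky_msgbox(SAMPLE_SCRIPT)` reports the remote, dynamic and oversized calls and stays silent on the plain message box and the local help file.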

===[ IMPACT ]=================================================

Score: MEDIUM

The vulnerability allows a remote attacker to run arbitrary code on the
victim's machine.

===[ DISCLOSURE TIMELINE ]====================================

01 Feb 2007 The vulnerability was discovered.
26 Feb 2010 Public disclosure

===[ AUTHOR ]=================================================

Maurycy Prodeus | twitter.com/mprodeus
