Are you still using Windows XP? If so, be mindful of the F1 Button Exploit and how it works.
===[ ABSTRACT ]===============================================
It is possible to invoke winhlp32.exe from Internet Explorer 8, 7 and 6
using VBScript. Passing a malicious .HLP file to winhlp32 could allow a
remote attacker to run an arbitrary command.
Additionally, there is a stack overflow vulnerability in winhlp32.exe.
===[ AFFECTED SOFTWARE ]======================================
Windows XP SP3
NOT AFFECTED: Vista, Windows 7
===[ DESCRIPTION ]============================================
To trigger the vulnerability some user interaction is needed: the victim
has to press F1 while the MsgBox popup is displayed.
Syntax of the MsgBox function:
It is possible to pass a remote Samba share as the helpfile parameter.
In addition, there is a stack-based buffer overflow when the helpfile
parameter is too long. However, on XP winhlp32.exe is compiled with the
/GS flag, which in this case effectively guards the stack.
Proof-of-Concept is available here:
===[ IMPACT ]=================================================
The vulnerability allows a remote attacker to run arbitrary code on
===[ DISCLOSURE TIMELINE ]====================================
01 Feb 2007 The vulnerability was discovered.
26 Feb 2010 Public disclosure
===[ AUTHOR ]=================================================
Maurycy Prodeus | twitter.com/mprodeus