• Background
    • Awards
    • Biography
    • Resume
  • Blog
    • Technical Support Blog
    • Cookie Policy
    • Galleries
      • Photo Gallery
      • Video Gallery
    • Glossary
  • Contact
    • Contact
    • Social Networks
  • IT
    • Downloads
      • Windows
    • Equipment
    • Hardware
    • Software
    • Testimonial
    • Information Technology
  • Projects
    • Business Projects
    • PC Projects
      • Hackintosh Laptop Projects
      • Hackintosh Desktop Projects
    • Website Projects
    • More Projects
  • Service Rates
    • Business Rates
    • Residential Rates

F1 Button Exploit

Friday, August 24, 2012 Articles, Tips Comments Off on F1 Button Exploit

Are you still using Windows XP? If so, be mindful of the F1 Button Exploit and how it attacks.

===[ ABSTRACT ]===============================================

It is possible to invoke winhlp32.exe from Internet Explorer 8,7,6
using VBScript. Passing malicious .HLP file to winhlp32 could allow
remote attacker to run arbitrary command.
Additionally, there is a stack overflow vulnerability in winhlp32.exe.

===[ AFFECTED SOFTWARE ]======================================

Windows XP SP3

NOT AFFECTED: Vista, Windows 7

===[ DESCRIPTION ]============================================

To trigger vulnerability some user interaction is needed. Victim has to
press F1 when MsgBox popup is displayed.

Syntax of MsgBox function:

MsgBox(prompt[,buttons][,title][,helpfile,context])

It is possible to pass remote samba share as helpfile parameter.
In addition there is a stack based buffer overflow when helpfile
parameter is too long. However, on XP winhlp32.exe is compiled with
/GS flag, which in this case effectively guard the stack.

Proof-of-Concept is available here:
http://isec.pl/poc-isec27/

===[ IMPACT ]=================================================

Score: MEDIUM

The vulnerability allows remote attacker to run arbitrary code on
victim machine.

===[ DISCLOSURE TIMELINE ]====================================

01 Feb 2007 The vulnerability was discovered.
26 Feb 2010 Public disclosure

===[ AUTHOR ]=================================================

Maurycy Prodeus | twitter.com/mprodeus

The following two tabs change content below.
  • Bio
  • Latest Posts
facebook-profile-picture
My Twitter profileMy Facebook profileMy LinkedIn profileMy Instagram profileMy Pinterest profileMy YouTube channel

Stephan Pringle

Technology Support Specialist at Sipylus
About The Author: Stephan Pringle is an Information Technology Support Specialist. He covers hardware and software and provides tips for you to troubleshoot and repair issues on your own. In his spare time, he writes articles about the State of New York on his Hackintosh and HackBook and that has helped him to become the top contributor of the New York City section of Yahoo! Answers.
facebook-profile-picture
My Twitter profileMy Facebook profileMy LinkedIn profileMy Instagram profileMy Pinterest profileMy YouTube channel

Latest posts by Stephan Pringle (see all)

  • HP Color LaserJet Pro MFP M477fdw - Friday, April 14, 2023

Related posts:

  1. CVE-2014-8770
  2. Bitrix
  3. Say Farewell to Orkut
  4. Network Printer on Windows XP
  5. Start Button
  6. Power Button
  7. Missing Re-install Now Button
  8. Change a Network Password on Windows
  9. Nexus 7 Battery Icon
  10. Microsoft Exchange on an iPhone
  11. Locking the Computer
  12. Enable Games in Windows 7
  13. Remote Device Wipe Confirmation
  14. PC Entering Safe Mode on Boot
  15. Reinstall Windows Media Player
  16. RSA WebCRD
  17. Locate The Recycle Bin
  18. Ports
  19. Devices and Printers
  20. Corrupted Segoe UI Symbol Font

Comments are closed.




Copyright © 1990-2023 Stephan Pringle. All rights reserved.

The information contained on this website is for your personal use only.
It may not be reproduced in whole or in part, by any means, for dissemination without our written permission.

Stephan Pringle

Technical Support Specialist

  • Keyword Search

  • Topic Sponsor