• Background
    • Awards
    • Biography
    • Resume
  • Blog
    • Articles
    • Cookie Policy
    • Galleries
      • Photo Gallery
      • Video Gallery
    • Glossary
  • Contact
    • Contact
    • Social Networks
  • IT
    • Downloads
      • Windows
    • Equipment
    • Hardware
    • Software
    • Testimonial
    • Information Technology
  • Projects
    • Business Projects
    • HackBook Projects
    • Hackintosh Projects
    • Website Projects
    • More Projects
  • Service Rates
    • Business Rates
    • Residential Rates

F1 Button Exploit

Friday, August 24, 2012 Articles, Tips Comments Off on F1 Button Exploit

Are you still using Windows XP? If so, be mindful of the F1 Button Exploit and how it attacks.

===[ ABSTRACT ]===============================================

It is possible to invoke winhlp32.exe from Internet Explorer 8,7,6
using VBScript. Passing malicious .HLP file to winhlp32 could allow
remote attacker to run arbitrary command.
Additionally, there is a stack overflow vulnerability in winhlp32.exe.

===[ AFFECTED SOFTWARE ]======================================

Windows XP SP3

NOT AFFECTED: Vista, Windows 7

===[ DESCRIPTION ]============================================

To trigger vulnerability some user interaction is needed. Victim has to
press F1 when MsgBox popup is displayed.

Syntax of MsgBox function:

MsgBox(prompt[,buttons][,title][,helpfile,context])

It is possible to pass remote samba share as helpfile parameter.
In addition there is a stack based buffer overflow when helpfile
parameter is too long. However, on XP winhlp32.exe is compiled with
/GS flag, which in this case effectively guard the stack.

Proof-of-Concept is available here:
http://isec.pl/poc-isec27/

===[ IMPACT ]=================================================

Score: MEDIUM

The vulnerability allows remote attacker to run arbitrary code on
victim machine.

===[ DISCLOSURE TIMELINE ]====================================

01 Feb 2007 The vulnerability was discovered.
26 Feb 2010 Public disclosure

===[ AUTHOR ]=================================================

Maurycy Prodeus | twitter.com/mprodeus

The following two tabs change content below.
  • Bio
  • Latest Posts
facebook-profile-picture
My Twitter profileMy Facebook profileMy LinkedIn profileMy Pinterest profileMy YouTube channel

Stephan Pringle

Chief Executive Officer at Sipylus
About The Author: Stephan Pringle is an Information Technology Specialist. He covers hardware and software and provides tips for you to troubleshoot and repair issues on your own. In his spare time, he writes articles about the State of New York on his Hackintosh and HackBook and that has helped him to become the top contributor of the New York City section of Yahoo! Answers.
facebook-profile-picture
My Twitter profileMy Facebook profileMy LinkedIn profileMy Pinterest profileMy YouTube channel

Latest posts by Stephan Pringle (see all)

  • Wall of Text Before Clover - Saturday, September 12, 2020

Related posts:

  1. CVE-2014-8770
  2. Bitrix
  3. Say Farewell to Orkut
  4. Network Printer on Windows XP
  5. Power Button
  6. Start Button
  7. Missing Re-install Now Button
  8. Change a Network Password on Windows
  9. Nexus 7 Battery Icon
  10. Microsoft Exchange on an iPhone
  11. Locking the Computer
  12. RSA WebCRD
  13. Reinstall Windows Media Player
  14. PC Entering Safe Mode on Boot
  15. Remote Device Wipe Confirmation
  16. Enable Games in Windows 7
  17. Ports
  18. Devices and Printers
  19. Locate The Recycle Bin
  20. Corrupted Segoe UI Symbol Font

Comments are closed.




Copyright © 1990-2020 Stephan Pringle. All rights reserved.

Stephan Pringle

IT Technical Support Specialist

  • Keyword Search

  • Translator

  • Topic Sponsor

  • Social Networks

    twitterfacebookgooglepluspinterestlinkedinxingmyspacebloggertumblrtypepadwordpressgowallaflickrsoundcloudspotifylastfmyoutubevimeodeviantartdribbbledeliciousdiggredditstumbleuponrssemailfriendfeedskype
By continuing to use this site, you are consenting to our use of cookies and terms. Learn more