IE 0-day Using Help Files

Proof-of-concept code has been posted showing how VBScript in a web page can make Internet Explorer launch the vulnerable winhlp32.exe with an attacker-supplied .HLP file on Windows 2000, XP and 2003. Two PoCs were published: one executes arbitrary code, the other just crashes WinHlp32.
(source: http://isc.sans.org/diary.html?storyid=8332)

The first PoC published has WinHlp32 fetch the malicious help file from an attacker-controlled SMB share, using a UNC path of the form:
“\\IP-ADDRESS\PUBLIC\test.hlp”
.hlp files can run embedded macros that launch programs or load DLLs, so they should be treated as executable files. .chm (compiled HTML help) files are probably equally dangerous.

The second PoC crashes WinHlp32 by feeding it an over-long command-line parameter. The XP version of WinHlp32.exe was compiled with the /GS flag, so the stack cookie turns the overflow into a crash rather than code execution; older versions of WinHlp32.exe, which may lack that protection, are probably exploitable as well.

Microsoft's advisory provides more details. It also notes that the help file can be served over WebDAV instead of SMB, which matters where outbound SMB (TCP 445) is blocked at the perimeter but HTTP is not.

A user would have to be tricked into visiting a malicious page and then, when a misleading popup appears, press the F1 key to invoke help; WinHlp32 then opens the attacker's help file and arbitrary commands can be executed with the user's privileges. The attack works on IE 6, 7 and 8.
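Added example, not from the original post or the ISC diary: detection logic that flags the process pattern described above, run over a few constructed process-creation events. It treats winhlp32.exe launched under a browser as suspicious on its own, separately flags help-file paths that are SMB UNC shares or WebDAV UNC paths (the \\host@port\ form used by the Windows WebClient redirector), and flags an over-long command line like the one the second PoC uses. The pipe-delimited record format, the browser list, the sample events and the 1024-character threshold are assumptions.

```python
"""Flag winhlp32.exe launches that match the IE F1 help-file vector.

Added example: the record format, the sample events, the browser list and
the length threshold are assumptions, not a real log schema.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Parents that should not be spawning WinHelp; the F1 vector starts
# winhlp32.exe directly under the browser process that showed the popup.
BROWSER_PARENTS = {"iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe"}

# \\host@80\... or \\host@SSL@443\... is the WebClient (WebDAV) UNC form;
# \\host\share\... is plain SMB. WebDAV is tested first so a host carrying
# "@port" is not reported as SMB.
WEBDAV_RE = re.compile(r"\\\\[^\\\s@]+@(?:SSL@)?\d+\\", re.IGNORECASE)
SMB_RE = re.compile(r"\\\\[^\\\s@]+\\")

# Assumption: no user-driven WinHelp launch needs a command line this long;
# the second PoC crashes winhlp32.exe with an oversized argument.
MAX_CMDLINE_LEN = 1024


@dataclass
class ProcEvent:
    image: str
    parent_image: str
    command_line: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcEvent:
    """Parse a constructed 'Key=Value|Key=Value' process-creation record."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ProcEvent(fields["Image"], fields["ParentImage"], fields["CommandLine"])


def classify(ev: ProcEvent) -> List[str]:
    """Return the rules the event trips; an empty list means not flagged."""
    reasons: List[str] = []
    if basename(ev.image) != "winhlp32.exe":
        return reasons
    parent = basename(ev.parent_image)
    if parent in BROWSER_PARENTS:
        reasons.append(f"winhlp32.exe launched by browser process {parent}")
    if WEBDAV_RE.search(ev.command_line):
        reasons.append("help file path is a WebDAV UNC (\\\\host@port\\...)")
    elif SMB_RE.search(ev.command_line):
        reasons.append("help file path is an SMB UNC share")
    if len(ev.command_line) > MAX_CMDLINE_LEN:
        reasons.append(
            f"command line is {len(ev.command_line)} chars, over {MAX_CMDLINE_LEN}"
        )
    return reasons


def scan(lines: List[str]) -> Dict[int, List[str]]:
    """Map each flagged record's index to the reasons it was flagged."""
    alerts: Dict[int, List[str]] = {}
    for idx, line in enumerate(lines):
        reasons = classify(parse_event(line))
        if reasons:
            alerts[idx] = reasons
    return alerts


# Constructed sample events: a benign local help launch, the SMB and WebDAV
# delivery variants under iexplore.exe, the crash PoC's oversized argument,
# and an unrelated child process.
SAMPLE_EVENTS = [
    r"Image=C:\WINDOWS\winhlp32.exe|ParentImage=C:\WINDOWS\explorer.exe"
    r"|CommandLine=winhlp32.exe C:\WINDOWS\Help\notepad.hlp",
    r"Image=C:\WINDOWS\winhlp32.exe|ParentImage=C:\Program Files\Internet Explorer\iexplore.exe"
    r"|CommandLine=winhlp32.exe \\203.0.113.5\PUBLIC\test.hlp",
    r"Image=C:\WINDOWS\winhlp32.exe|ParentImage=C:\Program Files\Internet Explorer\iexplore.exe"
    r"|CommandLine=winhlp32.exe \\203.0.113.5@80\DavWWWRoot\test.hlp",
    r"Image=C:\WINDOWS\winhlp32.exe|ParentImage=C:\Program Files\Internet Explorer\iexplore.exe"
    r"|CommandLine=winhlp32.exe " + "A" * 4000,
    r"Image=C:\WINDOWS\notepad.exe|ParentImage=C:\Program Files\Internet Explorer\iexplore.exe"
    r"|CommandLine=notepad.exe",
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: " + "; ".join(reasons))
```

The browser-parent rule is deliberately independent of the path rules: a legitimate .hlp on a corporate file share opened from Explorer is only a low-confidence SMB hit, while winhlp32.exe under iexplore.exe with any remote path is the full pattern and should be treated as a high-confidence alert.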

One workaround is to disable Active Scripting in Internet Explorer, which stops the VBScript that produces the popup. A second workaround is to change the permissions on winhlp32.exe so that ordinary users cannot execute it; note that this also breaks legitimate .hlp help on the machine.
No attacks in the wild are currently known, and Microsoft has posted an advisory.
