IE 0-day using .hlp files

Published: 2010-03-01
Last Updated: 2010-03-02 15:15:39 UTC
by Mark Hofman (Version: 2)
3 comment(s)

A proof of concept has been posted that shows how a web page can use VBScript in Internet Explorer to hand an attacker-controlled .HLP file to winhlp32.exe, the legacy Windows Help viewer. The malicious page displays a dialog box and tricks the user into pressing the F1 key, which invokes the help function on that file; because a .HLP file can carry executable content, arbitrary commands are then run with the privileges of the logged-on user. Affected platforms are Windows 2000, Windows XP SP2 and SP3, and Windows Server 2003 SP2, and the attack works in IE 6, 7 and 8.

One workaround is to disable Active Scripting in Internet Explorer (at least for the Internet zone). A second workaround is to restrict the permissions on winhlp32.exe, as shown in the advisory; note that this also prevents legitimate .HLP files from opening until the change is reverted.

Microsoft has posted an advisory here: www.microsoft.com/technet/security/advisory/981169.mspx
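The following is an added example, not code from the diary or from Microsoft's advisory. It applies the two workarounds described above on an affected XP/2003 host, verifies that they took effect, and can undo them once the patch is installed. It assumes PowerShell 2.0 is present, that it runs from an administrative session, and that cacls.exe is available in %windir%\system32 (it is on XP and 2003); the function names are this example's own.

```powershell
# Added example (not from the ISC diary or Microsoft's advisory 981169).
# Assumes: PowerShell 2.0, an administrative session, and cacls.exe on the host.
# Function names below are hypothetical, chosen for this example.

$WinHlp = Join-Path $env:windir 'winhlp32.exe'
# Internet zone is zone 3; value 1400 is "Active scripting":
#   0 = enable, 1 = prompt, 3 = disable. This is per-user (HKCU).
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

function Restrict-WinHlp32 {
    # Same cacls call as the advisory's workaround: /E edits the existing ACL,
    # /P everyone:N replaces Everyone's rights with "no access" (a Deny ACE).
    # "echo y|" answers the "Are you sure" prompt non-interactively.
    & cmd /c "echo y| cacls `"$WinHlp`" /E /P everyone:N" | Out-Null
}

function Restore-WinHlp32 {
    # Undo: /R revokes the Everyone entry added above.
    & cmd /c "echo y| cacls `"$WinHlp`" /E /R everyone" | Out-Null
}

function Disable-InternetZoneScripting {
    Set-ItemProperty -Path $ZoneKey -Name 1400 -Value 3 -Type DWord
}

function Enable-InternetZoneScripting {
    Set-ItemProperty -Path $ZoneKey -Name 1400 -Value 0 -Type DWord
}

function Test-Workarounds {
    # Returns an object a deployment script can check instead of parsing output.
    $acl = Get-Acl -Path $WinHlp
    $denied = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -and
        $_.AccessControlType -eq 'Deny'
    }
    $scripting = (Get-ItemProperty -Path $ZoneKey -Name 1400 `
                  -ErrorAction SilentlyContinue).'1400'
    New-Object PSObject -Property @{
        WinHlp32Denied       = [bool]$denied
        ActiveScriptingValue = $scripting
        ActiveScriptingOff   = ($scripting -eq 3)
    }
}

# Apply both workarounds, then report their state.
Restrict-WinHlp32
Disable-InternetZoneScripting
Test-Workarounds | Format-List
```

Two caveats a practitioner should keep in mind: the registry change only covers the user whose HKCU hive it was written to, so for a fleet it belongs in a logon script or a machine-wide policy rather than a one-off run; and the ACL change blocks every .HLP file, malicious or not, so revert it with Restore-WinHlp32 after patching.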

Whilst we haven't seen any attacks based on this just yet, if you do please let us know. 

Mark 

(Thanks David & Pholder)



Comments

Maurycy Prodeus has published 2 POCs, one that executes arbitrary code, and one that just crashes WinHlp32.

The first POC published, remote code exec (literally), downloads a malicious help file, using:
\\<external-ip-address>\PUBLIC\test.hlp
(see http://www.h-online.com/security/news/item/Zero-day-exploit-for-Internet-Explorer-943603.html).

Best practice is to block not only ingress but also egress CIFS/SMB connections at your perimeter (ports 135-139 and 445, both TCP and UDP). This is a good idea anyway, because for example Word documents may reference templates using a UNC path.

Note that this may not prevent all attacks; an intranet file could be referenced. A malicious file could be planted on any device on your LAN which happens to be under the control of an attacker, but legitimate files on your LAN (or even the local PC) may also provide attack vectors.

Further note that *any* Windows version that has WinHlp32.exe installed is probably vulnerable to this type of attack.

The POC author, Maurycy Prodeus, mentions (in http://lists.grok.org.uk/pipermail/full-disclosure/2010-February/073320.html) that .hlp files can contain DLLs and therefore should be treated as executable files.

However, as an anonymous commenter points out (in http://www.security.nl/artikel/32578/1/Weer_nieuw_beveiligingslek_in_Internet_Explorer.html, in Dutch), .chm files are probably equally dangerous. I don't know if this attack also affects HTML Help.

Furthermore, the second POC supposedly crashes WinHlp32 by feeding it a too-long command-line parameter (no CIFS/SMB file I/O is necessary). According to Maurycy Prodeus, Microsoft has compiled the XP version of WinHlp32.exe using the /GS flag, which effectively guards the stack. It is likely that older versions of WinHlp32.exe are vulnerable.

Note: in my post above the UNC path to <external-ip-address> obviously should begin with 2 backslashes, but one of them was removed while posting my comment.

Microsoft provides more details here: http://blogs.technet.com/srd/archive/2010/03/01/help-keypress-vulnerability-in-vbscript-enabling-remote-code-execution.aspx
This page also mentions the use of WebDAV instead of SMB.

(source: http://secunia.com/advisories/38727)
