Press F1 for Help, pwned.

Vista_Help_thumb_7AEAB696

Microsoft published security advisory 981169 yesterday in response to the zero day vulnerability reported a few days prior. The vulnerability is in the help system and can be triggered by luring an Internet Explorer user into pressing the F1 key. Windows 2000, Windows XP SP2 & SP3, and Windows 2003 SP2 with Internet Explorer 7 and Internet Explorer 8 are all affected.

Credit to Maurycy Prodeus for publishing the initial details of the vulnerability.

Details

Using the MsgBox VBScript function in an html file, an attacker can create a dialog box prompting the user to hit F1, something that is likely not difficult to do with a message such as “Internet Explorer encountered an error, press F1 to continue”. The MsgBox function is important as its fourth argument specifies a helpfile parameter, basically which hlp or chm file to launch when the user asks for help via F1.

I created a simple help file with the word “Test” using the Microsoft Help Workshop version 4.03. In addition to this, I added the macro to launch a command prompt (cmd.exe). When I double click this file in Windows XP SP3, I get my test helpfile and the command prompt launches as well:

Cmd.exe launched with my Help file.

Cmd.exe launched with my Help file.

So we now have a .hlp file which executes code. As mentioned before, the MsgBox function has a parameter to specify a help file to launch when the user hits F1. Here is where I come back to a recurring issue of SMB traffic and allowing it outbound on firewalls. In order for the MsgBox parameter to launch the .hlp file, the attacker must point to a local file (which the user would have had to already download) or host a file on an internet accessible SMB share. If you look at the proof of concept code circulating, currently you will see the MsgBox help parameter is “\x.x.x.x\attackfile.hlp”, a pointer to a help file on an SMB share. Corporate enterprises should certainly block SMB outbound, and with this vulnerability and the several previous attacks via SMB client, users should be blocking this outbound traffic as well.

Vista, Windows 7, & Server 2008

The vulnerability does not work on Vista, Windows 7 and Windows 2008 due to Microsoft no longer including winhlp32.exe with these versions. However, there is an update which can install winhlp32 for these versions (Windows 7 Version I installed from here). I found that these updates did not launch the cmd.exe as the Windows XP version did (I also tried Prodeus’s PoC help file and it displayed but did not run calc.exe). It is possible that Microsoft removed this code execution function from these versions.

Workarounds

The warnings are avoid hitting F1 when prompted by websites. Additionally, permissions to winhlp32.exe can be modified so that it doesn’t execute. In an Active Directory environment, a Group Policy software restriction setting can prohibit winhlp32.exe from launching. As mentioned, I recommend blocking outbound SMB traffic, as there is rarely a justification for mounting a network share on the public internet. This helps with many known vulnerabilities disclosed in the past as well.

Filed Under: Remote Exploit

Tags: , , , , , , , ,

Comments (3)

Trackback URL | Comments RSS Feed

  1. [...] original here: Press F1 for Help, pwned. Posted in Security News Tags: day-vulnerability, ecnd, help system, published-security, remote [...]

  2. [...] Press F1 for Help, pwned. [...]

  3. The vulnerability is in the help system and can be triggered by luring an Internet Explorer user into pressing the F1 key. Windows 2000, Windows XP SP2 & SP3, and Windows 2003 SP2 with Internet Explorer 7 and Internet Explorer 8 are all affected.

    Whiteblack