Posts Tagged ‘ie rce’

IE v.6,7,8 RCE && stack overflow in winhlp32 process (Windows XP SP3)

Thursday, February 25th, 2010

Introduction:
This vulnerability regards to invoke winhlp32.exe,the Microsoft Windows Help File viewer, from Internet Explorer 6,7,8 using VBScript. Passing malicious .HLP file to winhlp32 could allow remote attacker to run arbitrary command.
Additionally, there is a stack overflow vulnerability in winhlp32.exe.

Proof of Concept:
To trigger vulnerability some user interaction is needed. Victim has to press F1 when MsgBox popup is displayed.

1

MsgBox(prompt[,buttons][,title][,helpfile,context])

It is possible to pass remote samba share as helpfile parameter. In addition there is a stack based buffer overflow when helpfile parameter is too long. However, on XP winhlp32.exe is compiled with
/GS flag, which in this case effectively guard the stack.

Example of this exploiting.

Affected Systems:
Windows XP with Service Pack 3

Not Affected Systems:
Vista, Windows 7

Impact:
Value: MEDIUM
The vulnerability allows remote attacker to run arbitrary code on victim machine.

Related sources:
Isec Security Research

Tags: , , , , , , , , , , , ,
Posted in Articles, Exploits, Hacking, Infosecurity, PoC | Comments Off

Microsoft shocked : Local Kernel Privilege Escalation (0-day, 17y.old) + IE fixs.

Saturday, January 23rd, 2010

Microsoft shocked : Local Privilege Escalation in Windows Kernel.

Do you remember Google vs China? Remember bugs that have allowed Chinese hackers to enter into Gmail accounts and access to confidential information?

Microsoft has confirmed a privilege-escalation vulnerability in the Windows kernel, one day after a Google engineer posted details of the flaw to the Full Disclosure mailing list.

Systems Affected :
All supported versions of 32-bit Windows, while 64-bit versions, which includes Windows Servers 2008 R2, are not impacted.

Details :
Vulnerability is difficult to exploit, the risk for users is low, and the software giant is not aware of any public attacks exploiting the flaw.
To exploit this vulnerability, an attacker must already have a local access to the system, then elevate their privileges to the administrative level and run programs of their choice on the system.

Advisory + sploit : (external link)
KiTrap0D

Internet Explorer – Remote Code Execution Vulnerability
Microsoft is issuing on January 21 an out-of-band fix for the Internet Explorer security breach that affected Google and other companies in China.

Tags: , , , , , ,
Posted in Articles, Hacking, Infosecurity, News | 1 Comment »