Possible 0day vulnerability in IE8/7/6 on Windows XP SP3

It is possible to invoke winhlp32.exe from Internet Explorer 8, 7 and 6 using VBScript. Passing a malicious .HLP file to winhlp32 could allow a remote attacker to run arbitrary commands. Additionally, there is a stack overflow vulnerability in winhlp32.exe. To trigger the vulnerability some user interaction is needed: the victim has to press F1 when the MsgBox popup is displayed.

AFFECTED software: Windows XP SP3
NOT affected: Vista, Windows 7

This is a simple demo (Proof of Concept): http://isec.pl/poc-isec27/

Let's see if MS fixes this before next Patch Tuesday.

Hi Dwarden,

This has been around for quite some time; a similar issue 5 years ago: http://www.derkeiler.com/Mailing-Lists/Securiteam/2002-08/0037.html
It comes down to this: continuing use of an insecure format.
Issues are only dealt with by MS when they can no longer be ignored/obscured,
because nobody should open an untrusted .HLP file.

An HLP file is the closest thing to an executable without actually being one,
mainly due to its powerful scripting language.

One of the macros documented and supported by this format is
"RegisterRoutine". Using this macro we can reference any export of any DLL.

Example:

[CONFIG]
RegisterRoutine("Kernel32.dll", "Beep", "UU")

So the function can be used as a macro within the WinHelp project:

{\uldb Do Beep}{\v !Beep(750, 5000)}

The user won't see any warning prior to the execution of this macro.

I wonder why Microsoft and a lot of vendors are still using this
old and dangerous format for providing documentation.

Well, also consider this news; hear the pangs:
http://www.theregister.co.uk/2010/02/26/microsoft_vista_xp_2000/

Makes you wonder about the why’s, doesn’t it?
That is why they have fixed it only for W7 and beyond:
http://windows7news.com/2009/10/15/microsoft-releases-winhlp32-exe-for-windows-7/
also interesting read:
http://www.icranium.com/blog/?p=1036

polonus
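As an added, defender-side example that is not part of this thread: a small Python audit script that parses the RegisterRoutine entries from a WinHelp project (.HPJ) [CONFIG] section and the hidden-text macro hotspots ({\v !Macro(...)}) in the RTF topic source, then flags every macro call that resolves to a registered DLL export or to a built-in program-launching macro. The sample project text is constructed around the Beep example above; the list of built-in exec macros (ExecFile, ExecProgram, ShellExecute and their short forms) is taken from the WinHelp macro reference as I remember it and is an assumption.

```python
import re

# RegisterRoutine("dll", "export", "format") as it appears in an .HPJ [CONFIG] section
RR_RE = re.compile(r'RegisterRoutine\s*\(\s*"([^"]+)"\s*,\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)', re.I)
# Hotspot hidden text {\v !Macro(args)}: the leading '!' marks a macro run on click
MACRO_RE = re.compile(r'\{\\v\s*!\s*([A-Za-z_]\w*)\s*\(([^)]*)\)\s*\}')
# Built-in WinHelp macros that launch programs (assumed list, from the macro reference)
EXEC_MACROS = {"execfile", "ef", "execprogram", "ep", "shellexecute", "registerroutine", "rr"}

# Constructed sample input: the thread's Beep registration plus one more export
SAMPLE_HPJ = """[OPTIONS]
TITLE=Demo
[CONFIG]
RegisterRoutine("Kernel32.dll", "Beep", "UU")
RegisterRoutine("user32.dll", "MessageBoxA", "USSU")
"""
SAMPLE_RTF = (r"{\uldb Do Beep}{\v !Beep(750, 5000)} "
              r"{\uldb Hello}{\v !MessageBoxA(0, `hi', `demo', 0)} "
              r"{\uldb Contents}{\v !JumpId(`demo.hlp', `main')}")

def parse_registered_routines(hpj_text):
    """Return (dll, export, format_spec) tuples from every [CONFIG*] section."""
    routines, in_config = [], False
    for line in hpj_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_config = s.upper().startswith("[CONFIG")  # [CONFIG] or [CONFIG-window]
            continue
        m = RR_RE.search(s) if in_config else None
        if m:
            routines.append(m.groups())
    return routines

def find_macro_calls(rtf_text):
    """Return (macro_name, raw_args) for each hidden-text macro hotspot."""
    return [(name, args.strip()) for name, args in MACRO_RE.findall(rtf_text)]

def audit(hpj_text, rtf_text):
    """Flag macro calls that reach a registered DLL export or an exec-class builtin."""
    routines = parse_registered_routines(hpj_text)
    exports = {export.lower(): dll for dll, export, _ in routines}
    findings = []
    for name, args in find_macro_calls(rtf_text):
        key = name.lower()
        if key in exports:
            findings.append(f"DLL export call: {exports[key]}!{name}({args})")
        elif key in EXEC_MACROS:
            findings.append(f"built-in exec macro: {name}({args})")
    return routines, findings
```

Plain navigation macros such as JumpId are left alone; only calls that end up in arbitrary DLL code or in a program launch are reported, which is exactly the class that WinHelp runs without any warning to the user.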