Remote code execution with parameters without user interaction, even with XP SP2

ShredderSub7 SecExpert wrote:

“Which systems are vulnerable?
Any system running any Microsoft Windows XP edition with Internet Explorer 6 or higher, even with SP2 applied.
Any system running any Microsoft Windows Server 2003 edition with Internet Explorer 6 or higher.

How does this exploit work?
The problem with Internet Explorer is that it doesn’t set any restrictions on web pages that request opening a Windows Help file, compiled with HTML Help.

Without a restriction, we can (in Internet Explorer) easily command it to open any local web page stored on a victim’s computer, including web pages that are found in Windows Help files (with extension .CHM).

Proof of concept was provided.

More info at http://securityfocus.com/archive/1/385573/2004-12-26/2005-01-01/0
