Recently, there have been many blog posts and articles about the discovery of a bug relating to the F1 key. So, what is the nature of this issue?
From our research, there are two such holes, not just one. Both relate to Windows’ help file processing mechanism but differ in their essence.
One hole arises from the parameter-passing mechanism of the MsgBox() function in VBScript. A help file (.hlp) passed as this function’s fourth parameter will be opened with Windows Help (winhlp32.exe) if the user presses the F1 key while the message box is displayed. The other hole involves the execution of Windows Html Help (.chm)
VBScript vulnerability in Windows Help (winhlp32.exe)
On Windows versions prior to Vista, winhlp32.exe is the program that displays .hlp help files (winhlp32.exe is not a built-in program on Windows Vista and later versions).
A .hlp file is compiled from a Help Project File (.hpj), text files (.rtf, Rich Text Format) and sometimes other data files. Of these, the .hpj file links the data and defines the structure of the help file to be generated.
The EF (ExecFile) macro in the [CONFIG] section of the project file (.hpj) makes Windows Help, when running the corresponding help file, open other files according to the macro’s parameter. In theory, this lets help files track and run supplementary files. However, because the program does not check the format of the file passed to the EF macro before inserting it into the call to the ShellExecute() API, winhlp32.exe may run any executable file via ShellExecute() instead of opening just another .hlp file. This means that running a .hlp file can cause Windows Help to execute arbitrary commands.
Example of a .hpj file that invokes the executable calc.exe
This feature, together with the behaviour of the MsgBox() function in VBScript, allows attackers to attack a computer remotely. Specifically, hackers insert into a website VBScript code containing a call to MsgBox(), whose first parameter is a message enticing users to press F1 and whose fourth parameter points to the help file prepared for the exploit. If a user then opens that website with Internet Explorer (IE) and presses F1 after seeing the message box, Windows Help is used to open the help file (.hlp) passed through MsgBox, and the malicious code is executed.
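As an added defensive example (not code from the original article), the Python scanner below flags the two indicators described above: a program-launching macro such as ExecFile/EF in the [CONFIG] section of a .hpj project file whose target is not a .hlp file, and a VBScript MsgBox call on a web page that supplies a help file in its fourth argument. The sample .hpj text and HTML page are constructed for the example; ExecProgram/EP is included as WinHelp's other program-launching macro, and the handling of [CONFIG:window] sections is an assumption about the .hpj format.

```python
import re
from typing import List, Tuple

# WinHelp macros that launch an external file or program (ExecFile/EF is the
# one discussed in the article; ExecProgram/EP is its sibling launch macro).
LAUNCH_MACROS = {"execfile", "ef", "execprogram", "ep"}

# Constructed sample .hpj project file: a [CONFIG] section with one launch macro.
SAMPLE_HPJ = """[OPTIONS]
TITLE=Sample Help

[CONFIG]
BrowseButtons()
ExecFile("calc.exe")

[FILES]
sample.rtf
"""

# Constructed sample web page: one harmless MsgBox and one that passes a help
# file (fourth argument) so that F1 hands it to winhlp32.exe. Path is a placeholder.
SAMPLE_HTML = """<html><body>
<script type="text/vbscript">
MsgBox "Welcome", 64, "Notice"
MsgBox "Press F1 to fix the display problem", 48, "Help", "C:\\Temp\\prepared.hlp", 1
</script>
</body></html>
"""

# Matches a macro call with a quoted first argument, e.g. ExecFile("calc.exe").
MACRO_RE = re.compile(r'^\s*([A-Za-z]+)\s*\(\s*"([^"]*)"')
MSGBOX_RE = re.compile(r"\bMsgBox\b\s*\(?", re.IGNORECASE)


def config_lines(hpj_text: str) -> List[str]:
    """Return the non-comment lines of every [CONFIG] (or [CONFIG:window]) section."""
    lines, section = [], None
    for raw in hpj_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section is not None and (section == "config" or section.startswith("config:")):
            if line and not line.startswith(";"):
                lines.append(line)
    return lines


def find_launch_macros(hpj_text: str) -> List[Tuple[str, str, bool]]:
    """Return (macro, target, suspicious) for each launch macro in [CONFIG].

    suspicious is True when the target is not itself a .hlp file, which is
    exactly the case winhlp32.exe fails to reject before calling ShellExecute().
    """
    hits = []
    for line in config_lines(hpj_text):
        m = MACRO_RE.match(line)
        if m and m.group(1).lower() in LAUNCH_MACROS:
            target = m.group(2)
            hits.append((m.group(1), target, not target.lower().endswith(".hlp")))
    return hits


def split_args(text: str) -> List[str]:
    """Split a VBScript argument list on top-level commas (quotes/parens aware).

    Stops at the closing parenthesis of a function-style call or at end of line
    for a statement-style call such as: MsgBox "msg", 0, "title", "file.hlp", 1
    """
    args, cur, depth, in_str = [], [], 0, False
    for ch in text:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            if ch == "(":
                depth += 1
            elif ch == ")":
                if depth == 0:
                    break
                depth -= 1
            elif ch == ",":
                args.append("".join(cur).strip())
                cur = []
                continue
            elif ch in "\r\n":
                break
        cur.append(ch)
    args.append("".join(cur).strip())
    return args


def find_msgbox_helpfiles(page: str) -> List[str]:
    """Return the help-file (fourth) argument of every MsgBox call that has one."""
    hits = []
    for m in MSGBOX_RE.finditer(page):
        args = split_args(page[m.end():])
        if len(args) >= 4 and args[3]:
            hits.append(args[3].strip('"'))
    return hits


if __name__ == "__main__":
    for name, target, suspicious in find_launch_macros(SAMPLE_HPJ):
        print(f"[CONFIG] {name}({target!r}) suspicious={suspicious}")
    for helpfile in find_msgbox_helpfiles(SAMPLE_HTML):
        print(f"MsgBox passes help file: {helpfile}")
```

Running the block reports the ExecFile("calc.exe") macro as suspicious and the second MsgBox call's help file path; the first MsgBox, with only three arguments, is not reported. The argument splitter is deliberately simple (one call per line, no VBScript line continuations), which is adequate for triaging captured pages but not a full VBScript parser.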
Vulnerability in .chm processing module
While .hlp help files are handled by winhlp32.exe, Microsoft Windows Html Help files (.chm) are processed by hh.exe.
The content of the file script.vbs, which runs calc.exe
So a .chm file also poses a potential threat to users’ computers. To exploit this hole remotely, hackers take advantage of a program that supports .chm help, for example notepad.exe, and trick users into pressing F1 while opening a .txt file located in the same folder as the prepared .chm file. When this help file runs, the hidden malicious code is executed.
Microsoft has not yet released patches for these two holes. Hence, to keep computers secure, users should avoid pressing F1 when prompted to do so by a website or a document, and should apply the patches as soon as they are issued.
Author: Le Manh Tung