CVE-2002-0823
published 2002-08-12CVE-2002-0823: Buffer overflow in Winhlp32.exe allows remote attackers to execute arbitrary code via an HTML document that calls the HTML Help ActiveX control (HHCtrl.ocx)…
PriorityP342high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
44.40%
98.6th percentile
Buffer overflow in Winhlp32.exe allows remote attackers to execute arbitrary code via an HTML document that calls the HTML Help ActiveX control (HHCtrl.ocx) with a long pathname in the Item parameter.
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor for HTML documents or email invoking the HTML Help ActiveX control (HHCtrl.ocx) with an abnormally long string in the Item parameter of a WinHlp command, which is the trigger for the buffer overflow. ↗
- →Detect use of the winhelp.HHClick() method in HTML content, as this is the ActiveX invocation vector used to trigger the vulnerability. ↗
- →Alert on unexpected outbound/back-channel network connections originating from Winhlp32.exe, especially on systems running Tiny Personal Firewall 3.0 where the process is trusted by default and such connections would not be blocked. ↗
- →Inspect HTML email and web pages for embedded ActiveX object tags referencing HHCtrl.ocx with a long pathname argument, as this is the delivery mechanism for both browser and email-based exploitation. ↗
- ·Tiny Personal Firewall 3.0 (but NOT 2.0) treats Winhlp32.exe / HTML Help as a trusted application by default, meaning post-exploitation back-channel connections will bypass its outbound firewall rules silently. ↗
- ·The HTML Help ActiveX control can also be leveraged for denial-of-service attacks and additional stack- and heap-based overflows beyond the primary Item parameter overflow, broadening the attack surface. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No writeups or analysis indexed.
http://marc.info/?l=bugtraq&m=102822806329440&w=2http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3Bq293338http://www.iss.net/security_center/static/9746.phphttp://www.osvdb.org/2991http://www.securityfocus.com/bid/4857http://marc.info/?l=bugtraq&m=102822806329440&w=2http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3Bq293338http://www.iss.net/security_center/static/9746.phphttp://www.osvdb.org/2991http://www.securityfocus.com/bid/4857
2002-08-12
Published