Microsoft Windows URI Handler Command Execution Vulnerability
BID:25945
Info
| Bugtraq ID: | 25945 |
| Class: | Input Validation Error |
| CVE: | CVE-2007-3896 |
| Remote: | Yes |
| Local: | No |
| Published: | Oct 05 2007 12:00AM |
| Updated: | Nov 22 2007 01:44PM |
| Credit: | Billy Rios is credited with the discovery of this issue. |
| Vulnerable: | Nortel Networks Centrex IP Client Manager 8.0; Nortel Networks Centrex IP Client Manager 7.0; Nortel Networks Centrex IP Client Manager 2.5; Nortel Networks Centrex IP Client Manager 9.0; Nortel Networks Centrex IP Client Manager; Microsoft Internet Explorer 7.0; Avaya Messaging Application Server MM 3.1; Avaya Messaging Application Server MM 3.0; Avaya Messaging Application Server MM 2.0; Avaya Messaging Application Server MM 1.1; Avaya Messaging Application Server 0; Avaya CIE 1.0 |
| Not Vulnerable: | |
Discussion
Microsoft Windows XP and Server 2003 with Internet Explorer 7 are prone to a command-execution vulnerability because they fail to properly sanitize input.
Successfully exploiting this issue allows remote attackers to execute arbitrary commands in the context of users that follow malicious URIs.
Known attack vectors include following URIs in these applications:
- Mozilla Firefox in versions prior to 2.0.0.6
- Skype in versions prior to 3.5.0.239
- Adobe Acrobat Reader 8.1
- Miranda 0.7
- Netscape 7.1
- mIRC.
NOTE: Attackers can exploit the issue in BID 25543 (Mozilla Firefox 2.0.0.6 Unspecified Protocol Handling Command Injection Vulnerability) as an attack vector for this issue.
Exploit / POC
UPDATE (October 25, 2007): Microsoft states in an updated version of security advisory 943521 that the vendor is aware of attacks that try to exploit this issue.
The following proof-of-concept URIs demonstrate this vulnerability:
http:%xx../../../../../../../../../../../windows/system32/calc.exe".bat
mailto:test% ../../../../windows/system32/calc.exe".cmd
The following proof-of-concept PDF file is available:
Solution / Fix
Solution:
Microsoft released an advisory and updates to address this issue. Please see the references for more information.
NOTE: Certain applications that can be used as exploit vectors have been updated to securely handle URIs containing '%' characters. Please see the references for more information.
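As an added example (not code from Microsoft or from any vendor listed here), this is one way an application could screen a URI before passing it to the system URI handler, refusing malformed '%' sequences, encoded NUL bytes, quotes and raw whitespace. The function name `uri_safe_to_dispatch` and the scheme allowlist are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed allowlist: schemes this hypothetical application forwards (lowercase only). */
static const char *const ALLOWED[] = { "http", "https", "mailto" };

/* Value of a hex digit, or -1 if c is not one. */
static int hex_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = (char)tolower((unsigned char)c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Hypothetical pre-dispatch check: 1 = pass to the system handler, 0 = refuse. */
int uri_safe_to_dispatch(const char *uri)
{
    const char *colon = strchr(uri, ':');
    size_t n, i;
    int known = 0;

    if (colon == NULL || colon == uri) return 0;      /* no scheme at all */
    n = (size_t)(colon - uri);
    for (i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++)
        if (strlen(ALLOWED[i]) == n && strncmp(uri, ALLOWED[i], n) == 0)
            known = 1;
    if (!known) return 0;                             /* scheme not on the allowlist */

    for (const char *p = colon + 1; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (c <= 0x20 || c == 0x7f || c == '"') return 0; /* space, control char, quote */
        if (c == '%') {
            int hi = hex_val(p[1]);
            int lo = (hi < 0) ? -1 : hex_val(p[2]);   /* never read past the terminator */
            if (lo < 0) return 0;                     /* '%' not followed by two hex digits */
            if (hi == 0 && lo == 0) return 0;         /* %00: encoded NUL byte */
            p += 2;
        }
    }
    return 1;
}

int main(void)
{
    printf("%d\n", uri_safe_to_dispatch("http://example.com/a%20b")); /* constructed sample */
    printf("%d\n", uri_safe_to_dispatch("mailto:test% x"));          /* constructed sample */
    return 0;
}
```

A check like this covers only the application's side; the Windows update referenced above is still required.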
References
References:
- Bug 389580 - some schemes with %00 launch unexpected handlers on windows (Mozilla)
- Internet Explorer Homepage (Microsoft)
- Microsoft Windows Homepage (Microsoft)
- ShellExecuteFiasco - third-party patch for CVE-2007-3896 (KJK::Hyperion)
- Skype also affected by supposed "Firefox vulnerability" (Heise Security)
- URI problem also affects Acrobat Reader and Netscape (Heise Security)
- Re[2]: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype (Thierry Zoller)
- URI handling woes in Acrobat Reader, Netscape, Miranda, Skype (Juergen Schmidt)
- 2007008457, Rev 1 Nortel Response to Microsoft Security Bulletin MS07-061 (Nortel Networks)
- ASA-2007-471 - MS07-061 Vulnerability in Windows URI Handling Could Allow Remote (Avaya)
- Microsoft Security Advisory (943521) URL Handling Vulnerability in Windows XP an (Microsoft)
- Microsoft Security Bulletin MS07-061 (Microsoft)
- Microsoft Security Bulletin MS07-061 Version 1.1 (Microsoft)
- Technical Cyber Security Alert TA07-317A: Microsoft Updates for Multiple Vulnera (US-CERT)
- Vulnerability Note VU#403150 (US-CERT)