Microsoft Windows XP HCP URI Handler Arbitrary Command Execution Vulnerability
BID:9621
Info
Microsoft Windows XP HCP URI Handler Arbitrary Command Execution Vulnerability
| Bugtraq ID: | 9621 |
| Class: | Input Validation Error |
| CVE: |
CVE-2004-0474 |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 09 2004 12:00AM |
| Updated: | Jul 12 2009 02:06AM |
| Credit: | Discovery of this vulnerability has been credited to Bartosz Kwitkowski <[email protected]>. |
| Vulnerable: |
Microsoft Windows XP Professional SP1 Microsoft Windows XP Professional Microsoft Windows XP Home SP1 Microsoft Windows XP Home |
| Not Vulnerable: | |
Discussion
Microsoft Windows XP HCP URI Handler Arbitrary Command Execution Vulnerability
The Microsoft Windows XP HCP URI handler has been reported prone to a vulnerability that may provide for arbitrary command execution. The issue is reported to present itself when a specially formatted HCP URI that references a local resource is processed. A remote attacker may exploit this issue to have arbitrary commands executed in the context of the user who followed the link.
This issue has been reported to be present in Polish versions of Windows XP SP1; other versions may also be vulnerable.
The Microsoft Windows XP HCP URI handler has been reported prone to a vulnerability that may provide for arbitrary command execution. The issue is reported to present itself when a specially formatted HCP URI that references a local resource is processed. A remote attacker may exploit this issue to have arbitrary commands executed in the context of the user who followed the link.
This issue has been reported to be present in Polish versions of Windows XP SP1; other versions may also be vulnerable.
Exploit / POC
Microsoft Windows XP HCP URI Handler Arbitrary Command Execution Vulnerability
The following examples have been supplied:
hcp://services/layout/contentonly?topic=...
where ... is a correct URL
http:// for page
file:/// for run (remember use / (slash) in path e.g. c:/windows/system32/...
The following additional example vectors have been supplied:
hcp://services/layout/fullwindow?topic=
hcp://services/centers/support?topic=
Additional proof-of-concepts were provided in the "IE ms-its: and mk:@MSITStore: vulnerability" BugTraq post by Roozbeh Afrasiabi.
The following examples have been supplied:
hcp://services/layout/contentonly?topic=...
where ... is a correct URL
http:// for page
file:/// for run (remember use / (slash) in path e.g. c:/windows/system32/...
The following additional example vectors have been supplied:
hcp://services/layout/fullwindow?topic=
hcp://services/centers/support?topic=
Additional proof-of-concepts were provided in the "IE ms-its: and mk:@MSITStore: vulnerability" BugTraq post by Roozbeh Afrasiabi.
Solution / Fix
Microsoft Windows XP HCP URI Handler Arbitrary Command Execution Vulnerability
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
References
Microsoft Windows XP HCP URI Handler Arbitrary Command Execution Vulnerability
References:
References:
- HelpCtr - allow open any page or run (Bartosz Kwitkowski
) - Re: IE ms-its: and mk:@MSITStore: vulnerability (roozbeh afrasiabi
)