Executive Summary
Summary | |
---|---|
Title | Microsoft Windows Help and Support Center URI processing vulnerability |
Informations | |||
---|---|---|---|
Name | VU#578319 | First vendor Publication | 2010-06-10 |
Vendor | VU-CERT | Last vendor Modification | 2010-07-13 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 9.3 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Vulnerability Note VU#578319Microsoft Windows Help and Support Center URI processing vulnerabilityOverviewThe Microsoft Windows Help and Support Center application fails to properly sanitize hcp:// URIs, which can allow a remote, unauthenticated attacker to execute arbitrary commands.I. DescriptionMicrosoft Windows Help and Support Center is the default handler for the hcp protocol on Windows XP and 2003 systems. When an hcp:// URI is encountered, Windows will launch the Help and Support Center application, which is provided by helpctr.exe. When helpctr.exe is invoked from an hcp:// URI, it operates in a more restricted mode by using the -FromHCP command-line parameter. This is supposed to restrict the Help and Support Center to a whitelisted set of help documents and parameters.The UrlUnescape function that is used by helpctr.exe contains an error that allows an attacker to bypass the whitelist restrictions provided by the -FromHCP option. By leveraging an XSS vulnerability in an existing Help and Support Center document, an attacker can inject arbitrary script commands into a Help and Support Center session. Because the Help and Support Center documents are located in a trusted zone, this can allow arbitrary Windows commands to be executed. This issue is addressed in Microsoft Security Bulletin MS10-042.
Referenceshttp://www.us-cert.gov/reading_room/securing_browser/ This vulnerability was discovered and publicly reported by Tavis Ormandy. This document was written by Will Dormann.
|
Original Source
Url : http://www.kb.cert.org/vuls/id/578319 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25) |
50 % | CWE-78 | Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') (CWE/SANS Top 25) |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:11733 | |||
Oval ID: | oval:org.mitre.oval:def:11733 | ||
Title: | Help Center URL Validation Vulnerability | ||
Description: | The MPC::HexToNum function in helpctr.exe in Microsoft Windows Help and Support Center in Windows XP and Windows Server 2003 does not properly handle malformed escape sequences, which allows remote attackers to bypass the trusted documents whitelist (fromHCP option) and execute arbitrary commands via a crafted hcp:// URL, aka "Help Center URL Validation Vulnerability." | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2010-1885 | Version: | 3 |
Platform(s): | Microsoft Windows XP Microsoft Windows Server 2003 | Product(s): | |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Os | 2 | |
Os | 1 | |
Os | 3 |
SAINT Exploits
Description | Link |
---|---|
Windows Help and Support Center -FromHCP URL whitelist bypass | More info here |
OpenVAS Exploits
Date | Description |
---|---|
2010-07-14 | Name : Microsoft Help and Support Center Remote Code Execution Vulnerability (2229593) File : nvt/secpod_ms10-042.nasl |
2010-06-11 | Name : MS Windows Help and Support Center Remote Code Execution Vulnerability File : nvt/gb_ms_windows_help_n_support_center_code_exec_vuln.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
65529 | Microsoft Windows Help and Support Center sysinfo/sysinfomain.htm svr Paramet... Microsoft Windows Help and Support Center contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'svr' parameter upon submission to the sysinfo/sysinfomain.htm page. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
65264 | Microsoft Windows hcp:// Protocol Handler MPC::HexToNum() Function String Mis... Microsoft Windows contains a flaw related to the 'MPC::HexToNum()' function in 'helpctr.exe' failing to properly handle escape sequences. This may allow a remote attacker to bypass the trusted documents whitelist and execute arbitrary commands via a crafted hcp:// URL directed to the sysinfomain.htm help document. |
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2010-07-15 | IAVM : 2010-A-0095 - Microsoft Help and Support Center Remote Code Execution Vulnerability Severity : Category II - VMSKEY : V0024848 |
Snort® IPS/IDS
Date | Description |
---|---|
2014-01-10 | Multiple exploit kit Payload detection - readme.dll RuleID : 27898 - Revision : 2 - Type : EXPLOIT-KIT |
2014-01-10 | Multiple exploit kit Payload detection - calc.dll RuleID : 27897 - Revision : 2 - Type : EXPLOIT-KIT |
2014-01-10 | Multiple exploit kit Payload detection - contacts.dll RuleID : 27896 - Revision : 2 - Type : EXPLOIT-KIT |
2014-01-10 | Multiple exploit kit Payload detection - info.dll RuleID : 27895 - Revision : 2 - Type : EXPLOIT-KIT |
2014-01-10 | Multiple exploit kit Payload detection - about.dll RuleID : 27894 - Revision : 2 - Type : EXPLOIT-KIT |
2014-01-10 | iFramer toolkit injected iframe detected - specific structure RuleID : 27271 - Revision : 3 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit landing page retrieval RuleID : 27072 - Revision : 4 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit landing page retrieval RuleID : 27071 - Revision : 4 - Type : EXPLOIT-KIT |
2014-01-10 | Multiple exploit kit Payload detection - info.dll RuleID : 26508 - Revision : 3 - Type : EXPLOIT-KIT |
2014-01-10 | Blackholev2 exploit kit jar file downloaded RuleID : 26434 - Revision : 4 - Type : EXPLOIT-KIT |
2014-01-10 | Nuclear exploit kit landing page RuleID : 26343 - Revision : 4 - Type : EXPLOIT-KIT |
2014-01-10 | Nuclear exploit kit landing page - specific structure RuleID : 26342 - Revision : 3 - Type : EXPLOIT-KIT |
2014-01-10 | Nuclear exploit kit landing page RuleID : 26341 - Revision : 3 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit landing page retrieval - ff.php RuleID : 26339 - Revision : 4 - Type : EXPLOIT-KIT |
2014-01-10 | IFRAMEr injection detection - leads to exploit kit RuleID : 26338 - Revision : 4 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit landing page - specific structure RuleID : 26337 - Revision : 3 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit landing page retrieval RuleID : 26227 - Revision : 5 - Type : EXPLOIT-KIT |
2014-01-10 | Multiple exploit kit 32-alpha jar request RuleID : 25798 - Revision : 10 - Type : EXPLOIT-KIT |
2014-01-10 | Blackholev2 exploit kit redirection successful RuleID : 25611 - Revision : 4 - Type : EXPLOIT-KIT |
2014-01-10 | Blackholev2 exploit kit landing page RuleID : 25569 - Revision : 4 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit landing page retrieval RuleID : 25568 - Revision : 6 - Type : EXPLOIT-KIT |
2014-01-10 | Multiple Exploit Kit Payload detection - setup.exe RuleID : 25526 - Revision : 2 - Type : EXPLOIT-KIT |
2014-01-10 | Blackholev2 exploit kit redirection successful RuleID : 25388 - Revision : 4 - Type : EXPLOIT-KIT |
2014-01-10 | Multiple exploit kit Payload detection - readme.exe RuleID : 25387 - Revision : 4 - Type : EXPLOIT-KIT |
2014-01-10 | Multiple exploit kit Payload detection - about.exe RuleID : 25386 - Revision : 4 - Type : EXPLOIT-KIT |
2014-01-10 | Multiple exploit kit Payload detection - calc.exe RuleID : 25385 - Revision : 4 - Type : EXPLOIT-KIT |
2014-01-10 | Multiple exploit kit Payload detection - contacts.exe RuleID : 25384 - Revision : 4 - Type : EXPLOIT-KIT |
2014-01-10 | Multiple exploit kit Payload detection - info.exe RuleID : 25383 - Revision : 4 - Type : EXPLOIT-KIT |
2014-01-10 | Multiple exploit kit malicious jar file dropped RuleID : 25382 - Revision : 5 - Type : EXPLOIT-KIT |
2014-01-10 | Blackholev2 exploit kit url structure detected RuleID : 25043 - Revision : 4 - Type : EXPLOIT-KIT |
2014-01-10 | Blackholev2 exploit kit redirection successful RuleID : 24638 - Revision : 6 - Type : EXPLOIT-KIT |
2014-01-10 | Blackholev2 exploit kit redirection page - specific structure RuleID : 24637 - Revision : 6 - Type : EXPLOIT-KIT |
2014-01-10 | Blackholev2 exploit kit redirection page - specific structure RuleID : 24636 - Revision : 7 - Type : EXPLOIT-KIT |
2014-01-10 | Blackholev2 exploit kit landing page download attempt RuleID : 24608 - Revision : 6 - Type : EXPLOIT-KIT |
2014-01-10 | Blackholev2 exploit kit landing page received - specific structure RuleID : 24593 - Revision : 7 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit landing page download attempt RuleID : 24548 - Revision : 5 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit landing page download attempt RuleID : 24547 - Revision : 5 - Type : EXPLOIT-KIT |
2014-01-10 | Blackholev2 exploit kit landing page download attempt RuleID : 24546 - Revision : 6 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole admin page outbound access attempt RuleID : 24544 - Revision : 4 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole admin page inbound access attempt RuleID : 24543 - Revision : 4 - Type : EXPLOIT-KIT |
2014-01-10 | Blackholev2 exploit kit fallback executable download RuleID : 24501 - Revision : 5 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole - Cookie Set RuleID : 24475 - Revision : 3 - Type : EXPLOIT-KIT |
2014-01-10 | Blackholev2 exploit kit landing page Received RuleID : 24228 - Revision : 7 - Type : EXPLOIT-KIT |
2014-01-10 | Blackholev2 - URI Structure RuleID : 24227 - Revision : 9 - Type : EXPLOIT-KIT |
2014-01-10 | Blackholev2 exploit kit landing page received RuleID : 24226 - Revision : 6 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole possible email Landing to 8 chr folder RuleID : 24171 - Revision : 8 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit landing page with specific structure RuleID : 24054 - Revision : 10 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit landing page with specific structure RuleID : 24053 - Revision : 7 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit landing page with specific structure - fewbgazr catch RuleID : 23962 - Revision : 7 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit landing page with specific structure - hwehes RuleID : 23850 - Revision : 7 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole redirection attempt RuleID : 23849 - Revision : 8 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole redirection attempt RuleID : 23848 - Revision : 5 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole redirection page RuleID : 23797 - Revision : 6 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit landing page with specific structure - Math.round catch RuleID : 23786 - Revision : 9 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit landing page with specific structure - Math.floor catch RuleID : 23785 - Revision : 9 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit landing page RuleID : 23781 - Revision : 7 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit landing page request - tkr RuleID : 23622 - Revision : 7 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit landing page with specific structure - prototype catch ... RuleID : 23619 - Revision : 7 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit landing page download attempt RuleID : 23159 - Revision : 9 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit landing page with specific structure - prototype catch RuleID : 23158 - Revision : 7 - Type : EXPLOIT-KIT |
2014-01-10 | Nuclear Pack exploit kit binary download RuleID : 23157 - Revision : 10 - Type : EXPLOIT-KIT |
2014-01-10 | Nuclear Pack exploit kit landing page RuleID : 23156 - Revision : 11 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole redirection attempt RuleID : 22949 - Revision : 5 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole Exploit Kit javascript service method RuleID : 22088 - Revision : 12 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole landing redirection page RuleID : 22041 - Revision : 6 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole suspected landing page RuleID : 22040 - Revision : 5 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole suspected landing page RuleID : 22039 - Revision : 5 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit landing page with specific structure - Loading RuleID : 21876 - Revision : 8 - Type : EXPLOIT-KIT |
2014-01-10 | Possible exploit kit post compromise activity - taskkill RuleID : 21875 - Revision : 5 - Type : EXPLOIT-KIT |
2014-01-10 | Possible exploit kit post compromise activity - StrReverse RuleID : 21874 - Revision : 5 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit landing page with specific structure - catch RuleID : 21661 - Revision : 8 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit landing page Requested - /Index/index.php RuleID : 21660 - Revision : 8 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit landing page Requested - /Home/index.php RuleID : 21659 - Revision : 7 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit landing page RuleID : 21658 - Revision : 7 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit landing page - specific structure RuleID : 21657 - Revision : 7 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit landing page with specific structure - prototype catch RuleID : 21646-community - Revision : 16 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit landing page with specific structure - prototype catch RuleID : 21646 - Revision : 16 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit landing page with specific structure - BBB RuleID : 21581 - Revision : 9 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit landing page with specific header RuleID : 21549 - Revision : 8 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit landing page with specific header RuleID : 21539 - Revision : 8 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit landing page with specific structure - prototype catch RuleID : 21492-community - Revision : 22 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit landing page with specific structure - prototype catch RuleID : 21492 - Revision : 22 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit JavaScript carat string splitting with hostile applet RuleID : 21438-community - Revision : 7 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit JavaScript carat string splitting with hostile applet RuleID : 21438 - Revision : 7 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit URL - search.php?page= RuleID : 21348 - Revision : 8 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit URL - .php?page= RuleID : 21347 - Revision : 12 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit malicious jar download RuleID : 21346 - Revision : 7 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit malicious jar request RuleID : 21345 - Revision : 9 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit pdf download RuleID : 21344 - Revision : 5 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit pdf request RuleID : 21343 - Revision : 7 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit response RuleID : 21259 - Revision : 5 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit control panel access RuleID : 21141 - Revision : 7 - Type : EXPLOIT-KIT |
2014-01-10 | Eleanore exploit kit post-exploit page request RuleID : 21071 - Revision : 5 - Type : EXPLOIT-KIT |
2014-01-10 | Eleanore exploit kit pdf exploit page request RuleID : 21070 - Revision : 4 - Type : EXPLOIT-KIT |
2014-01-10 | Eleanore exploit kit exploit fetch request RuleID : 21069 - Revision : 4 - Type : EXPLOIT-KIT |
2014-01-10 | Eleanore exploit kit landing page RuleID : 21068 - Revision : 4 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit landing page RuleID : 21045 - Revision : 6 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit landing page RuleID : 21044 - Revision : 6 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit post-compromise download attempt - .php?e= RuleID : 21043 - Revision : 10 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit post-compromise download attempt - .php?f= RuleID : 21042 - Revision : 11 - Type : EXPLOIT-KIT |
2014-01-10 | Blackhole exploit kit URL - main.php?page= RuleID : 21041 - Revision : 12 - Type : EXPLOIT-KIT |
2014-01-10 | Microsoft Windows Help Centre escape sequence XSS attempt RuleID : 16665 - Revision : 13 - Type : OS-WINDOWS |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2010-07-13 | Name : It is possible to execute arbitrary code on the remote Windows host through t... File : smb_nt_ms10-042.nasl - Type : ACT_GATHER_INFO |
2010-06-18 | Name : It may be possible to execute arbitrary code on the remote host using Windows... File : smb_kb_2219475.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2015-04-10 13:28:16 |
|
2014-02-17 12:07:59 |
|
2013-05-11 00:57:13 |
|