Microsoft Windows URI protocol handling command execution
| multiple-uri-command-execution (35582) |
Description:
A vulnerability in the Microsoft Windows protocol handler on Windows XP and Windows 2000 systems with Internet Explorer 7 installed could allow a remote attacker to execute arbitrary commands on the system. This vulnerability is caused by improper handling of certain Uniform Resource Identifiers (URIs), including the mailto, nntp, news, snews, and telnet protocol handlers. By persuading a victim to visit a specially-crafted Web page that calls one of the vulnerable protocol handlers, a remote attacker could exploit this vulnerability to inject and execute arbitrary shell commands on the system.
Note: This vulnerability has multiple attack vectors and is exploitable through multiple third-party applications, including Mozilla Firefox, Adobe Reader, Adobe Acrobat, Microsoft Outlook, Skype, and possibly other applications. See References for more information.
*CVSS:
| Base Score: | 8 |
| Access Vector: | Remote |
| Access Complexity: | High |
| Authentication: | Not Required |
| Confidentiality Impact: | Complete |
| Integrity Impact: | Complete |
| Availability Impact: | Complete |
| Temporal Score: | 6.6 |
| Exploitability: | Functional |
| Remediation Level: | Official-Fix |
| Report Confidence: | Confirmed |
Consequences:
Gain Access
Remedy:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS07-061. See References.
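Added example (not part of the X-Force record and not Microsoft's fix): a pre-dispatch check that an application passing URIs to the operating system's protocol handler could apply. It rejects the input classes named in this record's CVE-2007-3896 entry and reference titles: invalid % sequences, NULL bytes, double quotes and spaces. The function names, the verdict enum and the scheme allowlist are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

enum uri_verdict { URI_OK, URI_BAD_SCHEME, URI_BAD_ESCAPE, URI_BAD_CHAR };

/* Assumed policy for this example: the only schemes the application hands on. */
static const char *const ALLOWED[] = { "http", "https", "mailto" };

static int scheme_allowed(const char *s, size_t n)
{
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++) {
        size_t j = 0;
        while (j < n && ALLOWED[i][j] && tolower((unsigned char)s[j]) == ALLOWED[i][j])
            j++;
        if (j == n && ALLOWED[i][j] == '\0')
            return 1;
    }
    return 0;
}

/* Bytes that must not reach the handler, whether raw or percent-decoded. */
static int forbidden(int c) { return c < 0x20 || c >= 0x7f || c == '"'; }

/* len is explicit so an embedded NUL byte is inspected, not taken as the end. */
enum uri_verdict check_uri(const char *uri, size_t len)
{
    const char *colon = memchr(uri, ':', len);
    if (!colon || !scheme_allowed(uri, (size_t)(colon - uri)))
        return URI_BAD_SCHEME;
    for (size_t i = (size_t)(colon - uri) + 1; i < len; i++) {
        unsigned char c = (unsigned char)uri[i];
        if (c != '%') {
            if (forbidden(c) || c == ' ')
                return URI_BAD_CHAR;
            continue;
        }
        if (len - i < 3 || !isxdigit((unsigned char)uri[i + 1])
                        || !isxdigit((unsigned char)uri[i + 2]))
            return URI_BAD_ESCAPE;   /* '%' not followed by two hex digits */
        char hex[3] = { uri[i + 1], uri[i + 2], '\0' };
        if (forbidden((int)strtol(hex, NULL, 16)))
            return URI_BAD_CHAR;     /* e.g. an encoded NUL or double quote */
        i += 2;
    }
    return URI_OK;
}
```

A URI that fails the check is dropped or shown to the user as text; it is never repaired and forwarded.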
References:
- Billy (BK) Rios Blog, Tuesday, July 24th, 2007: Remote Command Execution in FireFox et al.
- BugTraq Mailing List, 2007-10-03 16:06:29: 0day: mIRC pwns Windows.
- Full-Disclosure Mailing List, Tue Jul 24 2007 - 19:02:10 CDT: More URI Handling Vulnerabilites (FireFox Remote Command Execution).
- Heise Security News, Report of 05.10.2007 14:45: URI problem also affects Acrobat Reader and Netscape.
- HPSBST02291 SSRT071498: Storage Management Appliance (SMA), Microsoft Patch Applicability MS07-061 and MS07-062.
- IBM Internet Security Systems Protection Alert, Oct. 15, 2007: Multiple vendor products URI handling command execution.
- IBM Internet Security Systems X-Force Database: Mozilla Firefox URI NULL byte filtering command execution.
- IBM Internet Security Systems X-Force Database: Adobe Acrobat and Reader mailto: PDF code execution.
- IBM Internet Security Systems X-Force Database: Multiple Mozilla products URI double-quote and space filtering command execution.
- IBM Internet Security Systems X-Force Database: Netscape Navigator URI NULL byte filtering command execution.
- IBM Internet Security Systems X-Force Database: Mozilla Firefox mailto: URI handling command execution.
- IBM Internet Security Systems X-Force Database: Mozilla URI handling command execution.
- IBM Internet Security Systems X-Force Database: Microsoft Outlook and Outlook Express URI handling command execution.
- IBM Internet Security Systems X-Force Database: Multiple Mozilla products URI percent filtering command execution.
- Microsoft Security Advisory (943521): URL Handling Vulnerability in Windows XP and Windows Server 2003 with Windows Internet Explorer 7 Could Allow Remote Code Execution.
- Microsoft Security Bulletin MS07-061: Vulnerability in Windows URI Handling Could Allow Remote Code Execution (943460).
- Nortel Web site: Nortel Response to Microsoft Security Bulletin MS07-061.
- SKYPE-SB/2007-001: Improper handling of URI arguments.
- ZDNet Blog October 10th, 2007: MS Outlook flaw adds new twist to URI handling saga.
- ASA-2007-471: MS07-061 Vulnerability in Windows URI Handling Could Allow Remote Code Execution (943460)
- BID-25945: Microsoft Windows URI Handler Command Execution Vulnerability
- CVE-2007-3896: The URL handling in Shell32.dll in the Windows shell in Microsoft Windows XP and Server 2003, with Internet Explorer 7 installed, allows remote attackers to execute arbitrary programs via invalid % sequences in a mailto: or other URI handler, as demonstrated using mIRC, Outlook, Firefox, Adobe Reader, Skype, and other applications. NOTE: this issue might be related to other issues involving URL handlers in Windows systems, such as CVE-2007-3845. There also might be separate but closely related issues in the applications that are invoked by the handlers.
- SA26201: Microsoft Windows URI Handling Command Execution Vulnerability
- SECTRACK ID: 1018822: Adobe Acrobat URI Handling Bug Lets Remote Users Execute Arbitrary Code
- SECTRACK ID: 1018831: Microsoft Windows ShellExecute() URI Handler Bug Lets Remote Users Execute Arbitrary Commands
- US-CERT VU#403150: Microsoft Windows URI protocol handling vulnerability
Platforms Affected:
- HP Storage Management Appliance 2.1
- Microsoft Internet Explorer 7.0
- Microsoft Windows 2003 Server SP1
- Microsoft Windows 2003 Server x64
- Microsoft Windows 2003 Server SP1 Itanium
- Microsoft Windows Server 2003 SP2
- Microsoft Windows Server 2003 SP2 Itanium
- Microsoft Windows Server 2003 SP2 x64
- Microsoft Windows XP SP2 x64 Professional
- Microsoft Windows XP x64 Professional
- Microsoft Windows XP SP2
Reported:
Jul 24, 2007
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
