Microsoft Windows URI protocol handling command execution
multiple-uri-command-execution (35582)
Description:
A vulnerability in the Microsoft Windows protocol handler on Windows XP and Windows 2000 systems with Internet Explorer 7 installed could allow a remote attacker to execute arbitrary commands on the system. This vulnerability is caused by improper handling of certain Uniform Resource Identifiers (URIs), including the mailto, nntp, news, snews, and telnet protocol handlers. By persuading a victim to visit a specially-crafted Web page that calls one of the vulnerable protocol handlers, a remote attacker could exploit this vulnerability to inject and execute arbitrary shell commands on the system.
Note: This vulnerability has multiple attack vectors that are exploitable via multiple third-party applications. These applications include Mozilla Firefox, Adobe Reader, Adobe Acrobat, Microsoft Outlook, Skype, and possibly other applications. See References for more information.
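A defensive check for the condition described above, added here as an example (it is not part of the original X-Force entry or any vendor's code): it scans text such as an HTML page or mail body for URIs that use the schemes named in the description and flags those containing a malformed percent-escape, the "invalid % sequences" condition cited in the CVE-2007-3896 reference. The function name, regular expressions, and sample input are constructed for illustration.

```python
import re
from typing import List, Tuple

# Schemes named in the description above.
AFFECTED_SCHEMES = {"mailto", "nntp", "news", "snews", "telnet"}

# scheme ":" rest, where rest runs up to whitespace, a quote, or an angle bracket
# (the usual delimiters around a link in HTML or mail text).
URI_RE = re.compile(r'\b([A-Za-z][A-Za-z0-9+.\-]*):([^\s"\'<>]+)')

# A '%' that is not followed by exactly two hex digits is not a valid
# percent-escape under RFC 3986.
BAD_ESCAPE_RE = re.compile(r'%(?![0-9A-Fa-f]{2})')


def find_suspicious_uris(text: str) -> List[Tuple[str, str, List[int]]]:
    """Return (scheme, uri, offsets) for each URI with an affected scheme
    that contains at least one malformed percent-escape. Offsets are
    positions of the offending '%' within the part after 'scheme:'."""
    findings = []
    for match in URI_RE.finditer(text):
        scheme = match.group(1).lower()  # URI schemes are case-insensitive
        if scheme not in AFFECTED_SCHEMES:
            continue
        rest = match.group(2)
        offsets = [bad.start() for bad in BAD_ESCAPE_RE.finditer(rest)]
        if offsets:
            findings.append((scheme, match.group(0), offsets))
    return findings


# Constructed sample input: benign links, no real payloads.
SAMPLE = '''
<a href="mailto:alice@example.com?subject=Hi%20there">ok</a>
<a href="mailto:bob%zz@example.com">malformed escape</a>
<a href="telnet:host.example%">trailing percent</a>
<a href="http://example.com/%zz">scheme not in the list</a>
<a href="NEWS:comp.example%2">short escape</a>
'''

if __name__ == "__main__":
    for scheme, uri, offsets in find_suspicious_uris(SAMPLE):
        print(f"{scheme}: {uri!r} has malformed '%' at offsets {offsets}")
```

A hit means only that the link is malformed and worth a closer look on unpatched hosts; it does not replace the MS07-061 patch.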
Platforms Affected:
- HP, Storage Management Appliance 2.1
- Microsoft, Internet Explorer 7
- Microsoft, Windows 2003 Server SP1
- Microsoft, Windows 2003 Server SP2
- Microsoft, Windows 2003 Server SP2 x64
- Microsoft, Windows 2003 Server SP2 Itanium
- Microsoft, Windows 2003 Server SP1 Itanium
- Microsoft, Windows 2003 Server x64
- Microsoft, Windows XP SP2 Professional x64
- Microsoft, Windows XP SP2
- Microsoft, Windows XP Professional x64
Remedy:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS07-061. See References.
Consequences:
Gain Access
References:
- Billy (BK) Rios Blog, Tuesday, July 24th, 2007, Remote Command Execution in FireFox et al at http://xs-sniper.com/blog/2007/07/24/remote-command-execution-in-firefox-2005/.
- BugTraq Mailing List, 2007-10-03 16:06:29, 0day: mIRC pwns Windows at http://marc.info/?l=bugtraq&m=119143780202107&w=2.
- Full-Disclosure Mailing List, Tue Jul 24 2007 - 19:02:10 CDT, More URI Handling Vulnerabilites (FireFox Remote Command Execution) at http://archives.neohapsis.com/archives/fulldisclosure/2007-07/0546.html.
- Heise Security News, Report of 05.10.2007 14:45, URI problem also affects Acrobat Reader and Netscape at http://www.heise-security.co.uk/news/96982.
- HPSBST02291 SSRT071498, Storage Management Appliance (SMA), Microsoft Patch Applicability MS07-061 and MS07-062 at http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01287209&jumpid=reg_R1002_USEN.
- IBM Internet Security Systems Protection Alert, Oct. 15, 2007, Multiple vendor products URI handling command execution at http://www.iss.net/threats/276.html.
- IBM Internet Security Systems X-Force Database, Mozilla Firefox URI NULL byte filtering command execution at http://xforce.iss.net/xforce/xfdb/38321.
- IBM Internet Security Systems X-Force Database, Adobe Acrobat and Reader mailto: PDF code execution at http://xforce.iss.net/xforce/xfdb/36722.
- IBM Internet Security Systems X-Force Database, Multiple Mozilla products URI double-quote and space filtering command execution at http://xforce.iss.net/xforce/xfdb/38327.
- IBM Internet Security Systems X-Force Database, Netscape Navigator URI NULL byte filtering command execution at http://xforce.iss.net/xforce/xfdb/38322.
- IBM Internet Security Systems X-Force Database, Mozilla Firefox mailto: URI handling command execution at http://xforce.iss.net/xforce/xfdb/38326.
- IBM Internet Security Systems X-Force Database, Mozilla URI handling command execution at http://xforce.iss.net/xforce/xfdb/38325.
- IBM Internet Security Systems X-Force Database, Microsoft Outlook and Outlook Express URI handling command execution at http://xforce.iss.net/xforce/xfdb/38324.
- IBM Internet Security Systems X-Force Database, Multiple Mozilla products URI percent filtering command execution at http://xforce.iss.net/xforce/xfdb/38323.
- Microsoft Security Advisory (943521), URL Handling Vulnerability in Windows XP and Windows Server 2003 with Windows Internet Explorer 7 Could Allow Remote Code Execution at http://www.microsoft.com/technet/security/advisory/943521.mspx.
- Microsoft Security Bulletin MS07-061, Vulnerability in Windows URI Handling Could Allow Remote Code Execution (943460) at http://www.microsoft.com/technet/security/Bulletin/MS07-061.mspx.
- Nortel Web site, Nortel Response to Microsoft Security Bulletin MS07-061 at http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=668436.
- SKYPE-SB/2007-001, Improper handling of URI arguments at http://skype.com/security/skype-sb-2007-001.html.
- ZDNet Blog October 10th, 2007, MS Outlook flaw adds new twist to URI handling saga at http://blogs.zdnet.com/security/?p=577.
- ASA-2007-471: MS07-061 Vulnerability in Windows URI Handling Could Allow Remote Code Execution (943460)
- BID-25945: Microsoft Windows URI Handler Command Execution Vulnerability
- CVE-2007-3896: The URL handling in Shell32.dll in the Windows shell in Microsoft Windows XP and Server 2003, with Internet Explorer 7 installed, allows remote attackers to execute arbitrary programs via invalid % sequences in a mailto: or other URI handler, as demonstrated using mIRC, Outlook, Firefox, Adobe Reader, Skype, and other applications. NOTE: this issue might be related to other issues involving URL handlers in Windows systems, such as CVE-2007-3845. There also might be separate but closely related issues in the applications that are invoked by the handlers.
- SA26201: Microsoft Windows URI Handling Command Execution Vulnerability
- SECTRACK ID: 1018822: Adobe Acrobat URI Handling Bug Lets Remote Users Execute Arbitrary Code
- SECTRACK ID: 1018831: Microsoft Windows ShellExecute() URI Handler Bug Lets Remote Users Execute Arbitrary Commands
- US-CERT VU#403150: Microsoft Windows URI protocol handling vulnerability
Reported:
Jul 24, 2007
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
