Insomnia : ISVA-100216.1 - Windows URL Handling Vulnerability

 Insomnia Security Vulnerability Advisory: ISVA-100216.1

 Name: Windows URL Handling Vulnerability
 Released: 16 February 2010

 Vendor Link:

 Affected Products:
   Windows 2000, Windows XP, Windows 2003, Windows Vista

 Original Advisory:

   Brett Moore, Insomnia Security



A flaw exists in the handling of malformed URLs passed through
the ShellExecute() API. The vulnerability does not directly cause
an issue within Windows itself; however, applications that call
the flawed API may be vulnerable to various attacks, one of which
is shown in this report.



The vulnerability is reached when the malformed URL contains #:
and can be used to reference local files.

Two such examples are shown here;

The results will differ depending on where the URL is used
and which OS platform is in use.

Some examples are shown here;

   Calc.exe is executed without prompt

   User is prompted to execute calc.exe

Word Document
   User is prompted to open acrobat link

PDF Document
   Calc.exe is executed without prompt

   Firefox will not follow the URL

   Calc.exe is executed without prompt


 Potential Exploit

Safari will not access the local file through the standard
file:// link, but will execute the local file through the malformed

One method of executable delivery is through the onenote://
URL protocol if Microsoft OneNote is installed.

OneNote will automatically open and process a onenote file shared
over an SMB share. Any executables stored within the onenote file
will be cached locally. This is done by downloading the embedded
executables and storing them in a known location.


This file can then be executed through the URL handling vulnerability
leading to an automatic code execution issue through Safari.

Obviously there are some requirements for this exploit;
+ the target user name must be known
+ Microsoft OneNote must be installed
+ SMB access out must be allowed



Microsoft have released a security update to address this issue;
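
For applications that hand externally supplied URLs to ShellExecute(), a caller-side check adds defence in depth alongside the update. The following is an added example, not part of the original advisory or any vendor code; the function name url_is_launchable and the http/https allowlist are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Schemes this (hypothetical) application is willing to hand to the shell. */
static const char *const ALLOWED_SCHEMES[] = { "http", "https" };

/* Case-insensitive compare of the first n bytes of a against all of b. */
static int scheme_equals(const char *a, size_t n, const char *b)
{
    if (strlen(b) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != b[i]) return 0;
    return 1;
}

/* Returns 1 only if url may be passed on to the shell, 0 otherwise. */
int url_is_launchable(const char *url)
{
    if (url == NULL || *url == '\0') return 0;

    /* Reject control characters, spaces and backslashes outright. */
    for (const char *p = url; *p; p++)
        if ((unsigned char)*p <= 0x20 || *p == 0x7f || *p == '\\') return 0;

    /* The advisory's malformed URLs contain "#:"; refuse them. */
    if (strstr(url, "#:") != NULL) return 0;

    /* Require an explicit "scheme://" prefix with a non-empty scheme. */
    const char *sep = strstr(url, "://");
    if (sep == NULL || sep == url) return 0;
    size_t scheme_len = (size_t)(sep - url);

    /* Scheme must be on the allowlist (file, onenote and others are not). */
    int allowed = 0;
    for (size_t i = 0; i < sizeof ALLOWED_SCHEMES / sizeof *ALLOWED_SCHEMES; i++)
        if (scheme_equals(url, scheme_len, ALLOWED_SCHEMES[i])) allowed = 1;
    if (!allowed) return 0;

    /* A host must follow the separator. */
    return sep[3] != '\0' && sep[3] != '/';
}
```

On Windows, the caller would invoke ShellExecute() only when this function returns 1 and otherwise drop the link or ask the user.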



The information is provided for research and educational purposes
only. Insomnia Security accepts no liability in any form whatsoever
for any direct or indirect damages associated with the use of this
