10.14.35 Insomnia : ISVA-100216.1 - Windows URL Handling Vulnerability | |
| ______________________________ Insomnia Security Vulnerability Advisory: ISVA-100216.1 ______________________________ Name: Windows URL Handling Vulnerability Released: 16 February 2010 Vendor Link: http://www.microsoft.com/ Affected Products: Windows 2000, Windows XP, Windows 2003, Windows Vista Original Advisory: http://www.insomniasec.com/ Researcher: Brett Moore, Insomnia Security http://www.insomniasec.com ______________________________ _______________ Description _______________ A flaw exists with the handling of malformed URL's passed through the ShellExeute() API. The vulnerability does not directly cause an issue within Windows itself however, applications that call the flawed API may be vulnerable to various attacks, one of which is shown in this report. _______________ Details _______________ The vulnerability is reached when the malformed URL contains #: and can be used to reference local files. Two such examples are shown here; acrobat://test/#://../../c:/ or anything://test/#://../../c:/ The results will be different dependant on where the URL is used and which OS platform is in use. Some examples are shown here; Start->Run Calc.exe is executed without prompt IE URL Bar or HREF User is prompted to execute calc.exe Word Document User is prompted to open acrobat link PDF Document Calc.exe is executed without prompt Firefox Firefox will not follow the URL Safari Calc.exe is executed without prompt ___________________ Potential Exploit ___________________ Safari will not access the local file through the standard file:// link, but will execute the local file through the malformed link. One method of executable delivery is through the onenote:// URL protocol if Microsoft OneNote is installed. OneNote will automatically open and process a onenote file shared over an SMB share. Any executables stored within the onenote file will be cached locally. This is done by downloading the embedded executables and storing them in a known location. C:/Users/[USERNAME]/AppData/ _Files/ This file can then be executed through the URL handling vulnerability leading to an automatic code execution issue through Safari. Obviously there are some requirements for this exploit; + the target user name must be known + Microsoft OneNote must be installed + SMB access out must be allowed _______________ Solution _______________ Microsoft have released a security update to address this issue; http://www.microsoft.com/ http://www.microsoft.com/ _______________ Legals _______________ The information is provided for research and educational purposes only. Insomnia Security accepts no liability in any form whatsoever for any direct or indirect damages associated with the use of this information. ______________________________ Insomnia Security Vulnerability Advisory: ISVA-100216.1 ______________________________ | |
|
| |
| Total comments: 0 | |