Advisory Details

February 9th, 2010

Microsoft Windows ShellExecute Improper Sanitization Code Execution Vulnerability

ZDI-10-016
ZDI-CAN-495

CVE ID CVE-2010-0027
CVSS SCORE 10.0, AV:N/AC:L/Au:N/C:C/I:C/A:C
AFFECTED VENDORS Microsoft
AFFECTED PRODUCTS Windows XP
Windows 2000
Windows Server 2003
TREND MICRO CUSTOMER PROTECTION Trend Micro TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 9436. For further product information on the TippingPoint IPS: http://www.tippingpoint.com
VULNERABILITY DETAILS

This vulnerability allows remote attackers to force a Microsoft Windows system to execute a given local executable. User interaction is required in that the target must access a malicious URL.

The specific flaw exists within the ShellExecute API. Using a specially formatted URL, an attacker can bypass sanitization checks within this function and force the calling application to run an executable of the attacker's choice. Successful exploitation requires a useful binary to exist in a predictable location on the remote system.

ADDITIONAL DETAILS Microsoft has issued an update to correct this vulnerability. More details can be found at:
http://www.microsoft.com/technet/security/bulletin/MS10-007.mspx
DISCLOSURE TIMELINE
  • 2009-07-20 - Vulnerability reported to vendor
  • 2010-02-09 - Coordinated public release of advisory
CREDIT Brett Moore, Insomnia Security