Microsoft Windows showHelp Arbitrary Code Execution

2004-07-13T16:45:54
ID OSVDB:7803
Type osvdb
Reporter Arman Nayyeri (arman-n@phreaker.net)
Modified 2004-07-13T16:45:54

Description

Vulnerability Description

Microsoft Windows contains a flaw that allows a remote attacker to execute arbitrary code outside of the web path. The issue is due to the showHelp() function not properly sanitizing user input, specifically traversal-style sequences (../../) supplied via the URL target.

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

Manual Testing Notes

showHelp("mk:@MSITStore:iexplore.chm::..\..\..\..\chmfile.chm::/fileinchm.html");
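
The following check is an added example, not part of the OSVDB entry or of Microsoft's patch: it scans page source for showHelp() calls whose mk:@MSITStore target reaches the CHM file through ".." segments, as in the test string above. The function names, the sample markup and the normalization of encoded forms are assumptions made for illustration; the entry does not say whether the handler decodes such forms.

```python
import re
from urllib.parse import unquote

# First string argument of showHelp("...") / showHelp('...'), escaped quotes allowed.
SHOWHELP_CALL = re.compile(r"""showHelp\s*\(\s*(["'])((?:\\.|(?!\1).)*)\1""", re.I | re.S)
# JavaScript escapes that can hide a dot or a slash: \xHH, \uHHHH, or backslash + char.
JS_ESCAPE = re.compile(r"\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4})|(.))", re.S)
PREFIX = "mk:@msitstore:"


def decode_js_literal(raw):
    """Undo hex/unicode/simple backslash escapes (newline and tab escapes are not expanded), then %XX."""
    def repl(m):
        if m.group(1) or m.group(2):
            return chr(int(m.group(1) or m.group(2), 16))
        return m.group(3)
    return unquote(JS_ESCAPE.sub(repl, raw))


def traversal_in_store_path(url):
    """True if an mk:@MSITStore URL reaches its CHM file through '..' segments."""
    url = url.strip()
    if not url.lower().startswith(PREFIX):
        return False
    # Text before the last "::" names the storage file; the rest is the page inside it.
    store_ref = url[len(PREFIX):].rsplit("::", 1)[0]
    return ".." in re.split(r"[\\/]|::", store_ref)


def find_suspicious_showhelp(html):
    """Return the raw showHelp() arguments in `html` that match the pattern."""
    hits = []
    for m in SHOWHELP_CALL.finditer(html):
        raw = m.group(2)
        # Check the literal as written and decoded; encoded forms are an added precaution.
        if any(traversal_in_store_path(c)
               for c in (raw, unquote(raw), decode_js_literal(raw))):
            hits.append(raw)
    return hits


# Constructed sample: the entry's test string, a percent-encoded variant, and an
# ordinary help link (constructed path) that must not be flagged.
SAMPLE = r'''
<a onclick='showHelp("mk:@MSITStore:iexplore.chm::..\..\..\..\chmfile.chm::/fileinchm.html")'>1</a>
<a onclick='showHelp("mk:@MSITStore:iexplore.chm::%2e%2e\\%2e%2e\\x.chm::/p.html")'>2</a>
<a onclick='showHelp("mk:@MSITStore:C:\\WINDOWS\\Help\\iexplore.chm::/index.htm")'>3</a>
'''
```

Calling find_suspicious_showhelp(SAMPLE) returns the first two arguments and leaves the ordinary help link alone.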

References:

Secunia Advisory ID: 12059
Related OSVDB ID: 7804
Microsoft Security Bulletin: MS04-023
Microsoft Knowledge Base Article: 840315
Mail List Post: http://www.securityfocus.com/archive/1/348521
ISS X-Force ID: 14105
Generic Exploit URL: http://www.freewebs.com/arman2/showamp.htm
CVE-2003-1041
Bugtraq ID: 9320