Windows IE7 URI Handler command execution through Firefox

2007-10-19T00:00:00
ID SAINT:6A134A237B2527C669724A72BA9B2955
Type saint
Reporter SAINT Corporation
Modified 2007-10-19T00:00:00

Description

Added: 10/19/2007
CVE: CVE-2007-3896
BID: 25945
OSVDB: 41090

Background

The **shell32.dll** library provides functions which handle interaction between Internet Explorer and the Windows shell.

Problem

The version of the **shell32.dll** library installed with Internet Explorer 7 does not properly validate malformed URIs containing a percent character (**%**). This allows command execution when a user follows a specially crafted link in other applications, such as Firefox.

Resolution

Follow the recommendations in Microsoft Security Advisory 943521 and install a fix when available.

References

<http://www.kb.cert.org/vuls/id/403150>
<http://archives.neohapsis.com/archives/bugtraq/2007-10/0070.html>

Limitations

Exploit works on Microsoft Internet Explorer 7.0.5730.13 through Firefox 2.0.0.4.

The SAINTexploit host must be able to bind to port 69/UDP.

Exploit requires the PERL threads module to be installed on the SAINTexploit host.

Platforms

Windows XP