Internet Explorer Telnet URI Insecure Loading

2011-08-16T00:00:00
ID SAINT:727CED0B38EE78AB3C2B2520C53C41AB
Type saint
Reporter SAINT Corporation
Modified 2011-08-16T00:00:00

Description

Added: 08/16/2011
CVE: CVE-2011-1961
BID: 49027
OSVDB: 74494

Background

A Uniform Resource Identifier (URI) allows a user to identify a name or a resource on the Internet while specifying the delivery protocol.

Problem

Unpatched versions of Internet Explorer 6 through 9 do not specify the path of the executable used to load the telnet.exe handler when loading URIs. If an attacker can get a target to open an HTML document from an SMB share that redirects to a telnet URI, and supplies a malicious telnet.exe file in the same path as the HTML document, the executable will be run on the target's system.
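
The following share audit is an added defensive example, not part of the SAINT advisory or its exploit. It walks a mounted share and reports every directory in which an HTML document referencing a telnet: URI sits beside an executable, which is the layout described above. The function names, the 1 MiB read limit and the sample tree are assumptions made for illustration.

```python
import os
import re
import sys
import tempfile

TELNET_URI = re.compile(rb"telnet:", re.IGNORECASE)  # URI scheme named in the advisory
HTML_EXTS = (".html", ".htm")
MAX_BYTES = 1 << 20  # assumption: read at most 1 MiB per document


def references_telnet(path):
    """Return True if the document at `path` contains a telnet: URI reference."""
    try:
        with open(path, "rb") as fh:
            data = fh.read(MAX_BYTES)
    except OSError:
        return False  # unreadable file: skip it rather than abort the scan
    # Dropping NUL bytes lets the same pattern match UTF-16 encoded HTML.
    return bool(TELNET_URI.search(data.replace(b"\x00", b"")))


def scan_share(root):
    """Return one finding per directory that holds both an HTML document
    referencing telnet: and at least one .exe file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        if not exes:
            continue
        docs = sorted(f for f in files if f.lower().endswith(HTML_EXTS)
                      and references_telnet(os.path.join(dirpath, f)))
        if docs:
            findings.append({
                "dir": dirpath,
                "documents": docs,
                "executables": exes,
                # A file named like the handler next to the document is the case described.
                "handler_name_present": any(e.lower() == "telnet.exe" for e in exes),
            })
    return findings


if __name__ == "__main__":
    # Constructed sample tree: a benign link document beside an empty placeholder file.
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "notes.html"), "w") as fh:
            fh.write('<a href="telnet://host.example">console</a>')
        open(os.path.join(root, "telnet.exe"), "wb").close()
        print(scan_share(sys.argv[1] if len(sys.argv) > 1 else root))
```

A hit is a triage lead, not proof of compromise: a document can mention telnet: legitimately, so review the listed executables before acting.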

Resolution

Apply a patch. See Microsoft Security Bulletin MS11-057 for patch information.

References

<http://www.microsoft.com/technet/security/Bulletin/MS11-057.mspx>

Limitations

This exploit has been tested against Microsoft Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). The executable smbclient must be available on the exploit server, and a valid SMB user with permission to write to the SMB share is required. The SMB password is not allowed to contain single quotes (').

This exploit uploads files named 'report.html' and 'exploit.exe' to the supplied SMB share. The attack will succeed if a vulnerable user accesses the SMB share and double-clicks on the report.html file. Please note that the exploit does not clean up these two files after executing, and the user should delete them manually.

Platforms

Windows