Windows URL Validation Vulnerability (Feb 18, 2010)

A URL (Uniform Resource Locator) is a case-insensitive string with the following format:

: [ // ][ ] [ ? ] [ # ]

The Microsoft Windows operating system provides facilities to invoke different applications based on a URL. An application can be registered on a system to open a particular URL scheme, such as “mailto”, “nntp”, “telnet”, etc. When a user clicks a link with a scheme for which no application is registered, the Windows function ShellExecute() is called to directly handle the URL. The ShellExecute() functionality can be found in Windows Shell (shlwapi.dll) and Internet Explorer (ieframe.dll).

An input validation vulnerability exists in the ShellExecute() functionality. Specifically, the vulnerable code incorrectly parses the path section of a URL. When a URL contains the two-byte character sequence #:, the vulnerable code incorrectly assumes the path is a valid drive. For example,

xyz://www.example.com#://../../C:/windows/system32/calc.exe

will cause Windows to run calc.exe.

Attackers can exploit this vulnerability by enticing a target user to click a link to a malicious URL; the link can exist in a web page or in a crafted document. Successful exploitation of this vulnerability would lead to arbitrary command execution. In the scenario where a malicious binary file is placed in a predictable location on the target system, this vulnerability can be exploited to execute arbitrary code with the privileges of the currently logged-in user.

Microsoft has released Security Bulletin MS10-007 to address this issue. The CVE identifier for this vulnerability is CVE-2010-0027.

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 3167 MS Windows URL Validation Remote Command Execution (MS10-007)
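
As an added example (not SonicWALL's signature logic and not code from the advisory), the following Python sketch shows how a defender could triage links in HTML or mail bodies for the `#:` sequence described above. The scheme allow-list, the escalation rule and the sample input are assumptions constructed for illustration.

```python
import re

# Candidate URLs: a scheme, ':', then everything up to whitespace, a quote or an angle bracket.
URL_RE = re.compile(r"""\b[a-z][a-z0-9+.\-]*:[^\s"'<>]+""", re.IGNORECASE)
DRIVE_RE = re.compile(r"[a-z]:[/\\]", re.IGNORECASE)

# Assumed allow-list of schemes with a registered handler; adjust per environment.
REGISTERED = {"http", "https", "ftp", "mailto", "nntp", "telnet"}

def inspect_url(url):
    """Return a finding for a URL containing '#:', or None if the sequence is absent."""
    idx = url.find("#:")
    if idx == -1:
        return None
    scheme = url.split(":", 1)[0].lower()
    tail = url[idx + 2:]  # what follows the '#:' sequence
    traversal = "../" in tail or "..\\" in tail
    drive_path = bool(DRIVE_RE.search(tail))
    return {
        "url": url,
        "scheme": scheme,
        "unregistered_scheme": scheme not in REGISTERED,
        "traversal": traversal,
        "drive_path": drive_path,
        # '#:' alone is noisy (text fragments use '#:~:'), so escalate only
        # when a traversal or drive-letter path follows it.
        "suspicious": traversal or drive_path,
    }

def scan(text):
    """Inspect every URL-like token in text and return the findings."""
    found = (inspect_url(m.group(0)) for m in URL_RE.finditer(text))
    return [f for f in found if f]

# Constructed sample input: the advisory's example URL plus benign links.
SAMPLE = '''
<a href="xyz://www.example.com#://../../C:/windows/system32/calc.exe">invoice</a>
<a href="https://www.example.com/docs#:~:text=release%20notes">notes</a>
<a href="https://www.example.com/faq#install">faq</a>
<a href="mailto:helpdesk@example.com">mail</a>
'''

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print("ALERT" if f["suspicious"] else "info ", f["scheme"], f["url"])
```

The benign text-fragment link is reported but not escalated, which is why the check combines `#:` with the path indicators rather than matching the two bytes alone.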