Microsoft Windows ShellExecute Improper Sanitization Code Execution Vulnerability

February 9th, 2010
ZDI-10-016 ZDI-CAN-495

CVE ID

CVE-2010-0027

CVSS Score

10.0 AV:N/AC:L/Au:N/C:C/I:C/A:C

Affected Vendors

Microsoft

Affected Products

Windows XP
Windows 2000
Windows Server 2003

Vulnerability Details

This vulnerability allows remote attackers to force a Microsoft Windows system to execute a given local executable. User interaction is required in that the target must access a malicious URL.

The specific flaw exists within the ShellExecute API. Using a specially formatted URL an attacker can bypass sanitization checks within this function and force the calling application into running an executable of their choice. Successful exploitation requires a useful binary to exist in a predictable location on the remote system.

Additional Details

Microsoft has issued an update to correct this vulnerability. More details can be found at:
http://www.microsoft.com/technet/security/bulletin/MS10-007.mspx

Disclosure Timeline

  • 2009-07-20 - Vulnerability reported to vendor
  • 2010-02-09 - Coordinated public release of advisory

Credit

Brett Moore, Insomnia Security

Back to Advisories