CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
---|---|---|
3.8 | $0-$5k | 0.00 |
A vulnerability was found in Microsoft Windows 7/8/10/Vista (Operating System). It has been declared as problematic. This vulnerability affects an unknown function of the component Contact File Handler. The manipulation of the argument E-Mail Address
with the input value <a href="calc.exe">pwn@microsoft.com</a>
leads to a cross site scripting vulnerability. The CWE definition for the vulnerability is CWE-80. The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. As an impact it is known to affect integrity.
The weakness was presented 01/22/2019 by John Page as not defined advisory (Website) via ZDI (Zero Day Initiative). The advisory is available at hyp3rlinx.altervista.org. The advisory contains:
This advisory was initially one of three different vulnerabilities I reported to Zero Day Initiative Program (ZDI), that microsoft decided to not release a security fix for and close. The first cases I reported to ZDI were .VCF and .CONTACT files Website address input fields.The attack can be initiated remotely. No form of authentication is required for a successful exploitation. Successful exploitation requires user interaction by the victim. Technical details and also a public exploit are known. The structure of the vulnerability defines a possible price range of USD $0-$5k at the moment (estimation calculated on 05/29/2020). This vulnerability is assigned to T1059.007 by the MITRE ATT&CK project. The advisory points out:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The flaw is due to the processing of ".contact" files, the E-mail address field takes an expected E-mail address value, however the .CONTACT file is vulnerable to HTML injection as no validation is performed. Therefore, if an attacker references an executable file using an HREF tag it will run that instead without warning instead of performing the expected email behavior. This is dangerous and would be unexpected to an end user.
A public exploit has been developed by John Page and been published immediately after the advisory. It is possible to download the exploit at hyp3rlinx.altervista.org. It is declared as proof-of-concept. As 0-day the estimated underground price was around $5k-$25k. The advisory illustrates:
Additionally the executable file can live in a sub-directory and be referenced like "<a href="mydir\malicious.exe">pwn@microsoft.com</a>" or attackers can use directory traversal techniques to point to a malware say sitting in the targets Downloads directory like: <a href="..\..\..\..\Users\victim\Downloads\evil.exe">pwn@microsoft.com</a> Making matters worse is if the the files are compressed then downloaded "mark of the web" (MOTW) may potentially not work as expected using certain archive utils.
There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.
Additional details are provided at youtube.com.
Product
Type
Vendor
Name
Version
License
Support
- end of life (old version)
CPE 2.3
CPE 2.2
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 4.3VulDB Meta Temp Score: 3.8
VulDB Base Score: 4.3
VulDB Temp Score: 3.8
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
AV | AC | Au | C | I | A |
---|---|---|---|---|---|
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
---|---|---|---|---|---|
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Cross site scriptingCWE: CWE-80 / CWE-74 / CWE-707
CAPEC: 🔍
ATT&CK: 🔍
Local: No
Remote: Yes
Availability: 🔍
Access: Public
Status: Proof-of-Concept
Author: John Page
Download: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
0-Day | unlock | unlock | unlock | unlock |
---|---|---|---|---|
Today | unlock | unlock | unlock | unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: no mitigation knownStatus: 🔍
0-Day Time: 🔍
Exploit Delay Time: 🔍
Timeline
01/22/2019 🔍01/22/2019 🔍
04/15/2019 🔍
05/29/2020 🔍
Sources
Vendor: microsoft.comProduct: microsoft.com
Advisory: hyp3rlinx.altervista.org
Researcher: John Page
Status: Not defined
scip Labs: https://www.scip.ch/en/?labs.20161215
Misc.: 🔍
Entry
Created: 04/15/2019 09:15Updated: 05/29/2020 16:16
Changes: 04/15/2019 09:15 (51), 05/29/2020 16:16 (2)
Complete: 🔍
Submitter: hyp3rlinx
Submit
Accepted
- Submit #61: Microsoft Windows ".contact" File HTML Injection Mailto: Link Remote Code Execution 0day ZDI-CAN-7591 (by hyp3rlinx)
No comments yet. Languages: en.
Please log in to comment.