| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.2 | $0-$5k | 0.00 |
A vulnerability classified as very critical was found in Microsoft Windows Server 2003/XP (Operating System). Affected by this vulnerability is an unknown part of the component URI Handler. The manipulation with an unknown input leads to a input validation vulnerability. The CWE definition for the vulnerability is CWE-20. The product receives input or data, but it does
not validate or incorrectly validates that the input has the
properties that are required to process the data safely and
correctly. As an impact it is known to affect confidentiality, and integrity. The summary by CVE is:
The URL handling in Shell32.dll in the Windows shell in Microsoft Windows XP and Server 2003, with Internet Explorer 7 installed, allows remote attackers to execute arbitrary programs via invalid "%" sequences in a mailto: or other URI handler, as demonstrated using mIRC, Outlook, Firefox, Adobe Reader, Skype, and other applications. NOTE: this issue might be related to other issues involving URL handlers in Windows systems, such as CVE-2007-3845. There also might be separate but closely related issues in the applications that are invoked by the handlers.
The bug was discovered 07/24/2007. The weakness was presented 07/26/2007 by Billy Rios (Website). It is possible to read the advisory at xs-sniper.com. This vulnerability is known as CVE-2007-3896 since 07/19/2007. The attack can be launched remotely. The exploitation doesn't need any form of authentication. Technical details are unknown but a public exploit is available. The pricing for an exploit might be around USD $0-$5k at the moment (estimation calculated on 03/15/2021).
It is possible to download the exploit at securityfocus.com. It is declared as proof-of-concept. The vulnerability was handled as a non-public zero-day exploit for at least 2 days. During that time the estimated underground price was around $25k-$100k. The vulnerability scanner Nessus provides a plugin with the ID 28183 (MS07-061: Vulnerability in Windows URI Handling Could Allow Remote Code Execution (943460)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Windows : Microsoft Bulletins and running in the context l.
The problem might be mitigated by replacing the product with as an alternative. A possible mitigation has been published 4 months after the disclosure of the vulnerability. Attack attempts may be identified with Snort ID 12687. In this case the pattern |22|.bat is used for detection. Furthermore it is possible to detect and prevent this kind of attack with TippingPoint and the filter 5704.
The vulnerability is also documented in the databases at X-Force (35582) and Tenable (28183).
Product
Type
Vendor
Name
Version
License
Support
- end of life (old version)
CPE 2.3
CPE 2.2
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 6.5VulDB Meta Temp Score: 6.2
VulDB Base Score: 6.5
VulDB Temp Score: 6.2
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Input validationCWE: CWE-20
CAPEC: 🔍
ATT&CK: 🔍
Local: No
Remote: Yes
Availability: 🔍
Access: Public
Status: Proof-of-Concept
Download: 🔍
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | unlock | unlock | unlock | unlock |
|---|---|---|---|---|
| Today | unlock | unlock | unlock | unlock |
Nessus ID: 28183
Nessus Name: MS07-061: Vulnerability in Windows URI Handling Could Allow Remote Code Execution (943460)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Context: 🔍
OpenVAS ID: 68991
OpenVAS Name: Adobe Reader URI Handler Remote Code Execution Vulnerabilities Oct07 (Windows)
OpenVAS File: 🔍
OpenVAS Family: 🔍
Saint ID: exploit_info/windows_ie7_uri_firefox
Saint Name: Windows IE7 URI Handler command execution through Firefox
Exploit-DB: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: AlternativeStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Snort ID: 12687
Snort Message: WEB-CLIENT Microsoft Windows ShellExecute and IE7 url handling code execution attempt
Snort Pattern: 🔍
TippingPoint: 🔍
McAfee IPS: 🔍
McAfee IPS Version: 🔍
ISS Proventia IPS: 🔍
PaloAlto IPS: 🔍
Fortigate IPS: 🔍
Timeline
07/19/2007 🔍07/24/2007 🔍
07/26/2007 🔍
07/26/2007 🔍
07/26/2007 🔍
08/02/2007 🔍
10/05/2007 🔍
10/05/2007 🔍
10/10/2007 🔍
10/14/2007 🔍
10/18/2007 🔍
11/13/2007 🔍
11/13/2007 🔍
03/15/2021 🔍
Sources
Vendor: microsoft.comProduct: microsoft.com
Advisory: xs-sniper.com
Researcher: Billy Rios
Status: Confirmed
CVE: CVE-2007-3896 (🔍)
OVAL: 🔍
IAVM: 🔍
X-Force: 35582
SecurityTracker: 1018831
Vulnerability Center: 16496 - [MS07-061] Internet Explorer 7 URL Handling Error Allows Remote Code Execution, Medium
SecurityFocus: 25945 - Microsoft Windows URI Handler Command Execution Vulnerability
Secunia: 26201
OSVDB: 41090 - Microsoft Windows w/ IE7 Shell32.dll Crafted URL Third-party Application Arbitrary Command Execution
scip Labs: https://www.scip.ch/en/?labs.20161013
Entry
Created: 08/02/2007 18:57Updated: 03/15/2021 16:06
Changes: 08/02/2007 18:57 (111), 09/05/2019 13:36 (1), 03/15/2021 16:06 (2)
Complete: 🔍
No comments yet. Languages: en.
Please log in to comment.