CVE-2010-3147 in Windowsinfo

Summary

by MITRE

Untrusted search path vulnerability in wab.exe 6.00.2900.5512 in Windows Address Book in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allows local users to gain privileges via a Trojan horse wab32res.dll file in the current working directory, as demonstrated by a directory that contains a Windows Address Book (WAB), VCF (aka vCard), or P7C file, aka "Insecure Library Loading Vulnerability." NOTE: the codebase for this product may overlap the codebase for the product referenced in CVE-2010-3143.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 01/21/2025

The vulnerability described in CVE-2010-3147 represents a classic insecure library loading flaw that affects the Windows Address Book application wab.exe across multiple windows versions. This issue stems from the application's failure to properly validate the search path when loading dynamic link libraries, creating a privilege escalation vector that can be exploited by local attackers. The vulnerability specifically manifests when wab.exe attempts to load the wab32res.dll file, which is typically located in system directories but can be manipulated through malicious file placement in the current working directory. This insecure behavior directly aligns with CWE-427, which addresses uncontrolled search path dependencies, and CWE-428, which covers unquoted search paths, both of which are fundamental security weaknesses in application design.

The operational impact of this vulnerability extends beyond simple privilege escalation to encompass broader system compromise potential. When a user opens a Windows Address Book file, VCF file, or P7C file from a directory containing a malicious wab32res.dll, the system loads the attacker-controlled library instead of the legitimate one, allowing the malicious code to execute with the privileges of the target user. This vulnerability operates under the ATT&CK framework's technique T1068, which covers local privilege escalation through application flaws, and T1547, which covers registry run keys and startup folder modifications. The attack vector is particularly insidious because it leverages user interaction with common file types, making it difficult to detect and prevent through traditional network-based security measures.

Security researchers have identified this vulnerability as part of a broader class of issues affecting Windows applications that improperly handle dynamic library loading, with overlapping codebases between related vulnerabilities such as CVE-2010-3143. The exploitation process requires local access and involves placing a malicious DLL in the same directory as a legitimate WAB file, making it a persistent threat in environments where users frequently interact with address book files. Microsoft addressed this issue through patching mechanisms that enforced proper DLL loading behavior and restricted the search path to prevent loading libraries from untrusted locations. Organizations should implement comprehensive patch management programs to address this vulnerability, as well as employ security awareness training to prevent users from opening suspicious files from untrusted directories. The vulnerability demonstrates the critical importance of proper library loading practices in application security, particularly in operating systems where multiple applications may share common code paths and dependencies.

Reservation

08/27/2010

Disclosure

08/27/2010

Moderation

accepted

Entry

VDB-54555

CPE

ready

Exploit

Download

EPSS

0.18675

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!