CERT-In Vulnerability Note CIVN-2010-14
Windows Shell Handler URL Validation Vulnerability

Original Issue Date: February 11, 2010

Severity Rating: High

Systems Affected

  • Microsoft Windows 2000 Service Pack 4
  • Windows XP Service Pack 2 and Windows XP Service Pack 3
  • Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Server 2003 with SP2 for Itanium-based Systems

Overview

A vulnerability has been reported in the Microsoft Windows shell handler. Successful exploitation could allow remote code execution on a vulnerable system and give the attacker complete control of it.

Description

The Windows user interface (UI) provides users with access to a wide variety of objects necessary for running applications and managing the operating system. The most numerous and familiar of these objects are the folders and files that reside on computer disk drives. There are also a number of virtual objects that allow the user to perform tasks such as sending files to remote printers or accessing the Recycle Bin. The Shell organizes these objects into a hierarchical namespace and provides users and applications with a consistent and efficient way to access and manage objects.

ShellExecute is one of the Windows Shell application programming interface (API) functions. It performs an operation on a specified file; this could, for instance, mean invoking the correct handler for that specific file type.

A remote code execution vulnerability has been reported in the "ShellExecute" API function. It is caused by incorrect validation of input sent to the API function.

When an application, such as a Web browser, uses the "ShellExecute" API function to process specially crafted data, "ShellExecute" may incorrectly validate that data stream and execute a binary from the local client system.

An attacker who successfully exploited this vulnerability could then run arbitrary code in the context of the currently logged-in user and could take complete control of the affected system.

NOTE: This vulnerability affects Microsoft Internet Explorer and the Windows operating system as well. This issue was already addressed for Internet Explorer in Microsoft Security Bulletin MS10-002 and for the Windows operating system in Microsoft Security Bulletin MS10-007.
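
An added example, not part of the CERT-In note or of Microsoft's update: a defence-in-depth check that an application can run before passing untrusted data to "ShellExecute", accepting only plain http/https URLs. The function names, the 2048-byte cap and the rejected-character set are assumptions made for illustration; the fix for this issue is the MS10-007 update.

```c
#include <ctype.h>
#include <string.h>

/* Allow-list check (hypothetical helper): return 1 only for a plain
 * http:// or https:// URL, 0 for everything else. */
int is_safe_web_url(const char *url)
{
    static const char *const schemes[] = { "http://", "https://" };
    size_t i, len, skip = 0;

    if (url == NULL)
        return 0;
    len = strlen(url);
    if (len > 2048)                      /* assumed length cap */
        return 0;

    /* The scheme must match (case-insensitively) at the very start. */
    for (i = 0; i < sizeof schemes / sizeof schemes[0]; i++) {
        size_t n = strlen(schemes[i]), j;
        if (len <= n)
            continue;                    /* nothing after the scheme */
        for (j = 0; j < n; j++)
            if (tolower((unsigned char)url[j]) != schemes[i][j])
                break;
        if (j == n) { skip = n; break; }
    }
    if (skip == 0 || !isalnum((unsigned char)url[skip]))
        return 0;                        /* unknown scheme or odd host start */

    /* Reject bytes that can change how the string is parsed downstream. */
    for (i = skip; i < len; i++) {
        unsigned char c = (unsigned char)url[i];
        if (c <= 0x20 || c >= 0x7f || strchr("\\\"'<>|^`", c) != NULL)
            return 0;
    }
    return 1;
}

#ifdef _WIN32
#include <windows.h>
#include <shellapi.h>
/* Hypothetical caller: only validated URLs ever reach ShellExecute. */
int open_untrusted_url(const char *url)
{
    if (!is_safe_web_url(url))
        return 0;
    return (INT_PTR)ShellExecuteA(NULL, "open", url, NULL, NULL, SW_SHOWNORMAL) > 32;
}
#endif
```
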

Solution

Apply the appropriate updates as mentioned in Microsoft Security Bulletin MS10-007.

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS10-007.mspx

References

Secunia
http://secunia.com/advisories/38501/

VUPEN
http://www.vupen.com/english/advisories/2010/0340

CERT-In
http://www.cert-in.org.in/advisory/ciad-2010-03.htm

CVE Name
CVE-2010-0027

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003