Windows URL Validation Vulnerability
February 18, 2010
A URL (Uniform Resource Locator) is a case-insensitive string with the following format:
: [ // ][ ] [ ? ] [ # ]
The Microsoft Windows operating system provides facilities to invoke different applications based on a URL. An application can be registered on a system to open a particular URL scheme, such as "mailto", "nntp", "telnet", etc. When a user clicks a link with a scheme for which no application is registered, the Windows function ShellExecute() is called to directly handle the URL. The ShellExecute() functionality can be found in Windows Shell (shlwapi.dll) and Internet Explorer (ieframe.dll).
An input validation vulnerability exists in the ShellExecute() functionality. Specifically, the vulnerable code incorrectly parses the path section of a URL. When a URL contains the two-byte character sequence #:, the vulnerable code incorrectly assumes the path is a valid drive. For example,
xyz://www.example.com#://../../C:/windows/system32/calc.exe
will cause Windows to run calc.exe.
Attackers can exploit this vulnerability by enticing a target user to click a link to a malicious URL; the link can exist in a web page or in a crafted document. Successful exploitation of this vulnerability would lead to arbitrary command execution. In the scenario where a malicious binary file is placed in a predictable location on the target system, this vulnerability can be exploited to execute arbitrary code with the privileges of the currently logged-in user.
Microsoft has released Security Bulletin MS10-007 to address this issue. The CVE identifier for this vulnerability is CVE-2010-0027.
SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:
- 3167 MS Windows URL Validation Remote Command Execution (MS10-007)
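A simplified link-filter check for the URL pattern described above, given as an added example (it is not SonicWALL's signature or Microsoft's fix). The function name, the list of known schemes, the verdict labels and the sample URLs other than the one quoted above are assumptions made for illustration:

```python
import re
from urllib.parse import unquote

# Assumption: schemes treated as having a registered handler. On a real host
# this list would come from the system's protocol-handler registrations.
KNOWN_SCHEMES = {"http", "https", "ftp", "mailto", "nntp", "telnet"}

SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.I)
TRAVERSAL = re.compile(r"\.\.[\\/]")
# A single drive letter followed by ':' and a slash, e.g. "C:/" (not "http:/").
DRIVE_PATH = re.compile(r"(?<![a-z])[a-z]:[\\/]", re.I)


def classify_url(url):
    """Return (verdict, reasons); verdict is 'clean', 'review' or 'block'."""
    # Decode percent-escapes first so matching runs on the normalized form;
    # this is a conservative normalization choice, not a claim about the bug.
    decoded = unquote(url.strip())
    marker = decoded.find("#:")
    if marker == -1:
        return "clean", []
    reasons = ["'#:' sequence present"]
    tail = decoded[marker + 2:]
    fs_tail = False
    if TRAVERSAL.search(tail):
        reasons.append("directory traversal after '#:'")
        fs_tail = True
    if DRIVE_PATH.search(tail):
        reasons.append("drive-letter path after '#:'")
        fs_tail = True
    m = SCHEME.match(decoded)
    if m is None or m.group(1).lower() not in KNOWN_SCHEMES:
        reasons.append("scheme has no known handler")
    # '#:' alone also occurs in benign links (text-fragment directives), so
    # only a filesystem-style tail escalates the verdict to 'block'.
    return ("block" if fs_tail else "review"), reasons


# The first URL is the one quoted in the advisory; the others are constructed.
SAMPLES = [
    "xyz://www.example.com#://../../C:/windows/system32/calc.exe",
    "http://www.example.com/page#section",
    "https://www.example.com/doc#:~:text=hello",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, reasons = classify_url(sample)
        print(f"{verdict:6} {sample}  {'; '.join(reasons)}")
```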