Windows IE7 URI Handler command execution through Firefox

Added: 10/19/2007
CVE: CVE-2007-3896
BID: 25945
OSVDB: 41090

Background

The shell32.dll library provides functions which handle interaction between Internet Explorer and the Windows shell.

Problem

The version of the shell32.dll library installed with Internet Explorer 7 does not properly validate malformed URIs containing a percent character (%). This allows command execution when a user follows a specially crafted link in other applications, such as Firefox.

Resolution

Follow the recommendations in Microsoft Security Advisory 943521 and install a fix when available.

References

http://www.kb.cert.org/vuls/id/403150
http://archives.neohapsis.com/archives/bugtraq/2007-10/0070.html

Limitations

The exploit works against Microsoft Internet Explorer 7.0.5730.13 when the link is followed in Firefox 2.0.0.4.

The SAINTexploit host must be able to bind to port 69/UDP.

The exploit requires the Perl threads module to be installed on the SAINTexploit host.

Platforms

Windows XP
