CVE-2010-1885 The MPC::HexToNum function in helpctr.exe in Microsoft Windows Help and Support Center in Windows XP and Windows Server 2003 does not properly handle malformed escape sequences, which allows remote attackers to bypass the trusted documents whitelist (fromHCP option) and execute arbitrary commands via a crafted hcp:// URL.
Zero Day Vulnerability in Windows Help Center CVE-2010-1885.
Exploit for the “Windows Help Center” of Windows XP ServicePack 2 and ServicePack 3.
- Full Disclosure post by Tavis Ormandy
- Microsoft Security Advisory (2219475) Vulnerability in Windows Help and Support Center Could Allow Remote Code Execution
- Microsoft Fix-It solution
- See a good description of this particular malware in "CVE 2010-1885 exploited in the wild" by Donato Ferrante (Sophos Labs)
- Microsoft Help Center XSS and Command Execution Metasploit
- Microsoft Help Center Zero-Day Exploits Loose by Carolyn Guevarra (Trendlabs malware blog)
- Video and exploit sequence explanation by Hardez
- CVE-2010-1885 Analysis:
Exploit methods and the files involved are well described in "Microsoft Help Center Zero-Day Exploits Loose" by Carolyn Guevarra (Trendlabs malware blog). You can download all the files described there (except o.exe) from the download link below.
Image from Trendlabs malware blog
Download the CVE-2010-1885 files listed below as a password-protected archive (contact me if you need the password).
File 62f4daf19da62595609d6a0c0089fcac received on 2010.06.24 04:16:26 (UTC)
Result: 28/41 (68.29%)
Antivirus Version Last update Result
a-squared 5.0.0.30 2010.06.24 Exploit.Win32.CVE-2010-1885!IK
AhnLab-V3 2010.06.24.00 2010.06.24 Exploit/Cve-2010-1885
AntiVir 8.2.4.2 2010.06.23 EXP/CVE-2010-1885
Avast 4.8.1351.0 2010.06.23 HTML:CVE-2010-1885-A
Avast5 5.0.332.0 2010.06.23 HTML:CVE-2010-1885-A
AVG 9.0.0.836 2010.06.23 Generic2_c.AMOL
BitDefender 7.2 2010.06.24 Exploit.CVE-2010-1885.A
CAT-QuickHeal 10.00 2010.06.23 HCP/CVE-2010-1885
Comodo 5198 2010.06.23 UnclassifiedMalware
DrWeb 5.0.2.03300 2010.06.24 Exploit.Hcp
eSafe 7.0.17.0 2010.06.23 Win32.Exploit.HelpOv
eTrust-Vet 36.1.7663 2010.06.24 HTML/HCP.A
F-Secure 9.0.15370.0 2010.06.24 Exploit.CVE-2010-1885.A
GData 21 2010.06.24 Exploit.CVE-2010-1885.A
Ikarus T3.1.1.84.0 2010.06.24 Exploit.Win32.CVE-2010-1885
Kaspersky 7.0.0.125 2010.06.24 Exploit.HTML.CVE-2010-1885.a
McAfee 5.400.0.1158 2010.06.24 Exploit-HelpOverflow
McAfee-GW-Edition 2010.1 2010.06.23 Exploit-HelpOverflow
Microsoft 1.5902 2010.06.23 Exploit:Win32/CVE-2010-1885.A
NOD32 5223 2010.06.23 HTML/Exploit.CVE-2010-1885
nProtect 2010-06-23.02 2010.06.23 Exploit.CVE-2010-1885.A
PCTools 7.0.3.5 2010.06.24 Exploit.CVE_2010_1885
Sophos 4.54.0 2010.06.24 Mal/HcpExpl-A
Sunbelt 6498 2010.06.24 Exploit.HTML.HCP.a (v)
Symantec 20101.1.0.89 2010.06.24 Bloodhound.Exploit.337
TrendMicro 9.120.0.1004 2010.06.24 TROJ_HCPEXP.A
TrendMicro-HouseCall 9.120.0.1004 2010.06.24 TROJ_HCPEXP.A
ViRobot 2010.6.21.3896 2010.06.24 JS.S.Exploit.1938
Additional information
File size: 1938 bytes
MD5 : 62f4daf19da62595609d6a0c0089fcac