CVE-2010-1885 The MPC::HexToNum function in helpctr.exe in Microsoft Windows Help and Support Center in Windows XP and Windows Server 2003 does not properly handle malformed escape sequences, which allows remote attackers to bypass the trusted documents whitelist (fromHCP option) and execute arbitrary commands via a crafted hcp:// URL.
Zero Day Vulnerability in Windows Help Center CVE-2010-1885.
Exploit for the “Windows Help Center” of Windows XP ServicePack 2 and ServicePack 3.
- Full Disclosure post by Tavis Ormandy
- Microsoft Security Advisory (2219475) Vulnerability in Windows Help and Support Center Could Allow Remote Code Execution
- Microsoft Fix-It solution
- See a good description of this particular malware on CVE 2010-1885 exploited in the wild by Donato Ferrante - Sophos Labs
- Microsoft Help Center XSS and Command Execution Metasploit
- Microsoft Help Center Zero-Day Exploits Loose by Carolyn Guevarra (Trendlabs malware blog)
- Video and exploit sequence explanation by Hardez
- CVE-2010-1885 Analysis:
Exploit methods and the files involved are well described in Microsoft Help Center Zero-Day Exploits Loose by Carolyn Guevarra (Trendlabs malware blog). You can download all the files described (except o.exe) from the download link below.
Image from Trendlabs malware blog
Download CVE-2010-1885 files listed below as a password protected archive (contact me if you need the password)
1. File 62f4daf19da62595609d6a0c0089fcac received on 2010.06.24 04:16:26 (UTC)
Result: 28/41 (68.29%)

| Antivirus | Version | Last update | Result |
|---|---|---|---|
| a-squared | 5.0.0.30 | 2010.06.24 | Exploit.Win32.CVE-2010-1885!IK |
| AhnLab-V3 | 2010.06.24.00 | 2010.06.24 | Exploit/Cve-2010-1885 |
| AntiVir | 8.2.4.2 | 2010.06.23 | EXP/CVE-2010-1885 |
| Avast | 4.8.1351.0 | 2010.06.23 | HTML:CVE-2010-1885-A |
| Avast5 | 5.0.332.0 | 2010.06.23 | HTML:CVE-2010-1885-A |
| AVG | 9.0.0.836 | 2010.06.23 | Generic2_c.AMOL |
| BitDefender | 7.2 | 2010.06.24 | Exploit.CVE-2010-1885.A |
| CAT-QuickHeal | 10.00 | 2010.06.23 | HCP/CVE-2010-1885 |
| Comodo | 5198 | 2010.06.23 | UnclassifiedMalware |
| DrWeb | 5.0.2.03300 | 2010.06.24 | Exploit.Hcp |
| eSafe | 7.0.17.0 | 2010.06.23 | Win32.Exploit.HelpOv |
| eTrust-Vet | 36.1.7663 | 2010.06.24 | HTML/HCP.A |
| F-Secure | 9.0.15370.0 | 2010.06.24 | Exploit.CVE-2010-1885.A |
| GData | 21 | 2010.06.24 | Exploit.CVE-2010-1885.A |
| Ikarus | T3.1.1.84.0 | 2010.06.24 | Exploit.Win32.CVE-2010-1885 |
| Kaspersky | 7.0.0.125 | 2010.06.24 | Exploit.HTML.CVE-2010-1885.a |
| McAfee | 5.400.0.1158 | 2010.06.24 | Exploit-HelpOverflow |
| McAfee-GW-Edition | 2010.1 | 2010.06.23 | Exploit-HelpOverflow |
| Microsoft | 1.5902 | 2010.06.23 | Exploit:Win32/CVE-2010-1885.A |
| NOD32 | 5223 | 2010.06.23 | HTML/Exploit.CVE-2010-1885 |
| nProtect | 2010-06-23.02 | 2010.06.23 | Exploit.CVE-2010-1885.A |
| PCTools | 7.0.3.5 | 2010.06.24 | Exploit.CVE_2010_1885 |
| Sophos | 4.54.0 | 2010.06.24 | Mal/HcpExpl-A |
| Sunbelt | 6498 | 2010.06.24 | Exploit.HTML.HCP.a (v) |
| Symantec | 20101.1.0.89 | 2010.06.24 | Bloodhound.Exploit.337 |
| TrendMicro | 9.120.0.1004 | 2010.06.24 | TROJ_HCPEXP.A |
| TrendMicro-HouseCall | 9.120.0.1004 | 2010.06.24 | TROJ_HCPEXP.A |
| ViRobot | 2010.6.21.3896 | 2010.06.24 | JS.S.Exploit.1938 |

File size: 1938 bytes
MD5: 62f4daf19da62595609d6a0c0089fcac
2. File e2.ph.-n received on 2010.06.24 05:07:27 (UTC)
Result: 10/41 (24.39%)

| Antivirus | Version | Last update | Result |
|---|---|---|---|
| a-squared | 5.0.0.30 | 2010.06.24 | Win32.SuspectCrc!IK |
| AhnLab-V3 | 2010.06.24.00 | 2010.06.24 | Exploit/Cve-2010-1885 |
| AntiVir | 8.2.4.2 | 2010.06.23 | JS/Dldr.Agent.ags |
| AVG | 9.0.0.836 | 2010.06.23 | JS/Generic |
| Ikarus | T3.1.1.84.0 | 2010.06.24 | Win32.SuspectCrc |
| McAfee-GW-Edition | 2010.1 | 2010.06.23 | Heuristic.LooksLike.JS.Suspicious.B |
| Microsoft | 1.5902 | 2010.06.23 | TrojanDownloader:JS/Adodb.F |
| Sunbelt | 6498 | 2010.06.24 | Exploit.HTML.HCP.a (v) |
| TrendMicro | 9.120.0.1004 | 2010.06.24 | JS_HCPDL.A |
| TrendMicro-HouseCall | 9.120.0.1004 | 2010.06.24 | JS_HCPDL.A |

File size: 495 bytes
MD5: 61fc2470c3bb88f5128e4ff56f205f45
3. File hcpexp-a.ht.-n1 received on 2010.06.24 12:00:04 (UTC)
Result: 7/41 (17.08%)

| Antivirus | Version | Last update | Result |
|---|---|---|---|
| a-squared | 5.0.0.30 | 2010.06.24 | Win32.SuspectCrc!IK |
| AhnLab-V3 | 2010.06.24.00 | 2010.06.24 | Exploit/Cve-2010-1885 |
| Ikarus | T3.1.1.84.0 | 2010.06.24 | Win32.SuspectCrc |
| Sophos | 4.54.0 | 2010.06.24 | Mal/HcpExpl-A |
| Sunbelt | 6499 | 2010.06.24 | Exploit.HTML.HCP.a (v) |
| TrendMicro | 9.120.0.1004 | 2010.06.24 | JS_HCPDL.A |
| TrendMicro-HouseCall | 9.120.0.1004 | 2010.06.24 | JS_HCPDL.A |

File size: 609 bytes
MD5: 54cbf8255f2074d69ada2a20733412c5
4. http://www.virustotal.com/analisis/ef9da9a7b03e897e8f586b7a5a2274a0f678adb22ea6d04af3c488d9f7a8c80e-1277381519
File hcpexp-b.ht.-n2 received on 2010.06.24 12:11:59 (UTC)
Result: 25/40 (62.50%)

| Antivirus | Version | Last update | Result |
|---|---|---|---|
| a-squared | 5.0.0.30 | 2010.06.24 | Exploit.HTML.HCP!IK |
| AhnLab-V3 | 2010.06.24.00 | 2010.06.24 | Exploit/Cve-2010-1885 |
| Avast | 4.8.1351.0 | 2010.06.24 | HTML:CVE-2010-1885-A |
| Avast5 | 5.0.332.0 | 2010.06.24 | HTML:CVE-2010-1885-A |
| BitDefender | 7.2 | 2010.06.24 | Exploit.CVE-2010-1885.C |
| CAT-QuickHeal | 10.00 | 2010.06.24 | HCP/CVE-2010-1885 |
| Comodo | 5202 | 2010.06.24 | UnclassifiedMalware |
| DrWeb | 5.0.2.03300 | 2010.06.24 | Exploit.Hcp |
| F-Secure | 9.0.15370.0 | 2010.06.24 | Exploit.CVE-2010-1885.C |
| GData | 21 | 2010.06.24 | Exploit.CVE-2010-1885.C |
| Ikarus | T3.1.1.84.0 | 2010.06.24 | Exploit.HTML.HCP |
| Kaspersky | 7.0.0.125 | 2010.06.24 | Exploit.HTML.HCP.a |
| McAfee | 5.400.0.1158 | 2010.06.24 | Exploit-CVE2010-1885 |
| McAfee-GW-Edition | 2010.1 | 2010.06.24 | Exploit-CVE2010-1885 |
| Microsoft | 1.5902 | 2010.06.24 | Exploit:Win32/CVE-2010-1885.A |
| NOD32 | 5224 | 2010.06.24 | HTML/Exploit.CVE-2010-1885 |
| Norman | 6.05.10 | 2010.06.24 | Exploit/CVE-2010-1885 |
| nProtect | 2010-06-24.01 | 2010.06.24 | Exploit.CVE-2010-1885.C |
| PCTools | 7.0.3.5 | 2010.06.24 | HeurEngine.MaliciousExploit |
| Sophos | 4.54.0 | 2010.06.24 | Mal/HcpExpl-A |
| Sunbelt | 6499 | 2010.06.24 | Exploit.HTML.HCP.a (v) |
| Symantec | 20101.1.0.89 | 2010.06.24 | Bloodhound.Exploit.337 |
| TrendMicro | 9.120.0.1004 | 2010.06.24 | TROJ_HCPEXP.A |
| TrendMicro-HouseCall | 9.120.0.1004 | 2010.06.24 | TROJ_HCPEXP.A |
| ViRobot | 2010.6.21.3896 | 2010.06.24 | JS.S.Exploit.861 |

File size: 861 bytes
MD5: 2a8dd61b35b9426412b9d373daabae79
5. simple.asx
http://www.virustotal.com/analisis/65267e27757a91f370cc6866b5b31d84908b6a23ef9ca7e3bfdb54715f44dbdc-1277381067
File simple.as.-n received on 2010.06.24 12:04:27 (UTC)
Result: 4/41 (9.76%)

| Antivirus | Version | Last update | Result |
|---|---|---|---|
| a-squared | 5.0.0.30 | 2010.06.22 | JS.Downloader.Agent!IK |
| AntiVir | 8.2.2.6 | 2010.06.21 | JS/Dldr.Agent.AGS.4 |
| Ikarus | T3.1.1.84.0 | 2010.06.22 | JS.Downloader.Agent |
| Sunbelt | 6483 | 2010.06.21 | Exploit.HTML.HCP.a (v) |

File size: 216 bytes
MD5: 91bf808b33ee7a0f928b53b3a75c7670
6. http://www.virustotal.com/analisis/f85699a40c6b094e86f4d43c0b46966f0c09aba71b6d525287c74093cb04e7f5-1277381258
File test.js.-n received on 2010.06.24 12:07:38 (UTC)
Result: 12/41 (29.27%)

| Antivirus | Version | Last update | Result |
|---|---|---|---|
| a-squared | 5.0.0.30 | 2010.06.22 | Win32.SuspectCrc!IK |
| AhnLab-V3 | 2010.06.22.00 | 2010.06.22 | Exploit/Cve-2010-1885 |
| AntiVir | 8.2.2.6 | 2010.06.21 | JS/Dldr.Agent.AGS.3 |
| AVG | 9.0.0.787 | 2010.06.21 | Generic2_c.ANAY |
| Ikarus | T3.1.1.84.0 | 2010.06.22 | Win32.SuspectCrc |
| McAfee-GW-Edition | 2010.1 | 2010.06.22 | Heuristic.LooksLike.JS.Suspicious.B |
| Microsoft | 1.5902 | 2010.06.22 | TrojanDownloader:JS/Adodb.G |
| nProtect | 2010-06-21.01 | 2010.06.21 | Script/W32.Agent.HN |
| Sunbelt | 6483 | 2010.06.21 | Exploit.HTML.HCP.a (v) |
| TrendMicro | 9.120.0.1004 | 2010.06.22 | JS_HCPDL.A |
| TrendMicro-HouseCall | 9.120.0.1004 | 2010.06.22 | JS_HCPDL.A |
| ViRobot | 2010.6.21.3896 | 2010.06.22 | JS.S.Exploit.794 |

File size: 794 bytes
MD5: 1682de49b9eafddbec850d1f282caf8d
7. o.exe (not available for download, sorry)
http://www.virustotal.com/analisis/5f85962f028ab06d02afb71ed6080dd57502ae58a00b6678dc10e1c6b94b6c6e-1276598854
or
http://www.virustotal.com/analisis/5f85962f028ab06d02afb71ed6080dd57502ae58a00b6678dc10e1c6b94b6c6e-1276650904
File o.exe received on 2010.06.15 10:47:34 (UTC)
Result: 2/41 (2.44%)

| Antivirus | Version | Last update | Result |
|---|---|---|---|
| DrWeb | 5.0.2.03300 | 2010.06.15 | SCRIPT.Virus |
| Sophos | 4.54.0 | 2010.06.16 | Troj/Drop-FS |

File size: 13193076 bytes
MD5: a2f8bafef7c0d3af2bd54466b3ec2fb2