CVE-2004-0474
CVSS 5.1
Published: 2004-07-07 00:00:00
Last modified: 2016-10-17 22:45:33

[Original] Help Center (HelpCtr.exe) may allow remote attackers to read or execute arbitrary files via an "http://" or "file://" argument to the topic parameter in an hcp:// URL. NOTE: since the initial report of this problem, several researchers have been unable to reproduce this issue.


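[CNNVD] Microsoft Windows XP HCP URI Handler Arbitrary Command Execution Vulnerability (CNNVD-200407-008)

        Help Center (HelpCtr.exe) contains a vulnerability. A remote attacker can read or execute arbitrary files via an "http://" or "file://" argument to the topic parameter in an hcp:// URL.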

- CVSS (base score)

CVSS score: 5.1 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_xp::sp1:home
cpe:/o:microsoft:windows_xp::gold:professional (Microsoft Windows XP Professional Gold)
cpe:/o:microsoft:windows_xp:::home

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0474
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0474
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200407-008
(official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/fulldisclosure/2004-02/0440.html
(VENDOR_ADVISORY)  FULLDISC  20040210 Re: HelpCtr - allow open any page or run
http://archives.neohapsis.com/archives/fulldisclosure/2004-02/0450.html
(UNKNOWN)  FULLDISC  20040210 Re: HelpCtr - allow open any page or run
http://archives.neohapsis.com/archives/fulldisclosure/2004-02/0688.html
(UNKNOWN)  FULLDISC  20040213 Re: HelpCtr - allow open any page or run
http://marc.info/?l=bugtraq&m=107652584102003&w=2
(UNKNOWN)  BUGTRAQ  20040211 Re: HelpCtr - allow open any page or run
http://www.securityfocus.com/archive/1/353248
(UNKNOWN)  BUGTRAQ  20040207 HelpCtr - allow open any page or run
http://www.securityfocus.com/bid/9621
(VENDOR_ADVISORY)  BID  9621
http://xforce.iss.net/xforce/xfdb/15101
(VENDOR_ADVISORY)  XF  winxp-helpctr-hcp-xss(15101)

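- Vulnerability information

Microsoft Windows XP HCP URI Handler Arbitrary Command Execution Vulnerability
Medium severity; input validation
2004-07-07 00:00:00 2005-10-20 00:00:00
Remote
        Help Center (HelpCtr.exe) contains a vulnerability. A remote attacker can read or execute arbitrary files via an "http://" or "file://" argument to the topic parameter in an hcp:// URL.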

- Advisories and patches

        Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .

- Vulnerability information (23675)

Microsoft Windows XP HCP URI Handler Arbitrary Command Execution Vulnerability (EDBID:23675)
windows remote
2004-02-09 Verified
0 Bartosz Kwitkowski
N/A
source: http://www.securityfocus.com/bid/9621/info

The Microsoft Windows XP HCP URI handler has been reported prone to a vulnerability that may provide for arbitrary command execution. The issue is reported to present itself when a specially formatted HCP URI that references a local resource is processed. A remote attacker may exploit this issue to have arbitrary commands executed in the context of the user who followed the link.

This issue has been reported to be present in Polish versions of Windows XP SP1; other versions may also be vulnerable.

hcp://services/layout/contentonly?topic=...

where ... is a correct URL

http:// for page
file:/// for run (remember use / (slash) in path e.g. c:/windows/system32/...

The following additional example vectors have been supplied:
hcp://services/layout/fullwindow?topic=
hcp://services/centers/support?topic=

Additional proof-of-concepts were provided in the "IE ms-its: and mk:@MSITStore: vulnerability" BugTraq post by Roozbeh Afrasiabi.		

- Vulnerability information

15981
Microsoft Windows XP helpctr.exe Crafted URL Command Execution
Remote / Network Access Input Manipulation
Loss of Integrity

- Vulnerability description

The Help Center ('HelpCtr.exe') in Microsoft Windows XP has been reported to contain a flaw that may allow a remote attacker to execute arbitrary commands. The issue is supposedly triggered when issuing a 'http://' or 'file://' argument to the topic parameter in an 'hcp://' URL, which may allow a remote attacker to execute arbitrary commands. However, this flaw could not be validated.

- Timeline

2004-02-08 Unknown
Unknown Unknown

- Solution

The vulnerability reported is incorrect. No solution required.

- Related references

- Vulnerability author

- Vulnerability information

Microsoft Windows XP HCP URI Handler Arbitrary Command Execution Vulnerability
Input Validation Error 9621
Yes No
2004-02-09 12:00:00 2009-07-12 02:06:00
Discovery of this vulnerability has been credited to Bartosz Kwitkowski <bartosz@wb.pl>.

- Affected program versions

Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Home SP1
Microsoft Windows XP Home

- Vulnerability discussion

The Microsoft Windows XP HCP URI handler has been reported prone to a vulnerability that may provide for arbitrary command execution. The issue is reported to present itself when a specially formatted HCP URI that references a local resource is processed. A remote attacker may exploit this issue to have arbitrary commands executed in the context of the user who followed the link.

This issue has been reported to be present in Polish versions of Windows XP SP1; other versions may also be vulnerable.

- Exploit

The following examples have been supplied:

hcp://services/layout/contentonly?topic=...

where ... is a correct URL

http:// for page
file:/// for run (remember use / (slash) in path e.g. c:/windows/system32/...

The following additional example vectors have been supplied:
hcp://services/layout/fullwindow?topic=
hcp://services/centers/support?topic=

Additional proof-of-concepts were provided in the "IE ms-its: and mk:@MSITStore: vulnerability" BugTraq post by Roozbeh Afrasiabi.

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Related references

 

 
