Vulnerabilities > CVE-2010-0483 - Code Injection vulnerability in Microsoft products

047910
CVSS 7.6 - HIGH
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
high complexity
microsoft
CWE-94
nessus
exploit available
metasploit
NVD
Published: 2010-03-03
Updated: 2019-02-26

Summary

vbscript.dll in VBScript 5.1, 5.6, 5.7, and 5.8 in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2, when Internet Explorer is used, allows user-assisted remote attackers to execute arbitrary code by referencing a (1) local pathname, (2) UNC share pathname, or (3) WebDAV server with a crafted .hlp file in the fourth argument (aka helpfile argument) to the MsgBox function, leading to code execution involving winhlp32.exe when the F1 key is pressed, aka "VBScript Help Keypress Vulnerability."

Vulnerable Configurations

Part Description Count
OS
Microsoft
7
Application
Microsoft
3

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Manipulating User-Controlled Variables
    This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.

Exploit-Db

  • descriptionMicrosoft Internet Explorer 6 / 7 / 8 - 'winhlp32.exe' 'MsgBox()' Remote Code Execution Vulnerability. CVE-2010-0483. Remote exploit for win32 platform
    idEDB-ID:11615
    last seen2016-02-01
    modified2010-03-02
    published2010-03-02
    reporterMaurycy Prodeus
    sourcehttps://www.exploit-db.com/download/11615/
    titleMicrosoft Internet Explorer 6 / 7 / 8 - 'winhlp32.exe' 'MsgBox' Remote Code Execution Vulnerability
  • descriptionInternet Explorer Winhlp32.exe MsgBox Code Execution. CVE-2010-0483. Remote exploit for windows platform
    idEDB-ID:16541
    last seen2016-02-02
    modified2010-09-28
    published2010-09-28
    reportermetasploit
    sourcehttps://www.exploit-db.com/download/16541/
    titleMicrosoft Internet Explorer - Winhlp32.exe MsgBox Code Execution

Metasploit

descriptionThis module exploits a code execution vulnerability that occurs when a user presses F1 on MessageBox originated from VBscript within a web page. When the user hits F1, the MessageBox help functionality will attempt to load and use a HLP file from an SMB or WebDAV (if the WebDAV redirector is enabled) server. This particular version of the exploit implements a WebDAV server that will serve HLP file as well as a payload EXE. During testing warnings about the payload EXE being unsigned were witnessed. A future version of this module might use other methods that do not create such a warning.
idMSF:EXPLOIT/WINDOWS/BROWSER/MS10_022_IE_VBSCRIPT_WINHLP32
last seen2020-05-21
modified2019-05-23
published2010-04-15
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ms10_022_ie_vbscript_winhlp32.rb
titleMS10-022 Microsoft Internet Explorer Winhlp32.exe MsgBox Code Execution

Msbulletin

bulletin_idMS10-022
bulletin_url
date2010-04-13T00:00:00
impactRemote Code Execution
knowledgebase_id981169
knowledgebase_url
severityImportant
titleVulnerability in VBScript Scripting Engine Could Allow Remote Code Execution

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS10-022.NASL
descriptionThe installed version of the VBScript Scripting Engine allows an attacker to specify a Help file location when displaying a dialog box on a web page. If a user can be tricked into pressing the F1 key while such a dialog box is being displayed, an attacker can leverage this to cause the Windows Help System to load a specially crafted Help file, resulting in execution of arbitrary code subject to the user
last seen2020-06-01
modified2020-06-02
plugin id45509
published2010-04-13
reporterThis script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/45509
titleMS10-022: Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (981169)

Oval

  • accepted2015-08-10T04:01:09.422-04:00
    classvulnerability
    contributors
    • nameDragos Prisaca
      organizationSymantec Corporation
    • nameDragos Prisaca
      organizationSymantec Corporation
    • nameMaria Mikhno
      organizationALTX-SOFT
    • nameMaria Mikhno
      organizationALTX-SOFT
    • nameMaria Mikhno
      organizationALTX-SOFT
    definition_extensions
    • commentMicrosoft Windows 2000 is installed
      ovaloval:org.mitre.oval:def:85
    • commentMicrosoft Windows XP (32-bit) is installed
      ovaloval:org.mitre.oval:def:1353
    • commentMicrosoft Windows XP x64 is installed
      ovaloval:org.mitre.oval:def:15247
    • commentMicrosoft Windows Server 2003 (32-bit) is installed
      ovaloval:org.mitre.oval:def:1870
    • commentMicrosoft Windows Server 2003 (x64) is installed
      ovaloval:org.mitre.oval:def:730
    • commentMicrosoft Windows Server 2003 (ia64) Gold is installed
      ovaloval:org.mitre.oval:def:396
    • commentVBScript 5.6 is installed
      ovaloval:org.mitre.oval:def:28988
    • commentVBScript 5.1 is installed
      ovaloval:org.mitre.oval:def:28636
    • commentMicrosoft Windows 2000 is installed
      ovaloval:org.mitre.oval:def:85
    • commentMicrosoft Windows XP (32-bit) is installed
      ovaloval:org.mitre.oval:def:1353
    • commentMicrosoft Windows XP x64 is installed
      ovaloval:org.mitre.oval:def:15247
    • commentMicrosoft Windows Server 2003 (32-bit) is installed
      ovaloval:org.mitre.oval:def:1870
    • commentMicrosoft Windows Server 2003 (x64) is installed
      ovaloval:org.mitre.oval:def:730
    • commentMicrosoft Windows Server 2003 (ia64) Gold is installed
      ovaloval:org.mitre.oval:def:396
    • commentVBScript 5.7 is installed
      ovaloval:org.mitre.oval:def:29032
    • commentMicrosoft Windows Vista (32-bit) is installed
      ovaloval:org.mitre.oval:def:1282
    • commentMicrosoft Windows Vista x64 Edition is installed
      ovaloval:org.mitre.oval:def:2041
    • commentVBScript 5.7 is installed
      ovaloval:org.mitre.oval:def:29032
    • commentMicrosoft Windows Vista (32-bit) is installed
      ovaloval:org.mitre.oval:def:1282
    • commentMicrosoft Windows Vista x64 Edition is installed
      ovaloval:org.mitre.oval:def:2041
    • commentVBScript 5.7 is installed
      ovaloval:org.mitre.oval:def:29032
    • commentMicrosoft Windows Vista (32-bit) is installed
      ovaloval:org.mitre.oval:def:1282
    • commentMicrosoft Windows Vista x64 Edition is installed
      ovaloval:org.mitre.oval:def:2041
    • commentMicrosoft Windows Server 2008 (32-bit) is installed
      ovaloval:org.mitre.oval:def:4870
    • commentMicrosoft Windows Server 2008 (64-bit) is installed
      ovaloval:org.mitre.oval:def:5356
    • commentMicrosoft Windows Server 2008 (ia-64) is installed
      ovaloval:org.mitre.oval:def:5667
    • commentVBScript 5.7 is installed
      ovaloval:org.mitre.oval:def:29032
    • commentMicrosoft Windows Vista (32-bit) is installed
      ovaloval:org.mitre.oval:def:1282
    • commentMicrosoft Windows Vista x64 Edition is installed
      ovaloval:org.mitre.oval:def:2041
    • commentMicrosoft Windows Server 2008 (32-bit) is installed
      ovaloval:org.mitre.oval:def:4870
    • commentMicrosoft Windows Server 2008 (64-bit) is installed
      ovaloval:org.mitre.oval:def:5356
    • commentMicrosoft Windows Server 2008 (ia-64) is installed
      ovaloval:org.mitre.oval:def:5667
    • commentVBScript 5.7 is installed
      ovaloval:org.mitre.oval:def:29032
    • commentMicrosoft Windows Vista (32-bit) is installed
      ovaloval:org.mitre.oval:def:1282
    • commentMicrosoft Windows Server 2008 (32-bit) is installed
      ovaloval:org.mitre.oval:def:4870
    • commentMicrosoft Windows Vista x64 Edition is installed
      ovaloval:org.mitre.oval:def:2041
    • commentMicrosoft Windows Server 2008 (64-bit) is installed
      ovaloval:org.mitre.oval:def:5356
    • commentMicrosoft Windows Server 2008 (ia-64) is installed
      ovaloval:org.mitre.oval:def:5667
    • commentVBScript 5.7 is installed
      ovaloval:org.mitre.oval:def:29032
    • commentMicrosoft Windows Vista (32-bit) is installed
      ovaloval:org.mitre.oval:def:1282
    • commentMicrosoft Windows Server 2008 (32-bit) is installed
      ovaloval:org.mitre.oval:def:4870
    • commentMicrosoft Windows Vista x64 Edition is installed
      ovaloval:org.mitre.oval:def:2041
    • commentMicrosoft Windows Server 2008 (64-bit) is installed
      ovaloval:org.mitre.oval:def:5356
    • commentMicrosoft Windows Server 2008 (ia-64) is installed
      ovaloval:org.mitre.oval:def:5667
    • commentVBScript 5.7 is installed
      ovaloval:org.mitre.oval:def:29032
    • commentMicrosoft Windows 2000 is installed
      ovaloval:org.mitre.oval:def:85
    • commentMicrosoft Windows XP (32-bit) is installed
      ovaloval:org.mitre.oval:def:1353
    • commentMicrosoft Windows XP x64 is installed
      ovaloval:org.mitre.oval:def:15247
    • commentMicrosoft Windows Server 2003 (32-bit) is installed
      ovaloval:org.mitre.oval:def:1870
    • commentMicrosoft Windows Server 2003 (x64) is installed
      ovaloval:org.mitre.oval:def:730
    • commentVBScript 5.8 is installed
      ovaloval:org.mitre.oval:def:28109
    • commentMicrosoft Windows Vista (32-bit) is installed
      ovaloval:org.mitre.oval:def:1282
    • commentMicrosoft Windows Vista x64 Edition is installed
      ovaloval:org.mitre.oval:def:2041
    • commentMicrosoft Windows Server 2008 (32-bit) is installed
      ovaloval:org.mitre.oval:def:4870
    • commentMicrosoft Windows Server 2008 (64-bit) is installed
      ovaloval:org.mitre.oval:def:5356
    • commentMicrosoft Windows Server 2008 (ia-64) is installed
      ovaloval:org.mitre.oval:def:5667
    • commentVBScript 5.8 is installed
      ovaloval:org.mitre.oval:def:28109
    • commentMicrosoft Windows Vista (32-bit) is installed
      ovaloval:org.mitre.oval:def:1282
    • commentMicrosoft Windows Vista x64 Edition is installed
      ovaloval:org.mitre.oval:def:2041
    • commentMicrosoft Windows Server 2008 (32-bit) is installed
      ovaloval:org.mitre.oval:def:4870
    • commentMicrosoft Windows Server 2008 (64-bit) is installed
      ovaloval:org.mitre.oval:def:5356
    • commentMicrosoft Windows Server 2008 (ia-64) is installed
      ovaloval:org.mitre.oval:def:5667
    • commentVBScript 5.8 is installed
      ovaloval:org.mitre.oval:def:28109
    • commentMicrosoft Windows 7 (32-bit) is installed
      ovaloval:org.mitre.oval:def:6165
    • commentMicrosoft Windows 7 x64 Edition is installed
      ovaloval:org.mitre.oval:def:5950
    • commentMicrosoft Windows Server 2008 R2 x64 Edition is installed
      ovaloval:org.mitre.oval:def:6438
    • commentMicrosoft Windows Server 2008 R2 Itanium-Based Edition is installed
      ovaloval:org.mitre.oval:def:5954
    • commentVBScript 5.8 is installed
      ovaloval:org.mitre.oval:def:28109
    • commentMicrosoft Windows 7 (32-bit) is installed
      ovaloval:org.mitre.oval:def:6165
    • commentMicrosoft Windows 7 x64 Edition is installed
      ovaloval:org.mitre.oval:def:5950
    • commentMicrosoft Windows Server 2008 R2 x64 Edition is installed
      ovaloval:org.mitre.oval:def:6438
    • commentMicrosoft Windows Server 2008 R2 Itanium-Based Edition is installed
      ovaloval:org.mitre.oval:def:5954
    • commentVBScript 5.8 is installed
      ovaloval:org.mitre.oval:def:28109
    descriptionvbscript.dll in VBScript 5.1, 5.6, 5.7, and 5.8 in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2, when Internet Explorer is used, allows user-assisted remote attackers to execute arbitrary code by referencing a (1) local pathname, (2) UNC share pathname, or (3) WebDAV server with a crafted .hlp file in the fourth argument (aka helpfile argument) to the MsgBox function, leading to code execution involving winhlp32.exe when the F1 key is pressed, aka "VBScript Help Keypress Vulnerability."
    familywindows
    idoval:org.mitre.oval:def:7170
    statusaccepted
    submitted2010-03-13T13:00:00
    titleVBScript Help Keypress Vulnerability
    version81
  • classvulnerability
    contributors
    • nameDragos Prisaca
      organizationSymantec Corporation
    • nameJ. Daniel Brown
      organizationDTCC
    definition_extensions
    • commentMicrosoft Windows 2000 SP4 or later is installed
      ovaloval:org.mitre.oval:def:229
    • commentMicrosoft Windows XP (x86) SP2 is installed
      ovaloval:org.mitre.oval:def:754
    • commentMicrosoft Windows XP (x86) SP3 is installed
      ovaloval:org.mitre.oval:def:5631
    • commentMicrosoft Windows XP x64 Edition SP2 is installed
      ovaloval:org.mitre.oval:def:4193
    • commentMicrosoft Windows Server 2003 SP2 (x86) is installed
      ovaloval:org.mitre.oval:def:1935
    • commentMicrosoft Windows Server 2003 SP2 (x64) is installed
      ovaloval:org.mitre.oval:def:2161
    • commentMicrosoft Windows Server 2003 (ia64) SP2 is installed
      ovaloval:org.mitre.oval:def:1442
    descriptionvbscript.dll in VBScript 5.1, 5.6, 5.7, and 5.8 in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2, when Internet Explorer is used, allows user-assisted remote attackers to execute arbitrary code by referencing a (1) local pathname, (2) UNC share pathname, or (3) WebDAV server with a crafted .hlp file in the fourth argument (aka helpfile argument) to the MsgBox function, leading to code execution involving winhlp32.exe when the F1 key is pressed, aka "VBScript Help Keypress Vulnerability."
    familywindows
    idoval:org.mitre.oval:def:8654
    statusdeprecated
    submitted2010-03-02T10:00:00
    titleRemote Code Execution vulnerability in VBScript
    version21

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/88398/ms10_022_ie_vbscript_winhlp32.rb.txt
idPACKETSTORM:88398
last seen2016-12-05
published2010-04-15
reporterMaurycy Prodeus
sourcehttps://packetstormsecurity.com/files/88398/Internet-Explorer-Winhlp32.exe-MsgBox-Code-Execution.html
titleInternet Explorer Winhlp32.exe MsgBox Code Execution

Seebug

  • bulletinFamilyexploit
    descriptionBUGTRAQ ID: 38463 CVE ID: CVE-2010-0483 Internet Explorer是Windows操作系统中默认捆绑的web浏览器。 用户可以使用VBScript从IE调用winhlp32.exe服务,如果向该服务传送了恶意的.HLP文件就会导致执行任意命令。 必需一些用户交互才可以触发这个漏洞,在显示MsgBox弹出框时用户需要按下F1。以下是MsgBox函数的句法: MsgBox(prompt[,buttons][,title][,helpfile,context]) 可向helpfile参数传送远程samba共享。此外helpfile参数超长时还可以触发栈溢出,但在XP上winhlp32.exe编译了/GS标记,可有效的防范栈溢出。 Microsoft Internet Explorer 8.0 Microsoft Internet Explorer 7.0 Microsoft Internet Explorer 6.0 SP1 Microsoft Internet Explorer 6.0 Microsoft Windows XP SP3 Microsoft Windows XP SP2 Microsoft Windows Server 2003 SP2 Microsoft Windows 2000SP4 Microsoft VBScript 5.8 Microsoft VBScript 5.7 Microsoft VBScript 5.6 Microsoft VBScript 5.1 临时解决方法: 如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁: * 网站提示时不要按下F1键。 * 限制对 Windows帮助系统的访问: echo Y | cacls "%windir%\winhlp32.exe" /E /R everyone * 将Internet Explorer配置为在Internet和本地Intranet安全区域中运行ActiveX控件和活动脚本之前进行提示。 * 将Internet 和本地Intranet安全区域设置设为“高”,以便在这些区域中运行ActiveX控件和活动脚本之前进行提示。 厂商补丁: Microsoft --------- Microsoft已经为此发布了一个安全公告(MS10-022)以及相应补丁: MS10-022:Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (981169) 链接:http://www.microsoft.com/technet/security/bulletin/MS10-022.mspx?pf=true
    idSSV:19445
    last seen2017-11-19
    modified2010-04-14
    published2010-04-14
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-19445
    titleMicrosoft IE winhlp32.exe服务远程代码执行漏洞(MS10-022)
  • bulletinFamilyexploit
    descriptionBUGTRAQ ID: 38463 CVE(CAN) ID: CVE-2010-0483 Internet Explorer是Windows操作系统中默认捆绑的web浏览器。 用户可以使用VBScript从IE调用winhlp32.exe服务,如果向该服务传送了恶意的.HLP文件就会导致执行任意命令。 必需一些用户交互才可以触发这个漏洞,在显示MsgBox弹出框时用户需要按下F1。以下是MsgBox函数的句法: MsgBox(prompt[,buttons][,title][,helpfile,context]) 可向helpfile参数传送远程samba共享。此外helpfile参数超长时还可以触发栈溢出,但在XP上winhlp32.exe编译了/GS标记,可有效的防范栈溢出。 Microsoft Internet Explorer 8.0 Microsoft Internet Explorer 7.0 Microsoft Internet Explorer 6.0 SP1 Microsoft Internet Explorer 6.0 Microsoft Windows XP SP3 Microsoft Windows XP SP2 Microsoft Windows Server 2003 SP2 Microsoft Windows 2000SP4 临时解决方法: 如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁: * 网站提示时不要按下F1键。 * 限制对 Windows帮助系统的访问: echo Y | cacls "%windir%\winhlp32.exe" /E /R everyone * 将Internet Explorer配置为在Internet和本地Intranet安全区域中运行ActiveX控件和活动脚本之前进行提示。 * 将Internet 和本地Intranet安全区域设置设为“高”,以便在这些区域中运行ActiveX控件和活动脚本之前进行提示。 厂商补丁: Microsoft --------- 目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: http://www.microsoft.com/windows/ie/default.asp
    idSSV:19211
    last seen2017-11-19
    modified2010-03-04
    published2010-03-04
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-19211
    titleInternet Explorer winhlp32.exe 'MsgBox()'远程代码执行漏洞

References