Microsoft Windows URI protocol handling command execution (Windows_URI_Command_Exec)

About this signature or vulnerability

BlackICE PC Protection, RealSecure Network, RealSecure Server Sensor, Proventia Network IPS, Proventia Desktop, Proventia-G 1.1 and earlier, Proventia Server IPS for Linux technology, Proventia Network MFS, BlackICE Server Protection, Proventia Server IPS for Microsoft Windows technology:

This signature detects a URI that looks like an attempt to trigger command execution in vulnerable hosts.


Default risk level

High

Sensors that have this signature

BlackICE PC Protection: 3.6cqq, RealSecure Network: XPU 27.100, RealSecure Server Sensor: XPU 27.100, Proventia Network IPS: XPU 27.100, Proventia Desktop: 2110, Proventia-G 1.1 and earlier: XPU 27.100, Proventia Server IPS for Linux technology: 27.100, Proventia Network MFS: XPU 27.100, BlackICE Server Protection: 3.6.cqq, Proventia Server IPS for Microsoft Windows technology: 1.0.914.2110

Systems affected

Microsoft Internet Explorer: 7, Microsoft Windows 2003 Server: SP2 x64, Microsoft Windows XP: SP2 x64-Professional, Microsoft Windows 2003 Server: SP2, Microsoft Windows 2003 Server: SP2 Itanium, Microsoft Windows 2003 Server: SP1 Itanium, Microsoft Windows XP: x64-Professional, Microsoft Windows 2003 Server: SP1, HP Storage Management Appliance: 2.1, Microsoft Windows 2003 Server: x64, Microsoft Windows XP: SP2

Type

Unauthorized Access Attempt

Vulnerability description

A vulnerability in the Microsoft Windows protocol handler on Windows XP and Windows 2000 systems with Internet Explorer 7 installed could allow a remote attacker to execute arbitrary commands on the system. This vulnerability is caused by improper handling of certain Uniform Resource Identifiers (URIs), including the mailto, nntp, news, snews, and telnet protocol handlers. By persuading a victim to visit a specially crafted Web page that calls one of the vulnerable protocol handlers, a remote attacker could exploit this vulnerability to inject and execute arbitrary shell commands on the system.

Note: This vulnerability has multiple attack vectors that are exploitable via multiple third-party applications. These applications include Mozilla Firefox, Adobe Reader, Adobe Acrobat, Microsoft Outlook, Skype, and possibly other applications. See References for more information.
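The following heuristic scanner is an added illustration of the kind of check a network or mail gateway can apply to page content; it is not the logic of the ISS signature described above. The scheme list is taken from the vulnerability description, and the characters it looks for (double quote, percent, NUL byte) come from the titles of the X-Force entries in the References. The HTML lines it scans are constructed for this example.

```python
"""Heuristic scan for protocol-handler URIs carrying characters that the
referenced handlers are described as filtering poorly.

Added illustration only; it is not the logic of the ISS signature. The
scheme list comes from the vulnerability description, the character list
from the titles of the referenced X-Force entries (double-quote, percent,
NUL byte). Sample HTML lines below are constructed for this example.
"""
import re
from urllib.parse import unquote

# Protocol handlers named in the vulnerability description.
VULNERABLE_SCHEMES = ("mailto", "nntp", "news", "snews", "telnet")

# Characters that a well-formed argument to these handlers has no reason
# to contain once percent-decoded.
SUSPICIOUS_CHARS = {'"': "double-quote", "%": "percent", "\x00": "NUL"}

# A URI is taken from "<scheme>:" up to whitespace, a tag delimiter or the
# attribute's closing quote, so a raw quote is itself a delimiter and only
# an encoded one (%22) reaches the argument.
URI_RE = re.compile(
    r"\b(" + "|".join(VULNERABLE_SCHEMES) + r"):([^\s<>'\"]+)", re.IGNORECASE
)


def find_suspicious_uris(text):
    """Return [(scheme, raw_argument, reasons)] for each flagged URI in text."""
    hits = []
    for match in URI_RE.finditer(text):
        scheme, raw_arg = match.group(1).lower(), match.group(2)
        # Decode once, so %22, %25 and %00 show up as the handler would see them.
        # A stray '%' that is not a valid escape survives decoding and is flagged.
        decoded = unquote(raw_arg)
        reasons = sorted(
            name for char, name in SUSPICIOUS_CHARS.items() if char in decoded
        )
        if reasons:
            hits.append((scheme, raw_arg, reasons))
    return hits


def scan_lines(lines):
    """Scan numbered lines; return [(line_no, scheme, raw_argument, reasons)]."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        for scheme, raw_arg, reasons in find_suspicious_uris(line):
            findings.append((line_no, scheme, raw_arg, reasons))
    return findings


# Constructed sample lines: three ordinary links, two with encoded characters
# that should never appear in a mailto:/telnet: argument.
SAMPLE_HTML_LINES = [
    '<a href="mailto:sales@example.com?subject=Quote">Contact sales</a>',
    '<a href="news:comp.security.announce">Announcements</a>',
    '<a href="telnet:bbs.example.net">BBS</a>',
    "<a href='mailto:user%22%25name@example.com'>Send</a>",  # encoded " and %
    '<a href="telnet:host%00trailing">Connect</a>',  # encoded NUL byte
]

if __name__ == "__main__":
    for line_no, scheme, raw_arg, reasons in scan_lines(SAMPLE_HTML_LINES):
        print(f"line {line_no}: {scheme}:{raw_arg!r} -> {', '.join(reasons)}")
```

Running the block reports only the fourth and fifth sample lines. The check is deliberately narrow: it matches literal `scheme:` prefixes, so a handler URI that is itself wholly percent-encoded inside another URL's query string is not caught, and a gateway that wants that coverage has to decode the enclosing URL first and rescan.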

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS07-061. See References.

References

Microsoft Security Advisory (943521)
URL Handling Vulnerability in Windows XP and Windows Server 2003 with Windows Internet Explorer 7 Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/943521.mspx

ZDNet Blog October 10th, 2007
MS Outlook flaw adds new twist to URI handling saga
http://blogs.zdnet.com/security/?p=577

Heise Security News, Report of 05.10.2007 14:45
URI problem also affects Acrobat Reader and Netscape
http://www.heise-security.co.uk/news/96982

BugTraq Mailing List, 2007-10-03 16:06:29
0day: mIRC pwns Windows
http://marc.info/?l=bugtraq&m=119143780202107&w=2

Billy (BK) Rios Blog, Tuesday, July 24th, 2007
Remote Command Execution in FireFox et al
http://xs-sniper.com/blog/2007/07/24/remote-command-execution-in-firefox-2005/

Full-Disclosure Mailing List, Tue Jul 24 2007 - 19:02:10 CDT
More URI Handling Vulnerabilites (FireFox Remote Command Execution)
http://archives.neohapsis.com/archives/fulldisclosure/2007-07/0546.html

IBM Internet Security Systems X-Force Database
Multiple Mozilla products URI double-quote and space filtering command execution
http://xforce.iss.net/xforce/xfdb/38327

IBM Internet Security Systems X-Force Database
Adobe Acrobat and Reader mailto: PDF code execution
http://xforce.iss.net/xforce/xfdb/36722

IBM Internet Security Systems X-Force Database
Mozilla Firefox URI NULL byte filtering command execution
http://xforce.iss.net/xforce/xfdb/38321

IBM Internet Security Systems X-Force Database
Netscape Navigator URI NULL byte filtering command execution
http://xforce.iss.net/xforce/xfdb/38322

IBM Internet Security Systems X-Force Database
Multiple Mozilla products URI percent filtering command execution
http://xforce.iss.net/xforce/xfdb/38323

IBM Internet Security Systems X-Force Database
Microsoft Outlook and Outlook Express URI handling command execution
http://xforce.iss.net/xforce/xfdb/38324

IBM Internet Security Systems X-Force Database
Mozilla URI handling command execution
http://xforce.iss.net/xforce/xfdb/38325

IBM Internet Security Systems X-Force Database
Mozilla Firefox mailto: URI handling command execution
http://xforce.iss.net/xforce/xfdb/38326

Microsoft Security Bulletin MS07-061
Vulnerability in Windows URI Handling Could Allow Remote Code Execution (943460)
http://www.microsoft.com/technet/security/Bulletin/MS07-061.mspx

IBM Internet Security Systems Protection Alert, Oct. 15, 2007
Multiple vendor products URI handling command execution
http://www.iss.net/threats/276.html

Nortel Web site
Nortel Response to Microsoft Security Bulletin MS07-061
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=668436

HPSBST02291 SSRT071498
Storage Management Appliance (SMA), Microsoft Patch Applicability MS07-061 and MS07-062
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01287209&jumpid=reg_R1002_USEN

SKYPE-SB/2007-001
Improper handling of URI arguments
http://skype.com/security/skype-sb-2007-001.html

ISS X-Force
Microsoft Windows URI protocol handling command execution
http://www.iss.net/security_center/static/35582.php

CVE
CVE-2007-3896
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3896