Vulnerability Details: CVE-2010-1885
Public exploit exists!
The MPC::HexToNum function in helpctr.exe in Microsoft Windows Help and Support Center in Windows XP and Windows Server 2003 does not properly handle malformed escape sequences, which allows remote attackers to bypass the trusted documents whitelist (fromHCP option) and execute arbitrary commands via a crafted hcp:// URL, aka "Help Center URL Validation Vulnerability."
Exploit prediction scoring system (EPSS) score for CVE-2010-1885
Probability of exploitation activity in the next 30 days: 97.37%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 100 %
Metasploit modules for CVE-2010-1885
- Microsoft Help Center XSS and Command Execution
  Disclosure Date: 2010-06-09
  First seen: 2020-04-26
  exploit/windows/browser/ms10_042_helpctr_xss_cmd_exec
  Help and Support Center is the default application provided to access online documentation for Microsoft Windows. Microsoft supports accessing help documents directly via URLs by installing a protocol handler for the scheme "hcp". Due to an error in validation of i
CVSS scores for CVE-2010-1885
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
9.3 | HIGH | AV:N/AC:M/Au:N/C:C/I:C/A:C | 8.6 | 10.0 | NIST |
CWE ids for CVE-2010-1885
- The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2010-1885
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-042
  Microsoft Security Bulletin MS10-042 - Critical | Microsoft Docs
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11733
  Repository / Oval Repository
- http://blogs.technet.com/b/srd/archive/2010/06/10/help-and-support-center-vulnerability-full-disclosure-posting.aspx
  Help and Support Center vulnerability full-disclosure posting – Microsoft Security Response Center [Vendor Advisory]
- http://www.securityfocus.com/archive/1/511774/100/0/threaded
  SecurityFocus
- http://www.microsoft.com/technet/security/advisory/2219475.mspx
  Technical documentation, API, and code examples | Microsoft Docs [Vendor Advisory]
- https://exchange.xforce.ibmcloud.com/vulnerabilities/59267
  Microsoft Windows helpctr.exe command execution CVE-2010-1885 Vulnerability Report
- http://www.securityfocus.com/archive/1/511783/100/0/threaded
  SecurityFocus
- http://www.kb.cert.org/vuls/id/578319
  VU#578319 - Microsoft Windows Help and Support Center URI processing vulnerability [US Government Resource]
- http://blogs.technet.com/b/msrc/archive/2010/06/10/windows-help-vulnerability-disclosure.aspx
  Windows Help Vulnerability Disclosure – Microsoft Security Response Center
- http://www.vupen.com/english/advisories/2010/1417
  Webmail | OVH- OVH [Vendor Advisory]
- http://www.securityfocus.com/bid/40725
  Microsoft Windows Help And Support Center Trusted Document Whitelist Bypass Vulnerability [Exploit]
- http://www.securitytracker.com/id?1024084
  Microsoft Help and Support Center URL Escaping Flaw Lets Remote Users Execute Arbitrary Commands - SecurityTracker
- http://www.us-cert.gov/cas/techalerts/TA10-194A.html
  Microsoft Updates for Multiple Vulnerabilities | CISA [US Government Resource]
- http://archives.neohapsis.com/archives/fulldisclosure/2010-06/0197.html
  [Exploit]
- http://www.exploit-db.com/exploits/13808
  Microsoft Windows Help Centre Handles - Malformed Escape Sequences Incorrectly (MS03-044) - Windows remote Exploit
Products affected by CVE-2010-1885
- cpe:2.3:o:microsoft:windows_xp:*:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_xp:*:sp3:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_xp:-:sp2:x64:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2003_server:*:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2003_server:*:sp2:itanium:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2003:*:sp2:*:*:*:*:*:*