Vulnerability Name:

CVE-2007-3896 (CCN-35582)

Assigned:2007-07-24
Published:2007-07-24
Updated:2021-07-23
Summary:The URL handling in Shell32.dll in the Windows shell in Microsoft Windows XP and Server 2003, with Internet Explorer 7 installed, allows remote attackers to execute arbitrary programs via invalid "%" sequences in a mailto: or other URI handler, as demonstrated using mIRC, Outlook, Firefox, Adobe Reader, Skype, and other applications.
Note: this issue might be related to other issues involving URL handlers in Windows systems, such as CVE-2007-3845. There also might be separate but closely related issues in the applications that are invoked by the handlers.
CVSS v3 Severity:9.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:9.3 High (CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C)
7.7 High (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
7.6 High (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C)
6.3 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Athentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
Vulnerability Type:CWE-20
Vulnerability Consequences:Gain Access
References:Source: CCN
Type: Full-Disclosure Mailing List, Tue Jul 24 2007 - 19:02:10 CDT
More URI Handling Vulnerabilites (FireFox Remote Command Execution)

Source: CCN
Type: ZDNet Blog October 10th, 2007
MS Outlook flaw adds new twist to URI handling saga

Source: MISC
Type: UNKNOWN
http://blogs.zdnet.com/security/?p=577

Source: MITRE
Type: CNA
CVE-2007-3896

Source: CCN
Type: HP Security Bulletin HPSBST02291 SSRT071498
Storage Management Appliance (SMA), Microsoft Patch Applicability MS07-061 and MS07-062

Source: BUGTRAQ
Type: UNKNOWN
20071003 0day: mIRC pwns Windows

Source: CCN
Type: BugTraq Mailing List, 2007-10-03 16:06:29
0day: mIRC pwns Windows

Source: BUGTRAQ
Type: UNKNOWN
20071003 Re: 0day: mIRC pwns Windows

Source: BUGTRAQ
Type: UNKNOWN
20071005 URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

Source: BUGTRAQ
Type: UNKNOWN
20071006 Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

Source: BUGTRAQ
Type: UNKNOWN
20071009 Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

Source: BUGTRAQ
Type: UNKNOWN
20071007 Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

Source: FULLDISC
Type: UNKNOWN
20071005 URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

Source: FULLDISC
Type: UNKNOWN
20071006 Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

Source: FULLDISC
Type: UNKNOWN
20071006 Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

Source: FULLDISC
Type: UNKNOWN
20071006 Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

Source: FULLDISC
Type: UNKNOWN
20071007 Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

Source: FULLDISC
Type: UNKNOWN
20071007 Re: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

Source: CCN
Type: SA26201
Microsoft Windows URI Handling Command Execution Vulnerability

Source: SECUNIA
Type: Vendor Advisory
26201

Source: CCN
Type: SECTRACK ID: 1018822
Adobe Acrobat URI Handling Bug Lets Remote Users Execute Arbitrary Code

Source: CCN
Type: SECTRACK ID: 1018831
Microsoft Windows ShellExecute() URI Handler Bug Lets Remote Users Execute Arbitrary Commands

Source: SECTRACK
Type: UNKNOWN
1018831

Source: CCN
Type: SKYPE-SB/2007-001
Improper handling of URI arguments

Source: CCN
Type: ASA-2007-471
MS07-061 Vulnerability in Windows URI Handling Could Allow Remote Code Execution (943460)

Source: CCN
Type: Nortel Web site
Nortel Response to Microsoft Security Bulletin MS07-061

Source: CCN
Type: Heise Security News, Report of 05.10.2007 14:45
URI problem also affects Acrobat Reader and Netscape

Source: MISC
Type: UNKNOWN
http://www.heise-security.co.uk/news/96982

Source: CCN
Type: IBM Internet Security Systems Protection Alert, Oct. 15, 2007
Multiple vendor products URI handling command execution

Source: CCN
Type: US-CERT VU#403150
Microsoft Windows URI protocol handling vulnerability

Source: CERT-VN
Type: US Government Resource
VU#403150

Source: CCN
Type: Microsoft Security Advisory (943521)
URL Handling Vulnerability in Windows XP and Windows Server 2003 with Windows Internet Explorer 7 Could Allow Remote Code Execution

Source: MSKB
Type: UNKNOWN
943521

Source: CCN
Type: Microsoft Security Bulletin MS07-061
Vulnerability in Windows URI Handling Could Allow Remote Code Execution (943460)

Source: BUGTRAQ
Type: UNKNOWN
20071004 Re[2]: 0day: mIRC pwns Windows

Source: BUGTRAQ
Type: UNKNOWN
20071004 Re: 0day: mIRC pwns Windows

Source: BUGTRAQ
Type: UNKNOWN
20071005 RE: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

Source: BUGTRAQ
Type: UNKNOWN
20071006 Re[2]: URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

Source: BUGTRAQ
Type: UNKNOWN
20071006 Re[2]: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

Source: BUGTRAQ
Type: UNKNOWN
20071006 Re[2]: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape,Miranda, Skype

Source: BUGTRAQ
Type: UNKNOWN
20071007 Re[2]: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

Source: BUGTRAQ
Type: UNKNOWN
20071007 Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape,Miranda, Skype

Source: BUGTRAQ
Type: UNKNOWN
20071008 Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape,Miranda, Skype

Source: BUGTRAQ
Type: UNKNOWN
20071009 RE: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

Source: BUGTRAQ
Type: UNKNOWN
20071007 Re: Re[2]: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape,Miranda, Skype

Source: BUGTRAQ
Type: UNKNOWN
20071008 Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

Source: BUGTRAQ
Type: UNKNOWN
20071011 M$ will fix URI?

Source: BUGTRAQ
Type: UNKNOWN
20071014 Third-party patch for CVE-2007-3896 (Internet Explorer 7 invalid URI handling) available

Source: BUGTRAQ
Type: UNKNOWN
20071017 Re: Third-party patch for CVE-2007-3896, UPDATE NOW

Source: HP
Type: UNKNOWN
HPSBST02291

Source: BID
Type: UNKNOWN
25945

Source: CCN
Type: BID-25945
Microsoft Windows URI Handler Command Execution Vulnerability

Source: SECTRACK
Type: UNKNOWN
1018822

Source: CERT
Type: US Government Resource
TA07-317A

Source: CCN
Type: Billy (BK) Rios Blog, Tuesday, July 24th, 2007
Remote Command Execution in FireFox et al

Source: MISC
Type: UNKNOWN
http://xs-sniper.com/blog/remote-command-exec-firefox-2005/

Source: MS
Type: UNKNOWN
MS07-061

Source: XF
Type: UNKNOWN
multiple-uri-command-execution(35582)

Source: CCN
Type: IBM Internet Security Systems X-Force Database
Multiple Mozilla products URI double-quote and space filtering command execution

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:4581

Vulnerable Configuration:Configuration 1:
  • cpe:/o:microsoft:windows_2003_server:*:sp2:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:*:sp2:itanium:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:*:*:itanium:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp:*:sp2:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp:*:sp2:x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:*:sp2:x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp:*:*:x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:*:*:x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:*:sp1:*:*:*:*:*:*
  • AND
  • cpe:/a:microsoft:internet_explorer:7.0:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/o:microsoft:windows:2003_server:*:x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:xp:sp2:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:2003_server:sp1:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:2003_server:sp1_itanium:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:7.0:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:server_2003:sp2:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:server_2003:sp2:itanium:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:server_2003:sp2:x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp::sp2:x64:*:professional:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.mitre.oval:def:4581
    V
    		Windows URI Handling Vulnerability
    2007-12-24
    BACK
    microsoft windows 2003 server * sp2
    microsoft windows 2003 server * sp2
    microsoft windows 2003 server *
    microsoft windows xp * sp2
    microsoft windows xp * sp2
    microsoft windows 2003 server * sp2
    microsoft windows xp *
    microsoft windows 2003 server *
    microsoft windows 2003 server * sp1
    microsoft internet explorer 7.0
    microsoft windows 2003_server
    microsoft windows xp sp2
    microsoft windows 2003_server sp1
    microsoft windows 2003_server sp1_itanium
    microsoft ie 7.0
    microsoft windows server_2003 sp2
    microsoft windows server_2003 sp2
    microsoft windows server_2003 sp2
    microsoft windows xp sp2