CVE-2010-0027
Published: 2010-01-22
Priority: P2 62 · critical · CVSS 2.0 base score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 33.98% (98.2th percentile)
The URL validation functionality in Microsoft Internet Explorer 5.01, 6, 6 SP1, 7 and 8, and the ShellExecute API function in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2, does not properly process input parameters, which allows remote attackers to execute arbitrary local programs via a crafted URL, aka "URL Validation Vulnerability."
Affected (11 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — (11 ranges listed; version bounds not extracted) | — |
Detection & IOCs (extracted from sources)
Snort rule (Emerging Threats, SID 2010798):
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer URI Validation Remote Code Execution Attempt"; flow:established,to_client; file.data; content:"#|3A|../../"; content:"C|3A 5C|"; nocase; within:50; pcre:"/\x2E\x2E\x2F\x2E\x2E\x2F.+C\x3A\x5C[a-z]/si"; reference:url,www.securityfocus.com/bid/37884; reference:cve,2010-0027; classtype:attempted-user; sid:2010798; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, confidence Medium, signature_severity Major, tag Web_Client_Attacks, updated_at 2024_04_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
- Exploit payloads use crafted URIs containing path traversal sequences ('../../') combined with a Windows absolute path ('C:\') to escape to the local filesystem and execute arbitrary local programs via ShellExecute or IE URL handling.
- The vulnerability can also be triggered by any application that calls the ShellExecute() API with attacker-controlled input, not just Internet Explorer, so broaden detection scope beyond browser traffic.
- The Emerging Threats Snort rule (SID 2010798) targets inbound HTTP responses (to_client) containing the traversal + Windows path pattern and is suitable for perimeter/IDS deployment.
- The rule inspects the HTTP response body (to_client, file.data): make sure your IDS/IPS is configured to inspect full HTTP response payloads, not just headers, or the rule will never fire.
- The ET rule metadata lists confidence as 'Medium', so expect potential false positives; tune the PCRE pattern against your environment before enabling block mode.
Indexed Suricata rules (note: the first three reference CVE-2003-0027, a different vulnerability)
Suricata · 2010-09-23 · CVE-2003-0027 · GPL RPC portmap kcms_server request UDP
Rule: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap kcms_server request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2102005; rev:11; metadata:created_at 2010_09_23, cve CVE_2003_0027, signature_severity Informational, updated_at 2019_07_26;)
Suricata · 2010-09-23 · CVE-2003-0027 · GPL RPC portmap kcms_server request TCP
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap kcms_server request TCP"; flow:established,to_server; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2102006; rev:12; metadata:created_at 2010_09_23, cve CVE_2003_0027, signature_severity Informational, updated_at 2024_03_08;)
Suricata · 2010-09-23 · CVE-2003-0027 · GPL RPC kcms_server directory traversal attempt
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"GPL RPC kcms_server directory traversal attempt"; flow:established,to_server; content:"|00 01 87|}"; depth:4; offset:16; byte_jump:4,20,relative,align; byte_jump:4,4,relative,align; content:"/../"; distance:0; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:misc-attack; sid:2102007; rev:13; metadata:created_at 2010_09_23, cve CVE_2003_0027, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; tar
Suricata · 2010-07-30 · CVE-2010-0027 · ET WEB_CLIENT Possible Microsoft Internet Explorer URI Validation Remote Code Execution Attempt (SID 2010798; full rule text given under Detection & IOCs above)
No writeups or analysis indexed.
References
- http://www.securityfocus.com/archive/1/509470/100/0/threaded
- http://www.us-cert.gov/cas/techalerts/TA10-040A.html
- http://www.zerodayinitiative.com/advisories/ZDI-10-016/
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-002
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-007
- https://exchange.xforce.ibmcloud.com/vulnerabilities/55773
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8464