cbcvebase.
CVE-2010-0483
published 2010-03-03

CVE-2010-0483: vbscript.dll in VBScript 5.1, 5.6, 5.7, and 5.8 in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2, when Internet Explorer is used, allows…

PriorityP265high7.6CVSS 2.0
AVNACHAuNCCICAC
EXPLOIT
EPSS
86.37%
99.7th percentile
vbscript.dll in VBScript 5.1, 5.6, 5.7, and 5.8 in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2, when Internet Explorer is used, allows user-assisted remote attackers to execute arbitrary code by referencing a (1) local pathname, (2) UNC share pathname, or (3) WebDAV server with a crafted .hlp file in the fourth argument (aka helpfile argument) to the MsgBox function, leading to code execution involving winhlp32.exe when the F1 key is pressed, aka "VBScript Help Keypress Vulnerability."

Detection & IOCsextracted from sources · hover to see the quote

ip184.73.14.110
path\\184.73.14.110\PUBLIC\test.hlp
filenameruncalc.hlp
filenamecalc.exe
commandMsgBox "please press F1 to save the world", ,"please save the world", big, 1
commandMsgBox "Welcome! Press F1 to dismiss this dialog.", ,"Welcome!", "#{unc}", 1
  • Detect WebDAV requests (OPTIONS, PROPFIND, GET) for .hlp files originating from the WebDAV Mini-Redirector (MiniRedir) user-agent, which indicates exploitation of the MsgBox helpfile loading mechanism.
  • Alert on HTTP User-Agent strings matching MiniRedir/5.1, MiniRedir/5.2, or MiniRedir/6.0 fetching .hlp files over WebDAV/HTTP port 80, as these indicate the Windows WebDAV redirector being leveraged by the exploit.
  • Detect VBScript pages embedding a MsgBox call with a UNC path (\\<IP>\...) as the fourth (helpfile) argument, which is the trigger mechanism for CVE-2010-0483.
  • Monitor for PROPFIND WebDAV requests for .hlp and .exe files on port 80, which are characteristic of the exploit's WebDAV server serving the malicious HLP and payload EXE.
  • Social engineering indicator: monitor for web pages containing VBScript MsgBox calls instructing users to press F1, combined with a UNC or HTTP helpfile path argument.
  • ·The WebDAV-based exploit variant requires SRVPORT=80 and URIPATH=/ — exploitation via WebDAV only works if the WebDAV redirector is enabled on the target system.
  • ·The exploit also works via SMB (not just WebDAV), so blocking WebDAV alone is insufficient; SMB-based HLP file delivery must also be considered.
  • ·During testing, warnings about the payload EXE being unsigned were observed, which may alert users; future exploit variants may bypass this warning.
  • ·Affected platforms are Internet Explorer 6, 7, and 8 on Windows XP; Windows Vista/7 and Server 2008 are not listed as vulnerable targets in the exploit module.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.