CVE-2010-0483
Published 2010-03-03
CVE-2010-0483: vbscript.dll in VBScript 5.1, 5.6, 5.7, and 5.8 in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2, when Internet Explorer is used, allows…
Priority P2 65 high · CVSS 2.0: 7.6
Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 86.37% (99.7th percentile)
vbscript.dll in VBScript 5.1, 5.6, 5.7, and 5.8 in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2, when Internet Explorer is used, allows user-assisted remote attackers to execute arbitrary code by referencing a (1) local pathname, (2) UNC share pathname, or (3) WebDAV server with a crafted .hlp file in the fourth argument (aka helpfile argument) to the MsgBox function, leading to code execution involving winhlp32.exe when the F1 key is pressed, aka "VBScript Help Keypress Vulnerability."
Detection & IOCs
- Detect WebDAV requests (OPTIONS, PROPFIND, GET) for .hlp files originating from the WebDAV Mini-Redirector (MiniRedir) user-agent, which indicates exploitation of the MsgBox helpfile loading mechanism.
- Alert on HTTP User-Agent strings matching MiniRedir/5.1, MiniRedir/5.2, or MiniRedir/6.0 fetching .hlp files over WebDAV/HTTP port 80, as these indicate the Windows WebDAV redirector being leveraged by the exploit.
- Detect VBScript pages embedding a MsgBox call with a UNC path (\\<IP>\...) as the fourth (helpfile) argument, which is the trigger mechanism for CVE-2010-0483.
- Monitor for PROPFIND WebDAV requests for .hlp and .exe files on port 80, which are characteristic of the exploit's WebDAV server serving the malicious HLP and payload EXE.
- Social engineering indicator: monitor for web pages containing VBScript MsgBox calls instructing users to press F1, combined with a UNC or HTTP helpfile path argument.
- The WebDAV-based exploit variant requires SRVPORT=80 and URIPATH=/; exploitation via WebDAV only works if the WebDAV redirector is enabled on the target system.
- The exploit also works via SMB (not just WebDAV), so blocking WebDAV alone is insufficient; SMB-based HLP file delivery must also be considered.
- During testing, warnings about the payload EXE being unsigned were observed, which may alert users; future exploit variants may bypass this warning.
- Affected platforms are Internet Explorer 6, 7, and 8 on Windows XP; Windows Vista/7 and Server 2008 are not listed as vulnerable targets in the exploit module.
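The WebDAV indicators above can be combined into one log check. The following is an added example, not a rule from any of the listed sources: it flags clients whose MiniRedir user-agent requests a .hlp file and raises the severity when the same client also requests an .exe from the same server. The log format, the sample lines and the severity labels are assumptions constructed for illustration.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed proxy log lines (assumed format): client dest "request" status "user-agent"
SAMPLE_LOG = '''\
10.0.0.21 203.0.113.5 "OPTIONS / HTTP/1.1" 200 "Microsoft-WebDAV-MiniRedir/5.1.2600"
10.0.0.21 203.0.113.5 "PROPFIND /docs/help.hlp HTTP/1.1" 207 "Microsoft-WebDAV-MiniRedir/5.1.2600"
10.0.0.21 203.0.113.5 "GET /docs/help.hlp HTTP/1.1" 200 "Microsoft-WebDAV-MiniRedir/5.1.2600"
10.0.0.21 203.0.113.5 "PROPFIND /docs/setup.exe HTTP/1.1" 207 "Microsoft-WebDAV-MiniRedir/5.1.2600"
10.0.0.34 198.51.100.7 "GET /manual/guide.hlp HTTP/1.1" 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
10.0.0.40 198.51.100.9 "PROPFIND /share/report.doc HTTP/1.1" 207 "Microsoft-WebDAV-MiniRedir/6.0.6001"
'''

LINE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)"$')
MINIREDIR = re.compile(r'MiniRedir/(5\.1|5\.2|6\.0)\b')   # versions named in the list above
WEBDAV_METHODS = {"OPTIONS", "PROPFIND", "GET"}
WATCHED_EXTENSIONS = {"hlp", "exe"}

def extension_of(target):
    """Lower-cased file extension of the request path, ignoring query string and URL encoding."""
    path = unquote(urlsplit(target).path).lower()
    return posixpath.splitext(path)[1].lstrip(".")

def detect(log_text):
    """Return one alert per (client, dest) pair that requested a .hlp file via MiniRedir."""
    seen = defaultdict(set)            # (client, dest) -> watched extensions requested
    for raw in log_text.splitlines():
        match = LINE.match(raw.strip())
        if not match:
            continue                   # skip lines that do not fit the assumed format
        client, dest, method, target, _status, agent = match.groups()
        if method in WEBDAV_METHODS and MINIREDIR.search(agent):
            ext = extension_of(target)
            if ext in WATCHED_EXTENSIONS:
                seen[(client, dest)].add(ext)
    alerts = []
    for (client, dest), exts in sorted(seen.items()):
        if "hlp" in exts:              # the .hlp fetch is the core indicator
            severity = "high" if "exe" in exts else "medium"
            alerts.append({"client": client, "dest": dest,
                           "severity": severity, "extensions": sorted(exts)})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

This covers only the WebDAV variant; HLP delivery over SMB, which the list above also notes, does not appear in HTTP logs and needs separate monitoring.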
GHSA
GHSA-wq52-mm9r-c9xx
ghsa_unreviewed · 2022-05-02 · CVSS 7.6
CVE-2010-0917 [HIGH] CWE-119
Stack-based buffer overflow in VBScript in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2, when Internet Explorer is used, might allow user-assisted remote attackers to execute arbitrary code via a long string in the fourth argument (aka helpfile argument) to the MsgBox function, leading to code execution when the F1 key is pressed, a different vulnerability than CVE-2010-0483.
GHSA
GHSA-pc6r-6288-xqwh: vbscript
ghsa_unreviewed·2022-05-02
CVE-2010-0483 [HIGH] CWE-94
vbscript.dll in VBScript 5.1, 5.6, 5.7, and 5.8 in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2, when Internet Explorer is used, allows user-assisted remote attackers to execute arbitrary code by referencing a (1) local pathname, (2) UNC share pathname, or (3) WebDAV server with a crafted .hlp file in the fourth argument (aka helpfile argument) to the MsgBox function, leading to code execution involving winhlp32.exe when the F1 key is pressed, aka "VBScript Help Keypress Vulnerability."
No detection rules found.
Exploit-DB
Microsoft Internet Explorer - 'Winhlp32.exe' MsgBox Code Execution (MS10-023) (Metasploit)
exploitdb·2010-09-28
---
##
# $Id: ms10_022_ie_vbscript_winhlp32.rb 10504 2010-09-28 16:19:50Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Internet Explorer Winhlp32.exe MsgBox Code Execution',
'Description' => %q{
This module exploits a code execution vulnerability that occurs when a user
presses F1 on MessageBox originated from VBscript within a web page. When the
user hits F1, the MessageBox help functionaility will attempt to load and use
a HLP file from a
Exploit-DB
Microsoft Internet Explorer 6/7/8 - 'winhlp32.exe MsgBox()' Remote Code Execution
exploitdb·2010-03-02
---
Microsoft Internet Explorer is prone to a remote code execution vulnerability.
Source (iSEC Security Research):
http://isec.pl/vulnerabilities10.html
Attackers can exploit this issue to execute arbitrary code in the context of the user running the application. Successful exploits will compromise the application and possibly the underlying computer.
Note attackers must use social-engineering techniques to convince an unsuspecting user to press the 'F1' key when the attacker's message box prompts them to do so.
Internet Explorer 6, 7, and 8 are vulnerable when running on the Windows XP platform.
A copy of test.hlp can be downloaded from here:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/
Metasploit
MS10-022 Microsoft Internet Explorer Winhlp32.exe MsgBox Code Execution
metasploit
This module exploits a code execution vulnerability that occurs when a user presses F1 on a MessageBox originating from VBScript within a web page. When the user hits F1, the MessageBox help functionality will attempt to load and use a HLP file from an SMB or WebDAV (if the WebDAV redirector is enabled) server. This particular version of the exploit implements a WebDAV server that will serve the HLP file as well as a payload EXE. During testing, warnings about the payload EXE being unsigned were witnessed. A future version of this module might use other methods that do not create such a warning.