CVE-2010-1885
Published 2010-06-15
Priority: P1 82 · critical · 9.3 (CVSS 2.0)
CVSS vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Tags: ITW · EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 75.46% (99.5th percentile)
The MPC::HexToNum function in helpctr.exe in Microsoft Windows Help and Support Center in Windows XP and Windows Server 2003 does not properly handle malformed escape sequences, which allows remote attackers to bypass the trusted documents whitelist (fromHCP option) and execute arbitrary commands via a crafted hcp:// URL, aka "Help Center URL Validation Vulnerability."
Detection & IOCs (extracted from sources)
Snort: sid:16665
- Snort SID 16665 fires on the Windows Help Center escape sequence XSS/injection attempt in hcp:// URIs; alert classification is 'Attempted User Privilege Gain', Priority 1.
- Exploit traffic originates from the attacker IP on port 80 and delivers a crafted hcp:// URL via an iframe; look for iframe-embedded hcp:// URIs containing the keyword 'crimepack' in HTTP responses.
- The vulnerability is triggered via invalid hexadecimal characters in the search topic parameter of an hcp:// URI, bypassing the fromHCP whitelist; detect malformed %xx escape sequences in hcp:// protocol handler invocations.
- The ClamAV signature name differs between two Talos sources: one article cites 'BC.Exploit.CVE_2010_0815' while a later, more detailed analysis cites 'BC.Exploit.CVE_2010_1885'. The latter (matching the correct CVE number) is likely the authoritative signature name.
- Unregistering the HCP protocol handler mitigates the vulnerability but breaks all legitimate hcp:// links (e.g. Control Panel help links); this is a disruptive workaround, not a patch.
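A defender-side scanner for the pattern the detection notes above describe, added here as an example (not code from Snort, Talos or any other cited source): it pulls hcp:// URIs out of an HTTP response body, reports any whose %xx escapes are malformed or that carry the 'crimepack' keyword, and rates iframe-embedded hits highest. The response bodies are constructed samples.

```python
import re
from dataclasses import dataclass, field

# Constructed sample HTTP response bodies (not captured traffic). The first
# carries a hidden iframe whose hcp:// URI has a malformed %xx escape in the
# search query plus the 'crimepack' keyword noted in the Talos write-up.
SUSPICIOUS_BODY = """<html><body>
<a href="hcp://services/search?query=printer%20setup">Printer help</a>
<iframe src="hcp://services/search?query=zz%ZZcrimepack" width="1" height="1"></iframe>
</body></html>"""
BENIGN_BODY = '<a href="hcp://services/search?query=network%20setup">Network help</a>'

HCP_URI = re.compile(r"hcp://[^\s\"'<>]+", re.IGNORECASE)
IFRAME_HCP = re.compile(r"<iframe[^>]*\bsrc\s*=\s*[\"']?(hcp://[^\s\"'>]+)", re.IGNORECASE)
# A well-formed escape is '%' followed by exactly two hex digits; anything
# else is the malformed form that MPC::HexToNum mishandled.
BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")


@dataclass
class Finding:
    uri: str
    malformed_escapes: list = field(default_factory=list)
    in_iframe: bool = False
    keyword_hit: bool = False


def malformed_escapes(uri: str) -> list:
    """Return the raw fragment (up to 3 chars) at each malformed '%' escape."""
    return [uri[m.start():m.start() + 3] for m in BAD_ESCAPE.finditer(uri)]


def scan_response(body: str) -> list:
    """Report every hcp:// URI in a response body that has malformed escapes
    or the 'crimepack' keyword, noting whether it is embedded in an iframe."""
    iframe_uris = set(IFRAME_HCP.findall(body))
    findings = []
    for m in HCP_URI.finditer(body):
        uri = m.group(0)
        bad = malformed_escapes(uri)
        keyword = "crimepack" in uri.lower()
        if bad or keyword:
            findings.append(Finding(uri, bad, uri in iframe_uris, keyword))
    return findings


def severity(f: Finding) -> str:
    """Malformed escape inside an iframe is the delivery pattern the sources
    describe; a malformed escape alone is medium, a keyword alone is low."""
    if f.malformed_escapes and f.in_iframe:
        return "high"
    if f.malformed_escapes:
        return "medium"
    return "low"


if __name__ == "__main__":
    for finding in scan_response(SUSPICIOUS_BODY):
        print(severity(finding), finding)
```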
CVSS provenance
- NVD (v2.0): 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
- VulnCheck: 9.3 CRITICAL
GHSA
GHSA-3qv5-55f8-3w6h (ghsa_unreviewed · 2022-05-14): CVE-2010-1885 [HIGH] CWE-78
Description: same text as the CVE summary above.
GHSA
GHSA-74v8-m33g-rpg6 (ghsa_unreviewed · 2022-05-14 · CVSS 9.3): CVE-2010-2265 [CRITICAL] CWE-79
Cross-site scripting (XSS) vulnerability in the GetServerName function in sysinfo/commonFunc.js in Microsoft Windows Help and Support Center for Windows XP and Windows Server 2003 allows remote attackers to inject arbitrary web script or HTML via the svr parameter to sysinfo/sysinfomain.htm. NOTE: this can be leveraged with CVE-2010-1885 to execute arbitrary commands without user interaction.
VulnCheck
Microsoft Windows Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (vulncheck · 2010 · CVSS 9.3): CVE-2010-1885 [CRITICAL]
Description: same text as the CVE summary above.
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.hkcert.org/blog/large-scale-injection-incidents-targeting-oscommerce-websites; https://www.tru
No detection rules found.
Exploit-DB
Microsoft Help Center - Cross-Site Scripting / Command Execution (MS10-042) (Metasploit) (exploitdb · 2010-09-20): CVE-2010-1885
---
```ruby
##
# $Id: ms10_042_helpctr_xss_cmd_exec.rb 10388 2010-09-20 04:37:25Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

# Class header restored per Metasploit convention: the text between '<' and
# '=>' on the original class line was lost when the page was HTML-stripped.
class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Microsoft Help Center XSS and Command Execution',
      'Description' => %q{
        Help and Support Center is the default application provided to access online
        documentation for Microsoft Windows. Microsoft supports accessing help documents
        directly via URLs by installing a protocol handler for the scheme "hcp". Due to
        an error in valida
```
Exploit-DB
Microsoft Windows Help Centre Handles - Malformed Escape Sequences Incorrectly (MS03-044) (exploitdb · 2010-06-10): CVE-2010-1885
---
Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
Help and Support Centre is the default application provided to access online documentation for Microsoft Windows. Microsoft supports accessing help documents directly via URLs by installing a protocol handler for the scheme "hcp"; a typical example is provided in the Windows XP Command Line Reference, available at http://technet.microsoft.com/en-us/library/bb490918.aspx.
Using hcp:// URLs is intended to be safe, as when invoked via the registered protocol handler the command line parameter /fromhcp is passed to the help centre application. This flag switches the help centre into a restricted mode, which will only perm
Metasploit
Microsoft Help Center XSS and Command Execution (metasploit)
Help and Support Center is the default application provided to access online documentation for Microsoft Windows. Microsoft supports accessing help documents directly via URLs by installing a protocol handler for the scheme "hcp". Due to an error in validation of input to hcp:// combined with a local cross site scripting vulnerability and a specialized mechanism to launch the XSS trigger, arbitrary command execution can be achieved. On IE7 on XP SP2 or SP3, code execution is automatic. If WMP9 is installed, it can be used to launch the exploit automatically. If IE8 and WMP11, either can be used to launch the attack, but both pop dialog boxes asking the user if execution should continue. This exploit detects if non-intrusive mechanisms are av
Talos
Special Delivery -- Phoenix Exploit Kit (blogs_talos · 2012-04-12 · CVSS 9.3) [CRITICAL]
## Special Delivery -- Phoenix Exploit Kit
You would think that spam masquerading as a delivery company would be getting a little long in the tooth, but that isn't the case. Last week the winner was "DHL Attention 846698", which looks something like this:
Good day!
Dear Consumer, Recipient's address is wrong
PLEASE FILL IN ATTACHED FILE WITH RIGHT ADDRESS AND RESEND TO YOUR PERSONAL MANAGER
With Best Wishes, DHL .com Customer Services
A nice present in the form of a zip file named "DHL-N-35385784.zip" came along with the email. It contained an html file which, in my case, was named "DHL_Letter_N88324.htm". This had 4 blocks of a pretty standard, obfuscated block of code that, when clicked, sent you off to a phoenix exploit kit sitting on a static IP address (no DNS name) on port 8080.
The exploit kit had a multi-capability PDF
Zscaler
Help Center URL Validation Vulnerability Campaign | Zscaler (blogs_zscaler · 2011-05-06 · CVSS 9.3) [CRITICAL]
Zscaler
Blackhole Exploits Kit Attack Growing | Zscaler (blogs_zscaler · 2011-02-11)
Talos
Quick analysis of a webpage leveraging CVE-2010-1885 (aka the help and support center vulnerability) (blogs_talos · 2010-08-10 · CVSS 9.3): CVE-2010-1885 [CRITICAL]
## Quick analysis of a webpage leveraging CVE-2010-1885 (aka the help and support center vulnerability)
In a previous blog post I was writing about an increase in attacks against an, at the time, un-patched vulnerability. Microsoft patched it on July 13, which doesn't mean that people aren't still trying to own un-patched machines. goodgirlsbadguys.com (213.155.12.144) is a domain registered on July 19 2010 with a registrant address listed in Cambodia. Visiting a particular webpage for that domain (trust me and don't go there... despite the name there is nothing juicy on this domain except pwnage) returns a URL as part of an iframe. Microsoft Help and Support Center is invoked with a few parameters, one of which is the URL obtained earlier:
Pic.1: Help and Support Center
Notice the use of the keyword "crimepack" in the hcp:// request.
In a randomly named file (in this case, "bat.vbsautba" in
Talos
Increase in attacks on CVE-2010-1885 (blogs_talos · 2010-07-07 · CVSS 9.3): CVE-2010-1885 [CRITICAL]
## Increase in attacks on CVE-2010-1885
Microsoft is warning that there has been an increase of attacks against a zero-day vulnerability in Microsoft Help and Support Center. The vulnerability is due to an error when using invalid hexadecimal characters in the search topic parameter of a URI. It can be used to bypass restrictions normally imposed by a command-line argument to load arbitrary help documents. Proof-of-concept code has been available since at least mid-June and has been proven to work with Windows XP and Windows Server 2003; other versions may also be affected. While a patch is still not available, you should plan on patching as soon as one is. In the meantime, be careful or, better, unregister the HCP protocol (manually, or by using this tool provided by Microsoft). However, doing so will break all local links that
Zscaler
Zscaler Provides Protection for 3 Microsoft Vulnerabilities (blogs_zscaler · CVSS 9.3) [CRITICAL]
References
- http://archives.neohapsis.com/archives/fulldisclosure/2010-06/0197.html
- http://blogs.technet.com/b/msrc/archive/2010/06/10/windows-help-vulnerability-disclosure.aspx
- http://blogs.technet.com/b/srd/archive/2010/06/10/help-and-support-center-vulnerability-full-disclosure-posting.aspx
- http://secunia.com/advisories/40076
- http://www.exploit-db.com/exploits/13808
- http://www.kb.cert.org/vuls/id/578319
- http://www.microsoft.com/technet/security/advisory/2219475.mspx
- http://www.securityfocus.com/archive/1/511774/100/0/threaded
- http://www.securityfocus.com/archive/1/511783/100/0/threaded
- http://www.securityfocus.com/bid/40725
- http://www.securitytracker.com/id?1024084
- http://www.us-cert.gov/cas/techalerts/TA10-194A.html
- http://www.vupen.com/english/advisories/2010/1417
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-042
- https://exchange.xforce.ibmcloud.com/vulnerabilities/59267
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11733