CVE-2010-1885
published 2010-06-15


Priority: P1 82 · critical · CVSS 2.0 base score 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
In-the-wild exploitation: VulnCheck KEV (exploited in the wild)
EPSS: 75.46% (99.5th percentile)
The MPC::HexToNum function in helpctr.exe in Microsoft Windows Help and Support Center in Windows XP and Windows Server 2003 does not properly handle malformed escape sequences, which allows remote attackers to bypass the trusted documents whitelist (fromHCP option) and execute arbitrary commands via a crafted hcp:// URL, aka "Help Center URL Validation Vulnerability."

Detection & IOCs (extracted from sources)

  • domain: vvvvvv.dyndns-mail.com
  • ip: 46.254.16.61
  • domain: goodgirlsbadguys.com
  • ip: 213.155.12.144
  • other (ClamAV signature): BC.Exploit.CVE_2010_0815
  • other (ClamAV signature): BC.Exploit.CVE_2010_1885
  • path: c:\Documents and Settings\user\Local Settings\Temp\bat.vbsautba
  • filename: D.vbs
  • port: 8080
  • filename: DHL-N-35385784.zip
  • filename: DHL_Letter_N88324.htm
  • snort: sid:16665
  • Snort SID 16665 fires on the Windows Help Center escape sequence XSS/injection attempt in hcp:// URIs; alert classification is 'Attempted User Privilege Gain', Priority 1.
  • Exploit traffic originates from the attacker IP on port 80 and delivers a crafted hcp:// URL via an iframe; look for iframe-embedded hcp:// URIs containing the keyword 'crimepack' in HTTP responses.
  • The vulnerability is triggered via invalid hexadecimal characters in the search topic parameter of an hcp:// URI, bypassing the fromHCP whitelist; detect malformed %xx escape sequences in hcp:// protocol handler invocations.
  • The ClamAV signature name differs between two Talos sources: one article cites 'BC.Exploit.CVE_2010_0815' while a later, more detailed analysis cites 'BC.Exploit.CVE_2010_1885'. The latter (matching the correct CVE number) is likely the authoritative signature name.
  • Unregistering the HCP protocol handler mitigates the vulnerability but breaks all legitimate hcp:// links (e.g. Control Panel help links); this is a disruptive workaround, not a patch.
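The detection notes above describe two signals a defender can look for in HTTP response bodies: iframe-embedded hcp:// URIs, and percent-escapes in those URIs that are not valid %xx hex pairs (the condition that trips MPC::HexToNum). The script below is an added example, not code from the original page or from any of the cited Talos sources; it implements those checks in Python over constructed sample bodies. The sample URIs use deliberately invalid escapes such as `%zz` purely as test input for the parser, and the function and variable names are this example's own.

```python
import re

# Added detection example for the signals listed on the page:
#   - hcp:// URIs embedded in <iframe> tags
#   - '%' escapes not followed by two hex digits (malformed %xx sequences)
#   - the keyword 'crimepack' inside an hcp:// URI
# The sample bodies below are constructed for illustration only.

IFRAME_SRC = re.compile(r'<iframe[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)
HCP_URI = re.compile(r'hcp://[^\s"\'<>]+', re.IGNORECASE)
# A '%' optionally followed by two hex digits; a missing group means malformed.
PERCENT = re.compile(r'%([0-9A-Fa-f]{2})?')


def malformed_escapes(uri):
    """Return each '%' escape in uri that is not followed by two hex digits."""
    bad = []
    for m in PERCENT.finditer(uri):
        if m.group(1) is None:
            # Capture the '%' and up to two following characters for the report.
            bad.append(uri[m.start():m.start() + 3])
    return bad


def analyze_hcp_uri(uri):
    """Return a list of human-readable reasons this hcp:// URI is suspicious."""
    reasons = []
    bad = malformed_escapes(uri)
    if bad:
        reasons.append("malformed escape sequences: " + ", ".join(bad))
    if "crimepack" in uri.lower():
        reasons.append("keyword 'crimepack' in hcp:// URI")
    return reasons


def scan_response_body(body):
    """Scan one HTTP response body and return a list of finding dicts."""
    findings = []
    # Pass 1: hcp:// URIs delivered through an iframe are suspicious on their own,
    # because ordinary web content has no reason to frame the local help center.
    for m in IFRAME_SRC.finditer(body):
        src = m.group(1)
        if src.lower().startswith("hcp://"):
            reasons = analyze_hcp_uri(src) or ["hcp:// URI embedded in iframe"]
            findings.append({"uri": src, "iframe": True, "reasons": reasons})
    # Pass 2: hcp:// URIs elsewhere (script redirects, meta refresh) are only
    # reported when they carry malformed escapes or the kit keyword.
    seen = {f["uri"] for f in findings}
    for m in HCP_URI.finditer(body):
        uri = m.group(0)
        if uri in seen:
            continue
        reasons = analyze_hcp_uri(uri)
        if reasons:
            findings.append({"uri": uri, "iframe": False, "reasons": reasons})
    return findings


# Constructed sample bodies (not captured traffic).
SAMPLE_BODIES = {
    "benign": '<html><body><a href="https://example.com/help">Help</a></body></html>',
    "iframe_malformed": ('<html><body><iframe src="hcp://services/search?query=%zz%q1x" '
                         'width=0 height=0></iframe></body></html>'),
    "keyword_only": ('<html><script>window.location='
                     '"hcp://services/search?query=crimepack";</script></html>'),
}

if __name__ == "__main__":
    for name, body in SAMPLE_BODIES.items():
        print(name, "->", scan_response_body(body))
```

The two-pass design mirrors the page's notes: an hcp:// iframe is reported regardless of its escapes, while bare hcp:// references are reported only when they show the malformed-escape or keyword signal, which keeps legitimate Control Panel help links from generating noise.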

CVSS provenance

  • NVD: CVSS v2.0, 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
  • VulnCheck: 9.3 CRITICAL