CVE-2013-0810
Published 2013-09-11
Priority: P2 · 70 · high · CVSS 3.1: 8.1
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 59.88% (99.0th percentile)
Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, and Windows Server 2008 SP2 allow remote attackers to execute arbitrary code via a crafted screensaver in a theme file, aka "Windows Theme File Remote Code Execution Vulnerability."
Detection & IOCs
- Detect .theme files containing a [boot] section with a UNC (\\server\share\file.scr) path as the Screen Saver value, which is the exploit delivery mechanism.
- Monitor for outbound SMB connections (port 445/139) initiated by explorer.exe or desk.cpl shortly after a .theme file is opened or applied, as the exploit triggers an SMB fetch of a remote .scr payload.
- Alert on .scr files being loaded from UNC/SMB paths (\\<remote>\...) as a screensaver, which is abnormal and indicative of CVE-2013-0810 exploitation.
- The Metasploit module targets only Windows XP SP3 and Windows 2003 SP2; exploitation on other listed affected platforms (Vista SP2, Server 2008 SP2) may require different targeting.
- The UNC share name and .scr filename are randomly generated per session, so static filename-based IOCs will not reliably detect all instances; focus on behavioral patterns (UNC screensaver path in .theme files) instead.
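A static check for the first detection item above, as an added example that is not part of the original page or of the Metasploit module: it parses theme content and reports every [boot] screensaver value that is a UNC path, independent of the share or file name. The `SCRNSAVE.EXE` key name is assumed from the classic .theme format (the page says only "Screen Saver value"); the function names and sample themes are constructed for illustration.

```python
import re

# Screensaver key inside [boot]. The page says only "Screen Saver value";
# SCRNSAVE.EXE is the key name assumed here from the classic .theme format.
SCREENSAVER_KEY = "scrnsave.exe"

# \\host\share\..., //host/share/... and the \\?\UNC\host\share\... long form.
# \\?\C:\... and \\.\device paths are local and deliberately do not match.
UNC_RE = re.compile(
    r"^(?:[\\/]{2}\?[\\/]UNC[\\/]|[\\/]{2})(?P<host>(?!\.[\\/])[^\\/?]+)[\\/]+.+$",
    re.IGNORECASE)

def decode_theme(data: bytes) -> str:
    """Theme files are ANSI or UTF-16 with a BOM; decode without raising."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="replace")
    return data.decode("cp1252", errors="replace")

def boot_screensavers(text: str) -> list:
    """Every screensaver value assigned in [boot], duplicates included."""
    section, values = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "boot" and "=" in line:
            key, _, val = line.partition("=")
            if key.strip().lower() == SCREENSAVER_KEY:
                values.append(val.strip().strip('"'))
    return values

def check_theme(data: bytes) -> list:
    """One finding per [boot] screensaver value that points at a UNC path."""
    findings = []
    for path in boot_screensavers(decode_theme(data)):
        m = UNC_RE.match(path)
        if m:
            findings.append({"path": path, "host": m.group("host"),
                             "is_scr": path.lower().endswith(".scr")})
    return findings

# Constructed samples, not taken from a real theme or from the exploit module.
SAMPLE_UNC = (b"[Theme]\r\nDisplayName=Demo\r\n\r\n[boot]\r\n"
              b"SCRNSAVE.EXE=\\\\fileserver.example\\share\\saver.scr\r\n")
SAMPLE_LOCAL = b"[boot]\r\nSCRNSAVE.EXE=%SystemRoot%\\system32\\logon.scr\r\n"

if __name__ == "__main__":
    for name, blob in (("unc", SAMPLE_UNC), ("local", SAMPLE_LOCAL)):
        print(name, check_theme(blob))
```

Reporting every assignment rather than a single one keeps a duplicated key from hiding the UNC value behind a benign local path.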
CVSS provenance
nvd · v3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 9.3 CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
No detection rules found.
Exploit-DB
Microsoft Windows 10 - Theme API 'ThemePack' File Parsing
exploitdb·2020-01-29·CVSS 8.1
CVE-2018-8413 [HIGH] Microsoft Windows 10 - Theme API 'ThemePack' File Parsing
---
# Exploit Title: Microsoft Windows 10 - Theme API 'ThemePack' File Parsing
# Google Dork: n/a
# Date: 2020-10-28
# Exploit Author: Eduardo Braun Prado
# Vendor Homepage: http://www.microsoft.com/
# Software Link: http://www.microsoft.com/
# Version: 10 v.1803 (17134.407)
# Tested on: Windows 7, 8.0, 8.1, 10, Server 2012, Server 2012 R2, Server 2016, Server 2019
# CVE : CVE-2018-8413
# Discovered by: Eduardo Braun Prado
[Details]
Microsoft 'themepack' files are classic '.theme' files compressed for
sharing over the internet. Theme files
allow users to customize visual aspects of their device, such as icons
for known features like 'My computer'
and 'trash bin' folders, the default screensaver (which by the way
allowed attacke
Exploit-DB
Microsoft Windows Theme File Handling - Arbitrary Code Execution (MS13-071) (Metasploit)
exploitdb·2013-09-23
CVE-2013-0810 Microsoft Windows Theme File Handling - Arbitrary Code Execution (MS13-071) (Metasploit)
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 "MS13-071 Microsoft Windows Theme File Handling Arbitrary Code Execution",
'Description' => %q{
This module exploits a vulnerability mainly affecting Microsoft Windows XP and Windows
2003. The vulnerability exists in the handling of the Screen Saver path, in the [boot]
section. An arbitrary path can be used as screen saver, including a remote SMB resource,
which allows for remote code execution when a malic
Metasploit
MS13-071 Microsoft Windows Theme File Handling Arbitrary Code Execution
metasploit
This module exploits a vulnerability mainly affecting Microsoft Windows XP and Windows 2003. The vulnerability exists in the handling of the Screen Saver path, in the [boot] section. An arbitrary path can be used as screen saver, including a remote SMB resource, which allows for remote code execution when a malicious .theme file is opened, and the "Screen Saver" tab is viewed. The code execution is also triggered if the victim installs the malicious theme and stays away from the computer, when Windows tries to display the screensaver.
No writeups or analysis indexed.
- http://www.us-cert.gov/ncas/alerts/TA13-253A
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-071
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18579
Published: 2013-09-11