vendor: Windows
by: Eduardo Braun Prado
CVSS: 7.8 HIGH
URL Manipulation-Spoof Arbitrary Code Execution
CWE: 20
Product Name: Windows
Affected Version From: Windows 7 SP1
Affected Version To: Windows 10 v.1809
Patch Exists: NO
Related CWE: N/A
CPE: microsoft:windows
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 7 SP1, 8.1, 10 v.1809 with full patches up to January 2019, on both x86 and x64 architectures.
2019
Microsoft Windows ‘VCF’ or ‘Contact’ File URL Manipulation-Spoof Arbitrary Code Execution Vulnerability — Remote Vector
A vulnerability in Microsoft Windows allows an attacker to execute arbitrary code by manipulating the URL of a VCF or Contact file. This vulnerability affects Windows 7 SP1, 8.1, and 10 v.1809 with full patches up to January 2019, on both x86 and x64 architectures.
Mitigation:
Microsoft has not released a patch for this vulnerability yet. As a workaround, users should avoid opening VCF or Contact files from untrusted sources.