header-logo
Suggest Exploit
vendor:
Windows XP
by:
SecurityFocus
7.5
CVSS
HIGH
Arbitrary Command Execution
78
CWE
Product Name: Windows XP
Affected Version From: Windows XP SP1
Affected Version To: Windows XP SP1
Patch Exists: NO
Related CWE: N/A
CPE: o:microsoft:windows_xp
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2002

Microsoft Windows XP HCP URI Handler Arbitrary Command Execution Vulnerability

The Microsoft Windows XP HCP URI handler has been reported prone to a vulnerability that may provide for arbitrary command execution. The issue is reported to present itself when a specially formatted HCP URI that references a local resource is processed. A remote attacker may exploit this issue to have arbitrary commands executed in the context of the user who followed the link. This issue has been reported to be present in Polish versions of Windows XP SP1; other versions may also be vulnerable.

Mitigation:

Users should avoid following untrusted HCP URIs.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/9621/info

The Microsoft Windows XP HCP URI handler has been reported prone to a vulnerability that may provide for arbitrary command execution. The issue is reported to present itself when a specially formatted HCP URI that references a local resource is processed. A remote attacker may exploit this issue to have arbitrary commands executed in the context of the user who followed the link.

This issue has been reported to be present in Polish versions of Windows XP SP1; other versions may also be vulnerable.

hcp://services/layout/contentonly?topic=...

where ... is a correct URL

http:// for page
file:/// for run (remember use / (slash) in path e.g. c:/windows/system32/...

The following additional example vectors have been supplied:
hcp://services/layout/fullwindow?topic=
hcp://services/centers/support?topic=

Additional proof-of-concepts were provided in the "IE ms-its: and mk:@MSITStore: vulnerability" BugTraq post by Roozbeh Afrasiabi.

Navigation

Suggest Exploit

Services By CQR