ID CVE-2010-3147
Summary Untrusted search path vulnerability in wab.exe 6.00.2900.5512 in Windows Address Book in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allows local users to gain privileges via a Trojan horse wab32res.dll file in the current working directory, as demonstrated by a directory that contains a Windows Address Book (WAB), VCF (aka vCard), or P7C file, aka "Insecure Library Loading Vulnerability." NOTE: the codebase for this product may overlap the codebase for the product referenced in CVE-2010-3143.
References
Vulnerable Configurations
  • Microsoft Outlook Express 6.00.2900.5512
    cpe:2.3:a:microsoft:outlook_express:6.00.2900.5512
  • Microsoft Windows 2003 Server Service Pack 2
    cpe:2.3:o:microsoft:windows_2003_server:-:sp2
  • Microsoft Windows 2003 Server Service Pack 2 Itanium
    cpe:2.3:o:microsoft:windows_2003_server:-:sp2:itanium
  • Microsoft Windows 7
    cpe:2.3:o:microsoft:windows_7
  • Microsoft Windows 7
    cpe:2.3:o:microsoft:windows_7
  • Microsoft Windows Server 2003 Service Pack 2
    cpe:2.3:o:microsoft:windows_server_2003:-:sp2
  • cpe:2.3:o:microsoft:windows_server_2008:-:itanium
    cpe:2.3:o:microsoft:windows_server_2008:-:itanium
  • cpe:2.3:o:microsoft:windows_server_2008:-:x32
    cpe:2.3:o:microsoft:windows_server_2008:-:x32
  • cpe:2.3:o:microsoft:windows_server_2008:-:x64
    cpe:2.3:o:microsoft:windows_server_2008:-:x64
  • Windows Server 2008 R2 for Itanium-based Systems
    cpe:2.3:o:microsoft:windows_server_2008:-:r2:itanium
  • Windows Server 2008 R2 for x64-based Systems
    cpe:2.3:o:microsoft:windows_server_2008:-:r2:x64
  • Windows Server 2008 Service Pack 2 for 32-bit systems
    cpe:2.3:o:microsoft:windows_server_2008:-:sp2:x32
  • Microsoft Windows Server 2008 Service Pack 2 x64 (64-bit)
    cpe:2.3:o:microsoft:windows_server_2008:-:sp2:x64
  • Microsoft Windows Server 2008 Service Pack 2 for Itanium-Based Systems
    cpe:2.3:o:microsoft:windows_server_2008:-:sp2:itanium
  • Microsoft Windows Vista Service Pack 1 (initial release)
    cpe:2.3:o:microsoft:windows_vista:-:sp1
  • Microsoft Windows Vista Service Pack 1 x64 (64-bit)
    cpe:2.3:o:microsoft:windows_vista:-:sp1:x64
  • Microsoft Windows Vista Service Pack 2
    cpe:2.3:o:microsoft:windows_vista:-:sp2
  • Microsoft Windows Vista Service Pack 2 x64 (64-bit)
    cpe:2.3:o:microsoft:windows_vista:-:sp2:x64
  • Microsoft Windows Vista Service Pack 1 (initial release)
    cpe:2.3:o:microsoft:windows_vista:-:sp1
  • Microsoft Windows XP Service Pack 3
    cpe:2.3:o:microsoft:windows_xp:-:sp3
  • Microsoft Windows XP Service Pack 2 x64 (64-bit)
    cpe:2.3:o:microsoft:windows_xp:-:sp2:x64
CVSS
Base: 9.3 (as of 30-08-2010 - 10:14)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
exploit-db via4
  • description Microsoft Address Book 6.00.2900.5512 DLL Hijacking Exploit (wab32res.dll). CVE-2010-3143,CVE-2010-3147. Local exploit for windows platform
    file exploits/windows/local/14745.c
    id EDB-ID:14745
    last seen 2016-02-01
    modified 2010-08-25
    platform windows
    port
    published 2010-08-25
    reporter Beenu Arora
    source https://www.exploit-db.com/download/14745/
    title Microsoft Address Book 6.00.2900.5512 DLL Hijacking Exploit wab32res.dll
    type local
  • description Microsoft Windows Contacts DLL Hijacking Exploit (wab32res.dll). CVE-2010-3143,CVE-2010-3147. Local exploit for windows platform
    file exploits/windows/local/14778.c
    id EDB-ID:14778
    last seen 2016-02-01
    modified 2010-08-25
    platform windows
    port
    published 2010-08-25
    reporter storm
    source https://www.exploit-db.com/download/14778/
    title Microsoft Windows Contacts DLL Hijacking Exploit wab32res.dll
    type local
  • description Microsoft Windows 7 wab.exe DLL Hijacking Exploit (wab32res.dll). CVE-2010-3143,CVE-2010-3147. Local exploit for windows platform
    id EDB-ID:14733
    last seen 2016-02-01
    modified 2010-08-24
    published 2010-08-24
    reporter TheLeader
    source https://www.exploit-db.com/download/14733/
    title Microsoft Windows 7 - wab.exe DLL Hijacking Exploit wab32res.dll
msbulletin via4
bulletin_id MS10-096
bulletin_url
date 2010-12-14T00:00:00
impact Remote Code Execution
knowledgebase_id 2423089
knowledgebase_url
severity Important
title Vulnerability in Windows Address Book Could Allow Remote Code Execution
nessus via4
NASL family Windows : Microsoft Bulletins
NASL id SMB_NT_MS10-096.NASL
description The remote Windows host contains a version of Windows Address Book that incorrectly restricts the path used for loading external libraries. If an attacker can trick a user on the affected system into opening a specially crafted Windows Address Book file located in the same network directory as a specially crafted dynamic link library (DLL) file, this issue could be leveraged to execute arbitrary code subject to the user's privileges.
last seen 2019-02-21
modified 2018-11-15
plugin id 51168
published 2010-12-15
reporter Tenable
source https://www.tenable.com/plugins/index.php?view=single&id=51168
title MS10-096: Vulnerability in Windows Address Book Could Allow Remote Code Execution (2423089)
oval via4
accepted 2014-06-30T04:00:20.347-04:00
class vulnerability
contributors
  • name Josh Turpin
    organization Symantec Corporation
  • name Dragos Prisaca
    organization Symantec Corporation
  • name Josh Turpin
    organization Symantec Corporation
  • name Maria Mikhno
    organization ALTX-SOFT
  • name Maria Mikhno
    organization ALTX-SOFT
definition_extensions
  • comment Microsoft Windows XP (x86) SP3 is installed
    oval oval:org.mitre.oval:def:5631
  • comment Microsoft Windows XP x64 Edition SP2 is installed
    oval oval:org.mitre.oval:def:4193
  • comment Microsoft Windows Server 2003 SP2 (x86) is installed
    oval oval:org.mitre.oval:def:1935
  • comment Microsoft Windows Server 2003 SP2 (x64) is installed
    oval oval:org.mitre.oval:def:2161
  • comment Microsoft Windows Server 2003 (ia64) SP2 is installed
    oval oval:org.mitre.oval:def:1442
  • comment Microsoft Windows Vista (32-bit) Service Pack 1 is installed
    oval oval:org.mitre.oval:def:4873
  • comment Microsoft Windows Vista x64 Edition Service Pack 1 is installed
    oval oval:org.mitre.oval:def:5254
  • comment Microsoft Windows Server 2008 (32-bit) is installed
    oval oval:org.mitre.oval:def:4870
  • comment Microsoft Windows Server 2008 (64-bit) is installed
    oval oval:org.mitre.oval:def:5356
  • comment Microsoft Windows Server 2008 (ia-64) is installed
    oval oval:org.mitre.oval:def:5667
  • comment Microsoft Windows Vista (32-bit) Service Pack 2 is installed
    oval oval:org.mitre.oval:def:6124
  • comment Microsoft Windows Vista x64 Edition Service Pack 2 is installed
    oval oval:org.mitre.oval:def:5594
  • comment Microsoft Windows Server 2008 (32-bit) Service Pack 2 is installed
    oval oval:org.mitre.oval:def:5653
  • comment Microsoft Windows Server 2008 x64 Edition Service Pack 2 is installed
    oval oval:org.mitre.oval:def:6216
  • comment Microsoft Windows Server 2008 Itanium-Based Edition Service Pack 2 is installed
    oval oval:org.mitre.oval:def:6150
  • comment Microsoft Windows 7 (32-bit) is installed
    oval oval:org.mitre.oval:def:6165
  • comment Microsoft Windows 7 x64 Edition is installed
    oval oval:org.mitre.oval:def:5950
  • comment Microsoft Windows Server 2008 R2 x64 Edition is installed
    oval oval:org.mitre.oval:def:6438
  • comment Microsoft Windows Server 2008 R2 Itanium-Based Edition is installed
    oval oval:org.mitre.oval:def:5954
description Untrusted search path vulnerability in wab.exe 6.00.2900.5512 in Windows Address Book in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allows local users to gain privileges via a Trojan horse wab32res.dll file in the current working directory, as demonstrated by a directory that contains a Windows Address Book (WAB), VCF (aka vCard), or P7C file, aka "Insecure Library Loading Vulnerability." NOTE: the codebase for this product may overlap the codebase for the product referenced in CVE-2010-3143.
family windows
id oval:org.mitre.oval:def:12352
status accepted
submitted 2010-06-08T13:00:00
title Insecure Library Loading Vulnerability
version 32
refmap via4
cert TA10-348A
exploit-db 14745
misc http://www.attackvector.org/new-dll-hijacking-exploits-many/
ms MS10-096
sectrack 1024878
secunia 41050
Last major update 07-06-2013 - 22:55
Published 27-08-2010 - 15:00
Last modified 26-02-2019 - 09:04
Back to Top