Windows Remote Execution Flaw – Binary Planting

The Register says at least 40 applications and the Windows operating system are vulnerable to remote-code execution. Here is the bit that caught my attention:

“Since Windows systems by default have the Web Client service running – which makes remote network shares accessible via WebDAV – the malicious DLL can also be deployed from an Internet-based network share as long as the intermediate firewalls allow outbound HTTP traffic to the Internet.”

This immediately reminded me of CVE-2010-2568, the recent and infamous Windows shell exploit that also relied on the WebClient based on Web Distributed Authoring and Versioning (WebDAV). Could it be coincidence or was someone researching that exploit — they tried the same attack vector from the network — when they found this one? I know I was asking why a WebDAV exploit was used for the USB-based attack and whether it would work with a network share. That itch is now scratched.

I wrote earlier:

“WebClient is even disabled by default in server versions of Windows since 2003.”

That contradicts The Register but it is true. I just checked again and as far as I can tell not all Windows systems have WebClient enabled. Many more should probably have it disabled by default.
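
One way to settle the question for your own machines is to query the WebClient service directly. The PowerShell below is an added example, not part of the original post; the function name `Get-WebClientExposure` and the exposure labels are hypothetical, and remote queries assume WinRM/CIM access to the hosts you name.

```powershell
# Added example: report whether the WebClient (WebDAV redirector) service
# is installed, running, or able to start on each host.
function Get-WebClientExposure {
    [CmdletBinding()]
    param(
        # Hosts to audit; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    foreach ($computer in $ComputerName) {
        $query = @{
            ClassName   = 'Win32_Service'
            Filter      = "Name='WebClient'"
            ErrorAction = 'Stop'
        }
        # Query the local host directly; remote hosts go through CIM/WinRM.
        if ($computer -ne $env:COMPUTERNAME) { $query.ComputerName = $computer }

        $state = 'Unknown'; $startMode = 'Unknown'
        try {
            $svc = Get-CimInstance @query
            if (-not $svc) {
                # Service is not present on this installation.
                $state = '-'; $startMode = '-'; $exposure = 'NotInstalled'
            } else {
                $state = $svc.State; $startMode = $svc.StartMode
                if ($svc.State -eq 'Running') {
                    $exposure = 'Active'      # WebDAV shares reachable right now
                } elseif ($svc.StartMode -eq 'Disabled') {
                    $exposure = 'Disabled'    # cannot be started until re-enabled
                } else {
                    # Stopped but Manual/Auto: Windows can still start it
                    # on demand when a WebDAV path is accessed.
                    $exposure = 'CanStart'
                }
            }
        } catch {
            $exposure = "QueryFailed: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Computer  = $computer
            State     = $state
            StartMode = $startMode
            Exposure  = $exposure
        }
    }
}

Get-WebClientExposure | Format-Table -AutoSize
```

Only hosts reporting `Disabled` or `NotInstalled` have the WebDAV path closed. Where the service is not needed, `Stop-Service WebClient` followed by `Set-Service WebClient -StartupType Disabled` moves a host into that state.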
