[Snort-sigs] Microsoft MHTML URL Redirection Vulnerability
derekedw at ...144...
Thu Apr 22 20:28:13 EDT 2004
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
Rule: alert tcp any any -> $HOME_NET any (msg:"Microsoft MHTML URL Redirection Attempt"; flow:from_server,established; content:"mhtml|3A|file|3A|"; nocase; reference:cve,CAN-2004-0380; classtype:attempted-user;)
Summary: The "Microsoft MHTML URL Redirection Vulnerability" can allow
an attacker to run arbitrary code specified in malicious HTML provided
on a web server or in an e-mail message.
Impact: High on Microsoft Windows networks where Internet Explorer is
used. Deadly exploits can be constructed simply.
Detailed Information: According to Microsoft, "This vulnerability
occurs because of the way that Outlook Express processes specially
crafted MIME Encapsulation of Aggregate HTML (MHTML) URLs." A
specially-crafted MHTML URL can be used to execute arbitrary code
specified in a remote or local URL in the Local Machine security zone.
Affected Systems: Microsoft Windows
Ease of Attack: Trivial.
False Positives: None known.
False Negatives: This signature is susceptible to evasion where the
HTML includes '&;' or '%' escaped characters. The "http_decode"
preprocessor does not prevent this evasion, as MHTML requests are
Corrective Action: Install patch MS04-013 or stop using Internet
Contributors: Derek Edwards
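As an added illustration of the evasion noted under False Negatives (example code of my own, not part of the posted rule or of Snort): the rule's plain content match compared with the same match after HTML character references and percent-escapes are decoded, run over constructed sample responses. The decoding here is the example's own normalisation step, not the http_decode preprocessor, and the sample URLs are made up.

```python
import html
import re
from urllib.parse import unquote

# Same byte pattern as the rule's content:"mhtml|3A|file|3A|"; nocase
RAW_PATTERN = re.compile(rb"mhtml:file:", re.IGNORECASE)


def raw_match(payload: bytes) -> bool:
    """Mimic the posted rule: a plain case-insensitive content match."""
    return RAW_PATTERN.search(payload) is not None


def normalize(payload: bytes) -> bytes:
    """Undo the two encodings the post names as evasions: HTML character
    references (&#58; and friends) and percent-escapes (%3A).
    Two passes, so one encoding nested inside the other is also unwrapped.
    latin-1 keeps the byte-to-char mapping lossless; encode with 'replace'
    because a character reference may name a code point above 255."""
    text = payload.decode("latin-1")
    for _ in range(2):
        text = html.unescape(text)
        text = unquote(text, encoding="latin-1")
    return text.encode("latin-1", errors="replace")


def normalized_match(payload: bytes) -> bool:
    """The same match applied after normalisation."""
    return RAW_PATTERN.search(normalize(payload)) is not None


# Constructed sample server responses (hypothetical hostnames, not real pages)
SAMPLES = {
    "plain": b'<a href="mhtml:file://example.invalid/page.mht">',
    "entity": b'<a href="&#109;&#104;&#116;&#109;&#108;&#58;file&#58;//example.invalid/page.mht">',
    "percent": b'<a href="mhtml%3Afile%3A//example.invalid/page.mht">',
    "benign": b'<a href="http://example.invalid/page.html">',
}


def evaluate(samples=SAMPLES):
    """Return {name: (raw rule hit, hit after decoding)} for each sample."""
    return {name: (raw_match(p), normalized_match(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:8s} raw={result[0]!s:5s} decoded={result[1]}")
```

The entity and percent samples show the gap the post describes: the raw match misses both, the decoded match catches both, and the benign link is still clean.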