[Snort-sigs] Microsoft MHTML URL Redirection Attempt; rev:2;

Derek Edwards derekedw at ...144...
Sat Apr 24 06:33:01 EDT 2004

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

Rule:  alert tcp any any -> $HOME_NET any (msg:"Microsoft MHTML URL Redirection Attempt"; flow:from_server,established; content:"mhtml|3A|file|3A|"; nocase; reference:cve,CAN-2004-0380; classtype:web-application-attack; rev:2;)


Summary:  The "Microsoft MHTML URL Redirection Vulnerability" can allow
an attacker to run arbitrary code specified in malicious HTML provided
on a web server or in an e-mail message.

Impact:  High on Microsoft Windows networks where Internet Explorer is
used extensively.  Deadly exploits can be constructed simply.

Detailed Information:  According to Microsoft, "This vulnerability
occurs because of the way that Outlook Express processes specially
crafted MIME Encapsulation of Aggregate HTML (MHTML) URLs."

Affected Systems:  Microsoft Windows

Attack Scenarios:  

Ease of Attack:

False Positives:  None known.

False Negatives:  This signature is susceptible to evasion where the
HTML includes '&;' or '%' escaped characters.  The "http_decode"
preprocessor does not prevent this evasion, as MHTML requests are
processed locally.

Corrective Action:  Install patch MS04-013 or stop using Internet

Contributors:  Derek Edwards

Additional References:

  Derek Edwards, CISSP/CEH                     derekedw at ...144...
                         Soli Deo Gloria
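The False Negatives section above notes that the rule's raw byte match misses entity- or percent-escaped forms of "mhtml:file:". The following is an added Python example (not part of the original post and not Derek Edwards' code) that runs the rule's content match with and without a decoding pass over constructed sample bodies, so the gap can be measured; the sample bodies, function names and the iterative decoding loop are assumptions of this example.

```python
import html
import re
from urllib.parse import unquote

# Pattern from the posted rule: content:"mhtml|3A|file|3A|"; nocase;
RAW_PATTERN = re.compile(r"mhtml:file:", re.IGNORECASE)


def snort_style_match(body: str) -> bool:
    """Mimic the rule as posted: case-insensitive byte match, no decoding."""
    return RAW_PATTERN.search(body) is not None


def normalize(body: str) -> str:
    """Undo the escapes the post names as evasions (HTML entities and
    percent-encoding), repeating until the text stops changing so that
    nested encodings are also unwrapped."""
    prev, cur = None, body
    while cur != prev:
        prev = cur
        cur = unquote(html.unescape(cur))
    return cur


def normalized_match(body: str) -> bool:
    """Same content match, applied after decoding (assumed hardening)."""
    return RAW_PATTERN.search(normalize(body)) is not None


# Constructed sample HTML fragments for testing the two matchers.
SAMPLES = {
    "plain":   '<a href="mhtml:file://C:/sample.mht">x</a>',
    "entity":  '<a href="mhtml&#58;file&#58;//C:/sample.mht">x</a>',
    "percent": '<a href="mhtml%3Afile%3A//C:/sample.mht">x</a>',
    "nested":  '<a href="mhtml%26%2358%3Bfile%3A//C:/sample.mht">x</a>',
    "benign":  '<a href="http://example.invalid/page.html">x</a>',
}


def evaluate(samples=SAMPLES):
    """Return {name: (raw_rule_hit, decoded_rule_hit)} for each sample."""
    return {n: (snort_style_match(b), normalized_match(b)) for n, b in samples.items()}


if __name__ == "__main__":
    for name, (raw, decoded) in evaluate().items():
        print(f"{name:8s} raw={raw!s:5s} decoded={decoded}")
```

Only the "plain" sample trips the raw match; the decoded pass catches the escaped variants without flagging the benign link.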
