[Snort-sigs] Microsoft MHTML URL Redirection Attempt; rev:2;

Derek Edwards derekedw at ...144...
Sat Apr 24 06:33:01 EDT 2004


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:  alert tcp any any -> $HOME_NET any (msg:"Microsoft MHTML URL Redirection Attempt"; flow:from_server,established; content:"mhtml|3A|file|3A|"; nocase; reference:cve,CAN-2004-0380; reference:url,www.microsoft.com/technet/security/bulletin/MS04-013.mspx; classtype:web-application-attack; rev:2;)


--
Sid:

--
Summary:  The "Microsoft MHTML URL Redirection Vulnerability" can allow
an attacker to run arbitrary code specified in malicious HTML provided
on a web server or in an e-mail message.

--
Impact:  High on Microsoft Windows networks where Internet Explorer is
used extensively.  Deadly exploits can be constructed simply.

--
Detailed Information:  According to Microsoft, "This vulnerability
occurs because of the way that Outlook Express processes specially
crafted MIME Encapsulation of Aggregate HTML(MHTML) URLs."  

--
Affected Systems:  Microsoft Windows

--
Attack Scenarios:  

--
Ease of Attack:

--
False Positives:  None known.

--
False Negatives:  This signature is susceptible to evasion where the
HTML includes '&;' or '%' escaped characters.  The "http_decode"
preprocessor does not prevent this evasion, as MHTML requests are
processed locally.

--
Corrective Action:  Install patch MS04-013 or stop using Internet
Explorer.

--
Contributors:  Derek Edwards

-- 
Additional References:


=====
--  
  Derek Edwards, CISSP/CEH                     derekedw at ...144...
                         Soli Deo Gloria
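
Added example (not part of the original post or of Snort): the False Negatives section above notes that HTML '&;' references and '%' escapes get past the raw content match. The Python sketch below compares the rule's raw match with a match made after decoding both encodings; the sample bodies, the PLACEHOLDER path and the MAX_ROUNDS bound are constructed assumptions.

```python
import html
from urllib.parse import unquote

SIGNATURE = "mhtml:file:"   # same bytes as the rule's content:"mhtml|3A|file|3A|"
MAX_ROUNDS = 4              # assumed bound on nested encodings


def raw_match(body: str) -> bool:
    """Mimic the rule: case-insensitive substring match on the undecoded body."""
    return SIGNATURE in body.lower()


def normalize(body: str) -> str:
    """Decode HTML character references and %-escapes until the text is stable."""
    for _ in range(MAX_ROUNDS):
        decoded = unquote(html.unescape(body))
        if decoded == body:
            break
        body = decoded
    return body


def normalized_match(body: str) -> bool:
    """Apply the same signature after decoding, as the client would see it."""
    return SIGNATURE in normalize(body).lower()


# Constructed sample bodies (placeholders, not captured traffic).
SAMPLES = {
    "plain":   '<img src="MHTML:file://PLACEHOLDER">',
    "entity":  '<img src="mhtml&#58;file&#x3A;//PLACEHOLDER">',
    "percent": '<img src="mhtml%3Afile%3a//PLACEHOLDER">',
    "mixed":   '<img src="mhtml&#37;3Afile&#58;//PLACEHOLDER">',
    "benign":  '<a href="http://example.com/mhtml/file.html">doc</a>',
}


def compare(samples=SAMPLES):
    """Return {name: (raw_hit, normalized_hit)} for each sample body."""
    return {n: (raw_match(b), normalized_match(b)) for n, b in samples.items()}


if __name__ == "__main__":
    for name, (raw, norm) in compare().items():
        print(f"{name:8} raw={raw!s:5} normalized={norm}")
```

Only the "plain" body is caught by the raw match; the three encoded bodies are caught only after decoding, and the benign link matches neither.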




