HTTP: Malicious .MDB File Access through HTTP

This signature detects malicious .MDB files transmitted through HTTP. Attackers can craft a malicious MDB database and provide an HTTP link to a target system; when the user opens the link, the database is opened by the default handler (typically the MS-Jet DLL), which might enable the attacker to execute code.

Extended Description

The Microsoft Jet Database Engine contains a buffer overflow because the library fails to properly bounds-check the contents of user-supplied database files. Attackers may exploit this vulnerability to execute arbitrary machine code in the context of the user who tries to access a malicious Jet database file. The vulnerability is reported to reside in the 'msjet40.dll' library, version 4.00.8618.0. Older versions may also be affected. The 'msjetole40.dll' OLE (Object Linking and Embedding) library is reportedly immune to this vulnerability. The Backdoor.Hesive trojan is reported to employ this vulnerability to install itself on vulnerable computers. Please see the web reference for more information.

Affected Products

Microsoft access_2002

Short Name
HTTP:STC:DL:MAL-MDB
Severity
Critical
Recommended
False
Recommended Action
Drop
Category
HTTP
Keywords
.MDB Access CVE-2005-0944 CVE-2007-6026 CVE-2008-1092 File HTTP Malicious bid:12960 bid:26468 through
Release Date
04/12/2005
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version
3724
False Positive
Unknown
Vendors

Microsoft

CVSS Score

7.5

9.3
