HTTP: Internet Explorer HTML Help Zone Bypass
This signature detects attempts to invoke the HTML Help ActiveX control in a web page with the location of the help file set to a local file. If attackers have previously placed a help file on the local drive, they can use this exploit to execute code with user privileges on a target host running Microsoft Internet Explorer.
Extended Description
Internet Explorer 6.0 on Windows XP SP2 allows remote attackers to execute arbitrary code by using the "Related Topics" command in the Help ActiveX Control (hhctrl.ocx) to open a Help popup window containing the PCHealth tools.htm file in the local zone and injecting Javascript to be executed, as demonstrated using "writehta.txt" and the ADODB recordset, which saves a .HTA file to the local system, aka the "HTML Help ActiveX control Cross Domain Vulnerability."
Affected Products
Microsoft internet_explorer
References
BugTraq: 11467
CVE: CVE-2004-1043
URL: http://www.microsoft.com/technet/security/Bulletin/MS05-001.mspx http://www.kb.cert.org/vuls/id/939688
Short Name
HTTP:STC:IE:HTML-HELP-ZONE-BP
Severity
Minor
Recommended
False
Recommended Action
None
Category
HTTP
Keywords
Bypass CVE-2004-1043 Explorer HTML Help Internet Zone bid:11467
Release Date
10/27/2004
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3761
False Positive
Unknown
Vendors
Microsoft
CVSS Score
5.0