HTTP: Internet Explorer Text Help Zone Bypass

This signature detects attempts to invoke the HTML Help ActiveX control in a Web page, with the location of the help file set to a local file. If attackers previously placed a help file on the local drive, they can use this exploit to execute code with user privileges on a target host running Microsoft Internet Explorer.

Extended Description

The Microsoft Windows HTML Help ActiveX control (hhctrl.ocx) is prone to a vulnerability that may permit cross-zone scripting. The HTML Help control is a component that allows help functionality to be inserted in an HTML file. The vulnerability can be exploited through Internet Explorer or other applications that use the same HTML rendering engine. Specifically, Internet Explorer can be coerced into opening remote HTML Help content within the Windows Help system.

It was previously reported that this issue required a second issue (namely BID 11466) to place malicious code onto the affected computer. However, this has recently been shown to be untrue; this issue alone may be used to execute code in other Security Zones such as the Local Zone. An attacker could also exploit this issue in a cross-domain scripting attack that allows script code to access the properties of a window in a foreign domain.

The original proof of concept, which uses the issue outlined in BID 11466, and the later proofs of concept employ various ADODB methods such as ADODB.Connection and ADODB.recordset to write arbitrary malicious code to the file system in the form of an '.HTA' file.

Update: A new variant of this attack is available that could allow for execution of arbitrary script code in other domains and other zones.

Affected Products

Microsoft windows_server_2003_datacenter_edition

Short Name
HTTP:STC:IE:TEXT-HELP-ZONE-BP
Severity
Major
Recommended
False
Recommended Action
Drop
Category
HTTP
Keywords
Bypass CVE-2004-1043 Explorer Help Internet Text Zone bid:11467
Release Date
10/27/2004
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version
3336
False Positive
Unknown
Vendors

Nortel_networks

Microsoft

CVSS Score

5.0
