SMTP: HSC HCP URL Quote Script Execution
This signature detects attempts to exploit a known vulnerability in URL handling with the Microsoft Help and Support Center (HSC) when invoked with an hcp:// URL. By embedding a quote (") character in the URL, HSC can be instructed to load an arbitrary local file or remote Web page, which can then be used to execute scripts in the local zone.
Extended Description
Microsoft has reported a vulnerability in the Help and Support Center that is related to how HCP URIs are validated. This issue could reportedly be exploited via a malicious web page or HTML e-mail to execute arbitrary code on a client system. The issue may permit an attacker to inject invocation arguments when HCP URIs cause the HelpCtr.exe component to be executed. By placing malicious content into a known location on the system, whose contents the attacker may influence via a malicious web page, it is possible to exploit this issue to cause the malicious content to be executed in the Local Zone. It should be noted that the vulnerable functionality is included in Microsoft Windows ME but that the vendor has not considered this vulnerability to pose a serious threat to users of this operating system. The vendor has not qualified why the threat is reduced for Windows ME users.
Affected Products
Avaya s8100_media_servers,Microsoft windows_xp_tablet_pc_edition
Short Name
SMTP:EXPLOIT:HCP-QUOTE-SCRIPT
Severity
Major
Recommended
False
Recommended Action
Drop
Category
SMTP
Keywords
CVE-2003-0907 Execution HCP HSC Quote Script URL bid:10119
Release Date
04/20/2004
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3375
False Positive
Unknown
Vendors
Microsoft
Avaya
CVSS Score
5.1