Signature Detail

HTTP: Microsoft Windows Folder GUID Code Execution

This signature detects attempts to exploit a known vulnerability in Microsoft Windows. The vulnerability is caused by an error during the handling of directories containing CLSID extensions. An attacker can exploit this vulnerability by enticing a user into executing a malicious HTA file via a specially crafted web page or file share. In an attack case where code injection is successful, the behaviour of the target is entirely dependent on the intended function of the injected code. The code in such a case would execute within the security context of the current user.

Extended Description

Microsoft Internet Explorer 6.0 does not properly handle Drag and Drop events, which allows remote user-assisted attackers to execute arbitrary code via a link to an SMB file share with a filename that contains encoded ..\ (%2e%2e%5c) sequences and whose extension contains the CLSID Key identifier for HTML Applications (HTA), aka "Folder GUID Code Execution Vulnerability." NOTE: directory traversal sequences were used in the original exploit, although their role is not clear.

Affected Products

• microsoft ie 6.0

References

• BugTraq: 19389
• CVE: CVE-2006-3281