Juniper Networks

Signature Detail

Short Name: HTTP:STC:DL:MAL-MDB
Severity: Critical
Recommended: No
Recommended Action: Drop
Category: HTTP
Keywords: Malicious .MDB File Access through HTTP
Release Date: 2005/04/11
Update Number: 1213
Supported Platforms: idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

HTTP: Malicious .MDB File Access through HTTP


This signature detects malicious .MDB files transmitted through HTTP. Attackers can craft a malicious MDB database and provide an HTTP link to it to a target system; when the user opens the link, the database is opened by the default handler (typically the MS-Jet DLL), which might enable the attacker to execute code.

Extended Description

Microsoft Jet Database Engine is prone to a buffer overflow because the library fails to properly bounds-check the contents of user-supplied database files. Attackers may exploit this vulnerability to execute arbitrary machine code in the context of the user who tries to access a malicious Jet database file. The vulnerability is reported to reside in the 'msjet40.dll' library, version 4.00.8618.0. Older versions may also be affected. The 'msjetole40.dll' OLE (Object Linking and Embedding) library is reportedly immune to this vulnerability. The Backdoor.Hesive trojan is reported to employ this vulnerability to install itself on vulnerable computers. Please see the web reference for more information.

Affected Products

  • Microsoft Access 2000 SP2
  • Microsoft Access 2000 SP3
  • Microsoft Access 2000 SR1
  • Microsoft Access 2000
  • Microsoft Access 2002 SP1
  • Microsoft Access 2002 SP2
  • Microsoft Access 2002
  • Microsoft Access 2003
  • Microsoft JET 2.0
  • Microsoft JET 2.5
  • Microsoft JET 3.0
  • Microsoft JET 3.5
  • Microsoft JET 3.51
  • Microsoft JET 3.51 SP3
  • Microsoft JET 4.0
  • Microsoft JET 4.0 SP1
  • Microsoft JET 4.0 SP2
  • Microsoft JET 4.0 SP3
  • Microsoft JET 4.0 SP4
  • Microsoft JET 4.0 SP5
  • Microsoft JET 4.0 SP6
  • Microsoft JET 4.0 SP7

References

  • BugTraq: 12960
  • CVE: CVE-2005-0944
  • CVE: CVE-2007-6026
  • CVE: CVE-2008-1092
  • URL: http://www.securitytracker.com/alerts/2005/Mar/1013618.html
  • URL: http://www.frsirt.com/english/advisories/2005/0306
  • URL: http://www.hexview.com/docs/20050331-1.txt

Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.