Signature Detail

HTTP: Internet Explorer FTP Handler Remote Command Execution

This signature detects the download of a malicious Web page containing a malformed FTP URL. This URL can cause Microsoft Internet Explorer to execute additional commands on a remote FTP server without the user's knowledge.

Extended Description

Microsoft Internet Explorer is reported prone to an arbitrary FTP server command-execution vulnerability. This issue is due to the application's failure to properly sanitize user-supplied URI input before using it to execute FTP commands on remote servers. This vulnerability allows attackers to embed arbitrary FTP server commands in malicious URIs. Upon following this malicious URI, the victim user's browser will reportedly connect to the attacker-specified FTP server, and the malicious commands will be sent to the server. This may allow malicious files to be downloaded to the victim's computer without their knowledge. Other attacks are also likely possible. Note: Reportedly, this issue can be leveraged to send email to arbitrary addresses without user interaction.

Affected Products

• Microsoft Internet Explorer 5.0.1
• Microsoft Internet Explorer 5.0.1 SP1
• Microsoft Internet Explorer 5.0.1 SP2
• Microsoft Internet Explorer 5.0.1 SP3
• Microsoft Internet Explorer 5.0.1 SP4
• Microsoft Internet Explorer 6.0
• Microsoft Internet Explorer 6.0 SP1
• Nortel Networks CallPilot 1002Rp
• Nortel Networks CallPilot 200I
• Nortel Networks CallPilot 201I
• Nortel Networks CallPilot 702T
• Nortel Networks CallPilot 703T
• Nortel Networks Centrex IP Client Manager
• Nortel Networks Centrex IP Element Manager
• Nortel Networks Contact Center - Agent Desktop Display
• Nortel Networks Symposium Agent

References

• BugTraq: 11826
• CVE: CVE-2004-1166
• URL: http://www.securityfocus.com/archive/1/383722/2004-12-06/2004-12-12/0
• URL: http://www.securitytracker.com/alerts/2004/Dec/1012444.html