ProCurve TMS zl Module IPS/IDS Signature Reference Guide, Version RLX.10.2.2.94
Signature ID: 1458
Microsoft Internet Explorer CHM File Execution via URL specified for ShowHelp Method Vulnerability
Threat Level: Warning
Industry ID: CVE-2003-1014 CVE-2004-0475 CVE-2004-0201 CVE-2003-1041 Bugtraq: 9320,10348,10705
Signature Description: Microsoft Internet Explorer is affected by a file execution vulnerability that may permit unauthorized execution of locally stored compiled help files (.CHM). The ShowHelp() method is used to launch a Help file with the local HTML Help Windows application. The vulnerability exists in the ShowHelp() function, which can reference local compiled help files without restriction. By making use of other vulnerabilities, a remote attacker can plant a .CHM file on the victim machine, and that file can then be executed with the help of this vulnerability. The vulnerability can be exploited by constructing a web page that refers to the already planted .CHM file through the ShowHelp method, which takes the help file as an argument. The location of the CHM file can be passed to the ShowHelp method using the HTML Help protocol, which takes the form ms-its: or mk:@MSITStore:. It is also possible to refer to the CHM file by using directory traversal techniques and special syntax. Exploitation of this vulnerability would require the user to visit a malicious website or otherwise visit a crafted URL and then take several interactive steps. Administrators are advised to install the updates mentioned in MS04-023.
Signature ID: 1459
Microsoft Internet Explorer InstallEngineCtl SetCifFile Argument Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-0216 Bugtraq: 11366
Signature Description: Active Setup Technology in Microsoft Internet Explorer allows an installation program to receive additional files from the Internet that are needed for program initialization. The Install Engine ActiveX control (inseng.dll) module, which is part of the Active Setup technology, contains a buffer overflow. The Active Setup Controls ActiveX component 'asctrls.ocx' provides the properties BaseUrl and SetCifFile. BaseUrl takes one argument, the path where downloaded components, including cabinet files, are found. SetCifFile takes two arguments, a cabinet file and a component information file, and sets the component information file (.cif). When the SetCifFile() method is called with a first parameter (the '.cab' file name) that is a string longer than about 2 KB, an integer overflow occurs when calculating the buffer space allowed for copying the base URL. This also leads to a heap-based overflow when the string provided as the first parameter is concatenated onto the end of the BaseUrl. Successful exploitation could execute arbitrary code with the privileges of the user logged on to the target machine. An attacker could exploit this vulnerability by hosting the malicious Web page on a Web site or by sending it to a victim as an HTML email. Administrators are advised to install the updates mentioned in MS04-038; alternatively, users can set the kill bit for the CLSID 6E449683-C509-11CF-AAFA-00AA00B6015C to resolve this issue.
Signature ID: 1460
Microsoft Internet Explorer InstallEngineCtl SetCifFile Argument Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-0216 Bugtraq: 11366
Signature Description: Active Setup Technology in Microsoft Internet Explorer allows an installation program to receive additional files from the Internet that are needed for program initialization. The Install Engine ActiveX control (inseng.dll) module, which is part of the Active Setup technology, contains a buffer overflow. The Active Setup Controls ActiveX component 'asctrls.ocx' provides the properties BaseUrl and SetCifFile. BaseUrl takes one argument, the path where downloaded components, including cabinet files, are found. SetCifFile takes two arguments, a cabinet file and a component information file, and sets the component information file (.cif). A .cif file specifies all the files needed to install or update the software. When the SetCifFile() method is called with a first parameter (the '.cab' file name) that is a string longer than about 2 KB, an integer overflow occurs when