CVE-2004-1043
published 2004-12-31
CVE-2004-1043: Internet Explorer 6.0 on Windows XP SP2 allows remote attackers to execute arbitrary code by using the "Related Topics" command in the Help ActiveX Control…
Priority P264 · medium · 5 · CVSS 2.0
AV:N/AC:L/Au:N/C:N/I:P/A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 44.98% (98.6th percentile)
Internet Explorer 6.0 on Windows XP SP2 allows remote attackers to execute arbitrary code by using the "Related Topics" command in the Help ActiveX Control (hhctrl.ocx) to open a Help popup window containing the PCHealth tools.htm file in the local zone and injecting Javascript to be executed, as demonstrated using "writehta.txt" and the ADODB recordset, which saves a .HTA file to the local system, aka the "HTML Help ActiveX control Cross Domain Vulnerability."
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
Detection & IOCs
- Monitor for .HTA files written to any All Users Startup folder path across multiple locales (English, Spanish, French, German, etc.), as the exploit drops a malicious HTA to achieve persistence via autorun.
- Detect ADODB.Connection instantiation with a Microsoft Text Driver connecting to a remote HTTP URL (Dbq=http://...), which is the mechanism used to fetch and execute the payload script.
- Detect use of ADODB.recordset Save method writing to Startup folder paths, a key persistence step in this exploit chain.
- Detect msxml2.XMLHTTP used in combination with adodb.stream savetofile to drop executables to disk (C:\malware.exe), a classic in-browser download-and-execute pattern triggered from the injected HTA payload.
- Alert on HHClick() JavaScript method calls originating from web content, particularly chained with setTimeout, as this is the trigger mechanism for the HTML Help ActiveX cross-domain exploitation.
- Detect hhctrl.ocx being invoked from Internet Explorer to open local-zone Help files (tools.htm / PCHealth), which is the initial cross-domain boundary bypass step.
- The exploit targets Internet Explorer 6.0 specifically on Windows XP SP2; the attack path and file drop locations are specific to this OS/browser combination and will not apply to later Windows versions with different profile path structures.
- The Startup folder path used to drop the .HTA persistence payload varies by Windows locale (Spanish, French, German, Danish, Dutch, Polish, Italian, Finnish, Turkish, Norwegian, Swedish, Portuguese); detection rules must account for all locale variants.
CVSS provenance
- nvd: v2.0, 5.0 MEDIUM, AV:N/AC:L/Au:N/C:N/I:P/A:N
- vulncheck: 5.0 MEDIUM
GHSA
GHSA-f6q2-pg79-66p3: Internet Explorer 6
ghsa_unreviewed · 2022-04-29
CVE-2004-1043 [MEDIUM] GHSA-f6q2-pg79-66p3: Internet Explorer 6
VulnCheck
Microsoft Internet Explorer HTML Help ActiveX control Cross Domain Vulnerability
vulncheck · 2004 · CVSS 5.0
CVE-2004-1043 [MEDIUM] Microsoft Internet Explorer HTML Help ActiveX control Cross Domain Vulnerability
Affected: Microsoft Internet Explorer
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://learn.microsoft.com/en
No detection rules found.
No writeups or analysis indexed.
- http://archives.neohapsis.com/archives/bugtraq/2004-12/0426.html
- http://www.kb.cert.org/vuls/id/972415
- http://www.us-cert.gov/cas/techalerts/TA05-012B.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-001
- https://exchange.xforce.ibmcloud.com/vulnerabilities/18311
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1349
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1963
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2830
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A3496