CVE-2006-3281
published 2006-06-28


Priority: P334
Severity: medium, 5.1 (CVSS 2.0)
Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 48.22% (98.7th percentile)
Microsoft Internet Explorer 6.0 does not properly handle Drag and Drop events, which allows remote user-assisted attackers to execute arbitrary code via a link to an SMB file share with a filename that contains encoded ..\ (%2e%2e%5c) sequences and whose extension contains the CLSID Key identifier for HTML Applications (HTA), aka "Folder GUID Code Execution Vulnerability." NOTE: directory traversal sequences were used in the original exploit, although their role is not clear.

Affected

1 ranges
Vendor | Product | Version range | Fixed in
microsoft | internet_explorer | |

Detection & IOCs (extracted from sources)

path: %2e%2e%5cx.{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}
other: CLSID {3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}
command: mkdir test && cd test && mkdir %2e%2e%5cx.{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B} && echo "" > test.html && cd .. && echo "alert('hallo')" > x.{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}
process: MSHTA
  • Detect directory names or file paths containing URL-encoded traversal sequences (%2e%2e%5c) combined with the HTA CLSID {3050f4d8-98B5-11CF-BB82-00AA00BDCE0B} on SMB or WebDAV shares, which is the core exploit artifact.
  • Monitor for mshta.exe spawned from explorer.exe or iexplore.exe as a child process, particularly when the source path originates from a UNC/SMB or WebDAV path, indicating HTA execution via drag-and-drop exploitation.
  • Alert on SMB or WebDAV share access where directory or file names contain the literal string '%2e%2e%5c' or the CLSID '{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}', as these are hallmarks of the exploit payload structure.
  • The exploit can be delivered via WebDAV instead of SMB; monitor for mshta.exe execution triggered by WebDAV-hosted resources with HTA CLSID-named files.
  • The exploit requires user interaction (double-click) in its basic proof-of-concept form, but the researcher notes it can be modified to not require a double-click, lowering the interaction bar.
  • The exploit was demonstrated on Windows Server 2003 Enterprise SP1 and noted as potentially applicable to IE7 Beta 2 with modifications; detection scope should cover multiple Windows versions.
  • CSS tricks can be used to hide the malicious drag-and-drop element from the victim, making visual detection unreliable; network and process-based detections are more robust.
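
The detection notes above, as an added example (not from this page or its sources): it checks a path for the two listed indicators and scores mshta.exe process-creation events by parent process and source path. The event field names, the alert/review/ignore levels and the sample events are assumptions constructed for illustration.

```python
import re
from ntpath import basename  # Windows path semantics on any OS

# Indicators quoted on this page
HTA_CLSID = "{3050f4d8-98b5-11cf-bb82-00aa00bdce0b}"
ENCODED_TRAVERSAL = "%2e%2e%5c"
SUSPICIOUS_PARENTS = {"explorer.exe", "iexplore.exe"}
# UNC prefix (\\host\share); the Windows WebDAV redirector also presents paths this way
REMOTE_PATH = re.compile(r"\\\\[^\\\s]+\\|https?://", re.IGNORECASE)

def path_indicators(path):
    """Return the set of page-listed indicators present in a file or directory path."""
    lowered = path.lower()
    hits = set()
    if ENCODED_TRAVERSAL in lowered:
        hits.add("encoded_traversal")
    if HTA_CLSID in lowered:
        hits.add("hta_clsid")
    return hits

def score_process_event(event):
    """Score one process-creation event; the field names are hypothetical."""
    if basename(event["image"]).lower() != "mshta.exe":
        return "ignore", set()
    reasons = set()
    if basename(event["parent_image"]).lower() in SUSPICIOUS_PARENTS:
        reasons.add("parent_is_shell_or_ie")
    if REMOTE_PATH.search(event["command_line"]):
        reasons.add("remote_source")
    reasons |= path_indicators(event["command_line"])
    if {"parent_is_shell_or_ie", "remote_source"} <= reasons or "hta_clsid" in reasons:
        return "alert", reasons
    return ("review" if reasons else "ignore"), reasons

# Constructed sample events (not captured from a real system)
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'mshta.exe "\\fileserver.example\share\%2e%2e%5cx.'
                     r'{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}"'},
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'mshta.exe "C:\Tools\inventory.hta"'},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(score_process_event(ev), ev["command_line"])
```

Matching is case-insensitive because the CLSID appears in mixed case on the page; a path that has already been URL-decoded by a proxy or log pipeline will no longer contain the literal `%2e%2e%5c`, so the CLSID check is the more durable of the two.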