CVE-2006-3281
Published 2006-06-28
Priority: P334, medium
CVSS 2.0: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 48.22% (98.7th percentile)
Microsoft Internet Explorer 6.0 does not properly handle Drag and Drop events, which allows remote user-assisted attackers to execute arbitrary code via a link to an SMB file share with a filename that contains encoded ..\ (%2e%2e%5c) sequences and whose extension contains the CLSID Key identifier for HTML Applications (HTA), aka "Folder GUID Code Execution Vulnerability." NOTE: directory traversal sequences were used in the original exploit, although their role is not clear.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
Detection & IOCs (extracted from sources)
Command: `mkdir test && cd test && mkdir %2e%2e%5cx.{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B} && echo "" > test.html && cd .. && echo "alert('hallo')" > x.{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}`
- Detect directory names or file paths containing URL-encoded traversal sequences (%2e%2e%5c) combined with the HTA CLSID {3050f4d8-98B5-11CF-BB82-00AA00BDCE0B} on SMB or WebDAV shares, which is the core exploit artifact.
- Monitor for mshta.exe spawned from explorer.exe or iexplore.exe as a child process, particularly when the source path originates from a UNC/SMB or WebDAV path, indicating HTA execution via drag-and-drop exploitation.
- Alert on SMB or WebDAV share access where directory or file names contain the literal string '%2e%2e%5c' or the CLSID '{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}', as these are hallmarks of the exploit payload structure.
- The exploit can be delivered via WebDAV instead of SMB; monitor for mshta.exe execution triggered by WebDAV-hosted resources with HTA CLSID-named files.
- The exploit requires user interaction (double-click) in its basic proof-of-concept form, but the researcher notes it can be modified to not require a double-click, lowering the interaction bar.
- The exploit was demonstrated on Windows Server 2003 Enterprise SP1 and noted as potentially applicable to IE7 Beta 2 with modifications; detection scope should cover multiple Windows versions.
- CSS tricks can be used to hide the malicious drag-and-drop element from the victim, making visual detection unreliable; network and process-based detections are more robust.
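The path and process checks listed above can be combined into one triage function. The following is an added example, not a rule from this page's sources; the event schema (`type`, `path`, `image`, `parent`, `cmdline`), the alert names and the sample events are constructed assumptions.

```python
import re

# Indicators taken from the page; matched case-insensitively because the
# CLSID and the percent-encoding can appear in mixed case.
ENC_TRAVERSAL = re.compile(r"%2e%2e%5c", re.I)
HTA_CLSID = re.compile(r"\{3050f4d8-98b5-11cf-bb82-00aa00bdce0b\}", re.I)
# UNC path (SMB, or WebDAV through the redirector) or an http(s) URL.
REMOTE = re.compile(r"(\\\\[^\\\s]+\\|https?://)", re.I)
PARENTS = {"explorer.exe", "iexplore.exe"}

def basename(image):
    """Lower-cased file name of a Windows image path."""
    return re.split(r"[\\/]", image)[-1].lower()

def path_indicators(path):
    """Return the exploit-path indicators present in a share path."""
    found = []
    if ENC_TRAVERSAL.search(path):
        found.append("encoded-traversal")
    if HTA_CLSID.search(path):
        found.append("hta-clsid")
    return found

def classify(event):
    """Map one event (hypothetical normalized schema) to an alert name or None."""
    if event["type"] == "share_access":
        hits = path_indicators(event["path"])
        if len(hits) == 2:
            return "exploit-path-structure"  # both hallmarks together
        return "suspicious-share-name" if hits else None
    if (event["type"] == "process_create"
            and basename(event["image"]) == "mshta.exe"
            and basename(event["parent"]) in PARENTS):
        remote = REMOTE.search(event["cmdline"]) is not None
        return "mshta-from-remote-path" if remote else "mshta-from-shell-or-browser"
    return None

# Constructed sample events, not taken from any real log.
CLSID = "{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}"
SAMPLES = [
    {"type": "share_access", "path": r"\\fileserver\pub\test\%2e%2e%5cx." + CLSID},
    {"type": "share_access", "path": r"\\fileserver\pub\reports\q2.xls"},
    {"type": "process_create", "image": r"C:\WINDOWS\system32\mshta.exe",
     "parent": r"C:\Program Files\Internet Explorer\IEXPLORE.EXE",
     "cmdline": r'mshta.exe "\\fileserver\pub\x.' + CLSID + '"'},
    {"type": "process_create", "image": r"C:\WINDOWS\system32\notepad.exe",
     "parent": r"C:\WINDOWS\explorer.exe", "cmdline": "notepad.exe"},
]
```

Calling `classify` on each entry of `SAMPLES` flags the first and third events and leaves the benign share access and the notepad launch alone.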
No detection rules found.
No writeups or analysis indexed.
- http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/047398.html
- http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060627/3d930eda/PLEBO-2006.06.16-IE_ONE_MINOR_ONE_MAJOR.obj
- http://secunia.com/advisories/20825
- http://securitytracker.com/id?1016388
- http://www.kb.cert.org/vuls/id/655100
- http://www.securityfocus.com/bid/19389
- http://www.us-cert.gov/cas/techalerts/TA06-220A.html
- http://www.vupen.com/english/advisories/2006/2553
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-045
- https://exchange.xforce.ibmcloud.com/vulnerabilities/27456
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A318