CVE-2004-1043 - Unspecified vulnerability in Microsoft Internet Explorer and Windows XP

CVSS 5.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: PARTIAL
Availability impact: NONE
Tags: network, low complexity, microsoft, nessus, exploit available

Summary

Internet Explorer 6.0 on Windows XP SP2 allows remote attackers to execute arbitrary code by using the "Related Topics" command in the Help ActiveX Control (hhctrl.ocx) to open a Help popup window containing the PCHealth tools.htm file in the local zone and injecting Javascript to be executed, as demonstrated using "writehta.txt" and the ADODB recordset, which saves a .HTA file to the local system, aka the "HTML Help ActiveX control Cross Domain Vulnerability."

Vulnerable Configurations

Part         Description   Count
Application  Microsoft     1
OS           Microsoft     1

Exploit-Db

description: MS Internet Explorer (<= XP SP2) HTML Help Control Local Zone Bypass. CVE-2004-1043. Remote exploit for windows platform
id: EDB-ID:719
last seen: 2016-01-31
modified: 2004-12-25
published: 2004-12-25
reporter: Paul
source: https://www.exploit-db.com/download/719/
title: Microsoft Internet Explorer <= XP SP2 - HTML Help Control Local Zone Bypass

Nessus

  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2005-072.NASL
    description: A number of vulnerabilities are addressed in this PHP update : Stefano Di Paolo discovered integer overflows in PHP
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18091
    published: 2005-04-19
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/18091
    title: Mandrake Linux Security Advisory : php (MDKSA-2005:072)
    note: this plugin's script_cve_id lists CVE-2005-1043, not CVE-2004-1043; its description text cites CVE-2004-1043 for the EXIF recursion issue, which is the only link to this page. The check below is for PHP packages and does not detect the HTML Help control issue.
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2005:072. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(18091);
      script_version ("1.20");
      script_cvs_date("Date: 2019/08/02 13:32:47");
    
      script_cve_id("CVE-2004-1018", "CVE-2004-1063", "CVE-2004-1064", "CVE-2005-0524", "CVE-2005-0525", "CVE-2005-1042", "CVE-2005-1043");
      script_xref(name:"MDKSA", value:"2005:072");
    
      script_name(english:"Mandrake Linux Security Advisory : php (MDKSA-2005:072)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A number of vulnerabilities are addressed in this PHP update :
    
    Stefano Di Paolo discovered integer overflows in PHP's pack(),
    unpack(), and shmop_write() functions which could allow a malicious
    script to break out of safe mode and execute arbitrary code with
    privileges of the PHP interpreter (CVE-2004-1018; this was previously
    fixed in Mandrakelinux >= 10.0 in MDKSA-2004:151).
    
    Stefan Esser discovered two safe mode bypasses which would allow
    malicious scripts to circumvent path restrictions by using
    virtual_popen() with a current directory containing shell meta-
    characters (CVE-2004-1063) or by creating a specially crafted
    directory whose length exceeded the capacity of realpath()
    (CVE-2004-1064; both of these were previously fixed in Mandrakelinux
    >= 10.0 in MDKSA-2004:151).
    
    Two Denial of Service vulnerabilities were found in the getimagesize()
    function which uses the format-specific internal functions
    php_handle_iff() and php_handle_jpeg() which would get stuck in
    infinite loops when certain (invalid) size parameters are read from
    the image (CVE-2005-0524 and CVE-2005-0525).
    
    An integer overflow was discovered in the exif_process_IFD_TAG()
    function in PHP's EXIF module. EXIF tags with a specially crafted
    'Image File Directory' (IFD) tag would cause a buffer overflow which
    could be exploited to execute arbitrary code with the privileges of
    the PHP server (CVE-2005-1042).
    
    Another vulnerability in the EXIF module was also discovered where
    headers with a large IFD nesting level would cause an unbound
    recursion which would eventually overflow the stack and cause the
    executed program to crash (CVE-2004-1043).
    
    All of these issues are addressed in the Corporate Server 2.1 packages
    and the last three issues for all other platforms, which had
    previously included the first two issues but had not been mentioned in
    MDKSA-2004:151."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64php_common432");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libphp_common432");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-cgi");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php-cli");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:php432-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.1");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/o:mandrakesoft:mandrake_linux:le2005");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/04/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/04/19");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK10.0", cpu:"amd64", reference:"lib64php_common432-4.3.4-4.5.100mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"libphp_common432-4.3.4-4.5.100mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", reference:"php-cgi-4.3.4-4.5.100mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", reference:"php-cli-4.3.4-4.5.100mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", reference:"php432-devel-4.3.4-4.5.100mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK10.1", cpu:"x86_64", reference:"lib64php_common432-4.3.8-3.3.101mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", cpu:"i386", reference:"libphp_common432-4.3.8-3.3.101mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", reference:"php-cgi-4.3.8-3.3.101mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", reference:"php-cli-4.3.8-3.3.101mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", reference:"php432-devel-4.3.8-3.3.101mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK10.2", cpu:"x86_64", reference:"lib64php_common432-4.3.10-7.1.102mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.2", cpu:"i386", reference:"libphp_common432-4.3.10-7.1.102mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.2", reference:"php-cgi-4.3.10-7.1.102mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.2", reference:"php-cli-4.3.10-7.1.102mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.2", reference:"php432-devel-4.3.10-7.1.102mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Windows : Microsoft Bulletins
    NASL id: SMB_NT_MS05-001.NASL
    description: The remote host contains a version of the HTML Help ActiveX control that could allow an attacker to execute arbitrary code on the remote host by constructing a malicious web page and enticing a victim to visit it.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 16123
    published: 2005-01-11
    reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/16123
    title: MS05-001: HTML Help Code Execution (890175)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(16123);
     script_version("1.41");
     script_cvs_date("Date: 2018/11/15 20:50:29");
    
     script_cve_id("CVE-2004-1043");
     script_bugtraq_id(11467);
     script_xref(name:"MSFT", value:"MS05-001");
     script_xref(name:"CERT", value:"972415");
     script_xref(name:"EDB-ID", value:"719");
     script_xref(name:"MSKB", value:"890175");
    
     script_name(english:"MS05-001: HTML Help Code Execution (890175)");
     script_summary(english:"Checks version of Hhctrl.ocx");
    
     script_set_attribute(attribute:"synopsis", value:
    "Arbitrary code can be executed on the remote host through the web
    client.");
     script_set_attribute(attribute:"description", value:
    "The remote host contains a version of the HTML Help ActiveX control
    that could allow an attacker to execute arbitrary code on the remote
    host by constructing a malicious web page and entice a victim to visit
    this web page.");
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-001");
     script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for Windows NT, 2000, XP and
    2003.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2004/11/27");
     script_set_attribute(attribute:"patch_publication_date", value:"2005/01/11");
     script_set_attribute(attribute:"plugin_publication_date", value:"2005/01/11");
    
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
    
     script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows : Microsoft Bulletins");
    
     script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
     script_require_keys("SMB/MS_Bulletin_Checks/Possible");
     script_require_ports(139, 445, 'Host/patch_management_checks');
     exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS05-001';
    kb = '890175';
    
    kbs = make_list(kb);
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(nt:'4,6', win2k:'3,4', xp:'1,2', win2003:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    rootfile = hotfix_get_systemroot();
    if (!rootfile) exit(1, "Failed to get the system root.");
    
    share = hotfix_path2share(path:rootfile);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      hotfix_is_vulnerable(os:"5.2", sp:0, file:"Hhctrl.ocx", version:"5.2.3790.233", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.1", sp:1, file:"Hhctrl.ocx", version:"5.2.3790.233", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.1", sp:2, file:"Hhctrl.ocx", version:"5.2.3790.1280", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.0", file:"Hhctrl.ocx", version:"5.2.3790.233", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"4.0", file:"Hhctrl.ocx", version:"5.2.3790.233", dir:"\system32", bulletin:bulletin, kb:kb)
    )
    {
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    

Oval

  • accepted: 2005-06-01T03:30:00.000-04:00
    class: vulnerability
    contributors:
    • name: Matthew Burton
      organization: The MITRE Corporation
    description: Internet Explorer 6.0 on Windows XP SP2 allows remote attackers to execute arbitrary code by using the "Related Topics" command in the Help ActiveX Control (hhctrl.ocx) to open a Help popup window containing the PCHealth tools.htm file in the local zone and injecting Javascript to be executed, as demonstrated using "writehta.txt" and the ADODB recordset, which saves a .HTA file to the local system, aka the "HTML Help ActiveX control Cross Domain Vulnerability."
    family: windows
    id: oval:org.mitre.oval:def:1349
    status: accepted
    submitted: 2005-03-30T12:00:00.000-04:00
    title: Server 2003 IE HTML Help ActiveX control Cross Domain Vulnerability
    version: 64
  • accepted: 2011-05-16T04:02:10.588-04:00
    class: vulnerability
    contributors:
    • name: Matthew Burton
      organization: The MITRE Corporation
    • name: Brendan Miles
      organization: The MITRE Corporation
    • name: Shane Shaffer
      organization: G2, Inc.
    • name: Sudhir Gandhe
      organization: Telos
    • name: Shane Shaffer
      organization: G2, Inc.
    description: identical to the Summary above
    family: windows
    id: oval:org.mitre.oval:def:1963
    status: accepted
    submitted: 2005-03-30T12:00:00.000-04:00
    title: Windows XP IE HTML Help ActiveX control Cross Domain Vulnerability
    version: 70
  • accepted: 2005-05-04T12:33:00.000-04:00
    class: vulnerability
    contributors:
    • name: Matthew Burton
      organization: The MITRE Corporation
    • name: Matthew Burton
      organization: The MITRE Corporation
    • name: Matthew Burton
      organization: The MITRE Corporation
    description: identical to the Summary above
    family: windows
    id: oval:org.mitre.oval:def:2830
    status: accepted
    submitted: 2005-02-10T12:00:00.000-04:00
    title: Windows 2000 IE HTML Help ActiveX control Cross Domain Vulnerability
    version: 64
  • accepted: 2008-03-24T04:00:29.486-04:00
    class: vulnerability
    contributors:
    • name: Matthew Burton
      organization: The MITRE Corporation
    • name: John Hoyland
      organization: Centennial Software
    • name: Jonathan Baker
      organization: The MITRE Corporation
    definition_extensions:
    • comment: Microsoft Windows NT is installed
      oval: oval:org.mitre.oval:def:36
    description: identical to the Summary above
    family: windows
    id: oval:org.mitre.oval:def:3496
    status: accepted
    submitted: 2005-03-30T12:00:00.000-04:00
    title: Windows NT IE HTML Help ActiveX control Cross Domain Vulnerability
    version: 72

Packetstorm

data source: https://packetstormsecurity.com/files/download/148307/msiehhlz-bypass.txt
id: PACKETSTORM:148307
last seen: 2018-06-27
published: 2018-06-26
reporter: Eduardo Braun Prado
source: https://packetstormsecurity.com/files/148307/Microsoft-Internet-Explorer-HTML-Help-Control-4.74-Bypass.html
title: Microsoft Internet Explorer HTML Help Control 4.74 Bypass