CVE-2004-1049 - Unspecified vulnerability in Microsoft products

Vulnerable Configurations

Part	Description	Count
OS	Microsoft Microsoft Windows NT * Microsoft Windows 2000 * Microsoft Windows XP * Microsoft Windows 2003 Server R2	9

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS05-002.NASL
description	The remote host contains a version of the Windows kernel that is affected by a security flaw in the way that cursors and icons are handled. An attacker may be able to execute arbitrary code on the remote host by constructing a malicious web page and entice a victim to visit this web page. An attacker may send a malicious email to the victim to exploit this flaw too.
last seen	2020-06-01
modified	2020-06-02
plugin id	16124
published	2005-01-11
reporter	This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/16124
title	MS05-002: Cursor and Icon Format Handling Code Execution (891711)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(16124); script_version("1.48"); script_cvs_date("Date: 2018/11/15 20:50:29"); script_cve_id("CVE-2004-1049", "CVE-2004-1305", "CVE-2005-0416"); script_bugtraq_id(12095, 12233); script_xref(name:"MSFT", value:"MS05-002"); script_xref(name:"CERT", value:"625856"); script_xref(name:"CERT", value:"697136"); script_xref(name:"EDB-ID", value:"721"); script_xref(name:"MSKB", value:"891711"); script_name(english:"MS05-002: Cursor and Icon Format Handling Code Execution (891711)"); script_summary(english:"Checks version of User32.dll"); script_set_attribute(attribute:"synopsis", value: "Arbitrary code can be executed on the remote host through the web or email client."); script_set_attribute(attribute:"description", value: "The remote host contains a version of the Windows kernel that is affected by a security flaw in the way that cursors and icons are handled. An attacker may be able to execute arbitrary code on the remote host by constructing a malicious web page and entice a victim to visit this web page. An attacker may send a malicious email to the victim to exploit this flaw too."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-002"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Windows NT, 2000, XP and 2003."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2004/12/20"); script_set_attribute(attribute:"patch_publication_date", value:"2005/01/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/01/11"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc."); script_family(english:"Windows : Microsoft Bulletins"); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("audit.inc"); include("smb_func.inc"); include("smb_hotfixes.inc"); include("smb_hotfixes_fcheck.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS05-002'; kb = '891711'; kbs = make_list(kb); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(nt:'6', win2k:'3,4', xp:'1', win2003:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN); rootfile = hotfix_get_systemroot(); if (!rootfile) exit(1, "Failed to get the system root."); share = hotfix_path2share(path:rootfile); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); if ( hotfix_is_vulnerable(os:"5.2", sp:0, file:"User32.dll", version:"5.2.3790.245", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.1", sp:1, file:"User32.dll", version:"5.1.2600.1617", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.0", file:"User32.dll", version:"5.0.2195.7017", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"4.0", file:"User32.dll", version:"4.0.1381.7342", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"4.0", file:"User32.dll", version:"4.0.1381.33630", min_version:"4.0.1381.33000", dir:"\system32", bulletin:bulletin, kb:kb) ) { set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }

Oval

accepted

2011-05-16T04:02:40.130-04:00

class

vulnerability

contributors

name Christine Walzer
organization The MITRE Corporation
name Jeff Cheng
organization Opsware, Inc.
name Sudhir Gandhe
organization Telos
name Shane Shaffer
organization G2, Inc.

description

Integer overflow in the LoadImage API of the USER32 Lib for Microsoft Windows allows remote attackers to execute arbitrary code via a .bmp, .cur, .ico or .ani file with a large image size field, which leads to a buffer overflow, aka the "Cursor and Icon Format Handling Vulnerability."

family

windows

id

oval:org.mitre.oval:def:2956

status

accepted

submitted

2005-01-14T12:00:00.000-04:00

title

LoadImage Cursor and Icon Format Handling Vulnerability (XP)

version

70

accepted

2008-03-24T04:00:26.990-04:00

class

vulnerability

contributors

name Christine Walzer
organization The MITRE Corporation
name Jeff Cheng
organization Opsware, Inc.
name Jonathan Baker
organization The MITRE Corporation

definition_extensions

comment	Microsoft Windows NT is installed
oval	oval:org.mitre.oval:def:36

description

Integer overflow in the LoadImage API of the USER32 Lib for Microsoft Windows allows remote attackers to execute arbitrary code via a .bmp, .cur, .ico or .ani file with a large image size field, which leads to a buffer overflow, aka the "Cursor and Icon Format Handling Vulnerability."

family

windows

id

oval:org.mitre.oval:def:3097

status

accepted

submitted

2005-01-14T12:00:00.000-04:00

title

LoadImage Cursor and Icon Format Handling Vulnerability (Terminal Server)

version

73

accepted

2007-11-13T12:01:12.066-05:00

class

vulnerability

contributors

name Christine Walzer
organization The MITRE Corporation
name Jeff Cheng
organization Opsware, Inc.

description

Integer overflow in the LoadImage API of the USER32 Lib for Microsoft Windows allows remote attackers to execute arbitrary code via a .bmp, .cur, .ico or .ani file with a large image size field, which leads to a buffer overflow, aka the "Cursor and Icon Format Handling Vulnerability."

family

windows

id

oval:org.mitre.oval:def:3220

status

accepted

submitted

2005-01-14T12:00:00.000-04:00

title

LoadImage Cursor and Icon Format Handling Vulnerability (Server 2003)

version

67

accepted

2008-03-24T04:00:28.971-04:00

class

vulnerability

contributors

name Christine Walzer
organization The MITRE Corporation
name John Hoyland
organization Centennial Software
name Jeff Cheng
organization Opsware, Inc.
name Jonathan Baker
organization The MITRE Corporation

definition_extensions

comment	Microsoft Windows NT is installed
oval	oval:org.mitre.oval:def:36

description

Integer overflow in the LoadImage API of the USER32 Lib for Microsoft Windows allows remote attackers to execute arbitrary code via a .bmp, .cur, .ico or .ani file with a large image size field, which leads to a buffer overflow, aka the "Cursor and Icon Format Handling Vulnerability."

family

windows

id

oval:org.mitre.oval:def:3355

status

accepted

submitted

2005-01-14T12:00:00.000-04:00

title

LoadImage Cursor and Icon Format Handling Vulnerability (NT 4.0)

version

74

accepted

2011-05-16T04:03:02.877-04:00

class

vulnerability

contributors

name Christine Walzer
organization The MITRE Corporation
name Andrew Buttner
organization The MITRE Corporation
name Jeff Cheng
organization Opsware, Inc.
name Shane Shaffer
organization G2, Inc.
name Sudhir Gandhe
organization Telos
name Shane Shaffer
organization G2, Inc.

description

Integer overflow in the LoadImage API of the USER32 Lib for Microsoft Windows allows remote attackers to execute arbitrary code via a .bmp, .cur, .ico or .ani file with a large image size field, which leads to a buffer overflow, aka the "Cursor and Icon Format Handling Vulnerability."

family

windows

id

oval:org.mitre.oval:def:4671

status

accepted

submitted

2005-01-14T12:00:00.000-04:00

title

LoadImage Cursor and Icon Format Handling Vulnerability (Windows 2000)

version

72

Saint

bid	12233
description	Windows Cursor and Icon handling vulnerability
id	win_patch_cursor
osvdb	12842
title	windows_cursor_icon
type	client

Seebug

bulletinFamily	exploit
description	No description provided by source.
id	SSV:8979
last seen	2017-11-19
modified	2008-07-07
published	2008-07-07
reporter	Root
source	https://www.seebug.org/vuldb/ssvid-8979
title	MS Internet Explorer .ANI files handling Downloader Exploit (MS05-002)

bulletinFamily	exploit
description	No description provided by source.
id	SSV:8977
last seen	2017-11-19
modified	2008-07-07
published	2008-07-07
reporter	Root
source	https://www.seebug.org/vuldb/ssvid-8977
title	MS Internet Explorer .ANI files handling Universal Exploit (MS05-002)

Vulnerabilities > CVE-2004-1049 - Unspecified vulnerability in Microsoft products

Summary

Vulnerable Configurations

Nessus

Oval

Saint

Seebug

References