Vulnerabilities > CVE-2004-1050

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
Tags: network, low complexity, avaya, microsoft, critical, nessus, exploit available

Summary

Heap-based buffer overflow in Internet Explorer 6 allows remote attackers to execute arbitrary code via long (1) SRC or (2) NAME attributes in IFRAME, FRAME, and EMBED elements, as originally discovered using the mangleme utility, aka "the IFRAME vulnerability" or the "HTML Elements Vulnerability."

Exploit-Db

description: MS Internet Explorer (IFRAME Tag) Buffer Overflow Exploit. CVE-2004-1050. Remote exploit for windows platform
id: EDB-ID:612
last seen: 2016-01-31
modified: 2004-11-02
published: 2004-11-02
reporter: Skylined
source: https://www.exploit-db.com/download/612/
title: Microsoft Internet Explorer 6 - IFRAME Tag Buffer Overflow Exploit

Nessus

  • NASL family: Backdoors
    NASL id: BOFRA_DETECT.NASL
    description: The remote host seems to have been infected with the Bofra worm or one of its variants, which infects machines via an Internet Explorer IFRAME exploit. It is very likely this system has been compromised.
    last seen: 2020-06-02
    modified: 2004-11-17
    plugin id: 15746
    published: 2004-11-17
    reporter: This script is Copyright (C) 2004-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/15746
    title: Microsoft IE FRAME/IFRAME/EMBED Tag Overflow (Bofra Worm Detection)
    code:
    #
    # Bofra virus detection
    #
    # Author: Brian Smith-Sweeney ([email protected])
    # http://www.smithsweeney.com
    #
    # Created: 11/15/04
    # Last Updated: 11/15/04
    #
    # See the Nessus Scripts License for details
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(15746);
      script_version("1.24");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/01");
    
      script_cve_id("CVE-2004-1050");
      script_bugtraq_id(11515);
    
      script_name(english:"Microsoft IE FRAME/IFRAME/EMBED Tag Overflow (Bofra Worm Detection)");
      script_summary(english:"Determines the presence of a Bofra worm infection resulting from an IFRAME exploit");
    
      script_set_attribute(attribute:"synopsis", value:"The remote host is infected with a worm.");
      script_set_attribute(attribute:"description", value:
    "The remote host seems to have been infected with the Bofra worm or one
    of its variants, which infects machines via an Internet Explorer IFRAME
    exploit.  It is very likely this system has been compromised.");
      script_set_attribute(attribute:"solution", value:
    "Verify that the remote system has been compromised, and re-install if
    necessary.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      # http://www.symantec.com/security_response/writeup.jsp?docid=2004-111113-3948-99
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?15ea74a4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/10/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/11/17");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Backdoors");
    
      script_dependencies('http_version.nasl');
      script_require_ports(1639);
      exit(0);
    }
    
    #
    # User-defined variables
    #
    # This is where we saw Bofra; YMMV
    port=1639;
    
    #
    # End user-defined variables; you should not have to touch anything below this
    #
    
    # Get the appropriate http functions
    include("global_settings.inc");
    include("http_func.inc");
    include("http_keepalive.inc");
    
    
    if ( ! get_port_state ( port ) ) exit(0);
    
    # Prep & send the http get request, quit if you get no answer.
    # An infected host serves the worm's own web page on the port above;
    # the page carries the IFRAME tag that triggers the overflow in IE.
    req = http_get(item:"/reactor",port:port);
    res = http_keepalive_send_recv(port:port, data:req);
    if ( res == NULL ) exit(0);
    hex_res=hexstr(res);
    # The hex string below is "<IFRAME SRC=file://" encoded as UTF-16LE
    # (each ASCII byte followed by 0x00), so the check matches a page
    # served in that encoding; the egrep branch matches the plain-ASCII form.
    if ("3c0049004600520041004d00450020005300520043003d00660069006c0065003a002f002f00" >< hex_res )
    	security_hole(port);
    else {
    	if (egrep(pattern:"<IFRAME SRC=file://",string:res)){
    		security_hole(port);
    	}
    }
    
  • NASL family: Windows : Microsoft Bulletins
    NASL id: SMB_NT_MS04-040.NASL
    description: The remote host is running a version of Internet Explorer 6 SP1 that could allow an attacker to execute arbitrary code on the remote host. To exploit this flaw, an attacker would need to lure a victim on the remote system into visiting a rogue website.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15894
    published: 2004-12-01
    reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/15894
    title: MS04-040: Cumulative Security Update for Internet Explorer (889293)

Oval

accepted: 2014-02-24T04:00:13.078-05:00
class: vulnerability
contributors:
  • name: Ingrid Skoog
    organization: The MITRE Corporation
  • name: Ingrid Skoog
    organization: The MITRE Corporation
  • name: Christine Walzer
    organization: The MITRE Corporation
  • name: Matthew Wojcik
    organization: The MITRE Corporation
  • name: Robert L. Hollis
    organization: ThreatGuard, Inc.
  • name: Robert L. Hollis
    organization: ThreatGuard, Inc.
  • name: Maria Mikhno
    organization: ALTX-SOFT
description: Heap-based buffer overflow in Internet Explorer 6 allows remote attackers to execute arbitrary code via long (1) SRC or (2) NAME attributes in IFRAME, FRAME, and EMBED elements, as originally discovered using the mangleme utility, aka "the IFRAME vulnerability" or the "HTML Elements Vulnerability."
family: windows
id: oval:org.mitre.oval:def:1294
status: accepted
submitted: 2005-01-05T05:00:00.000-04:00
title: IFRAME Vulnerability
version: 11

Saint

bid: 11515
description: Internet Explorer IFRAME buffer overflow
id: win_patch_ie_srcbo
osvdb: 11337
title: ie_iframe
type: client