Vulnerabilities > CVE-2004-1050
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Heap-based buffer overflow in Internet Explorer 6 allows remote attackers to execute arbitrary code via long (1) SRC or (2) NAME attributes in IFRAME, FRAME, and EMBED elements, as originally discovered using the mangleme utility, aka "the IFRAME vulnerability" or the "HTML Elements Vulnerability."
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 8 | |
| Application | 2 | |
| Hardware | Avaya
| 17 |
| OS | 1 |
Exploit-Db
| description | MS Internet Explorer (IFRAME Tag) Buffer Overflow Exploit. CVE-2004-1050. Remote exploit for windows platform |
| id | EDB-ID:612 |
| last seen | 2016-01-31 |
| modified | 2004-11-02 |
| published | 2004-11-02 |
| reporter | Skylined |
| source | https://www.exploit-db.com/download/612/ |
| title | Microsoft Internet Explorer 6 - IFRAME Tag Buffer Overflow Exploit |
Nessus
NASL family Backdoors NASL id BOFRA_DETECT.NASL description The remote host seems to have been infected with the Bofra worm or one of its variants, which infects machines via an Internet Explorer IFRAME exploit. It is very likely this system has been compromised. last seen 2020-06-02 modified 2004-11-17 plugin id 15746 published 2004-11-17 reporter This script is Copyright (C) 2004-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/15746 title Microsoft IE FRAME/IFRAME/EMBED Tag Overflow (Bofra Worm Detection) code # # Bofra virus detection # # Author: Brian Smith-Sweeney ([email protected]) # http://www.smithsweeney.com # # Created: 11/15/04 # Last Updated: 11/15/04 # # See the Nessus Scripts License for details # include("compat.inc"); if (description) { script_id(15746); script_version("1.24"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/01"); script_cve_id("CVE-2004-1050"); script_bugtraq_id(11515); script_name(english:"Microsoft IE FRAME/IFRAME/EMBED Tag Overflow (Bofra Worm Detection)"); script_summary(english:"Determines the presence of a Bofra worm infection resulting from an IFRAME exploit"); script_set_attribute(attribute:"synopsis", value:"The remote host is infected with a worm."); script_set_attribute(attribute:"description", value: "The remote host seems to have been infected with the Bofra worm or one of its variants, which infects machines via an Internet Explorer IFRAME exploit. It is very likely this system has been compromised."); script_set_attribute(attribute:"solution", value: "Verify that the remote system has been compromised, and re-install if necessary."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); # http://www.symantec.com/security_response/writeup.jsp?docid=2004-111113-3948-99 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?15ea74a4"); script_set_attribute(attribute:"vuln_publication_date", value:"2004/10/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/11/17"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Backdoors"); script_dependencies('http_version.nasl'); script_require_ports(1639); exit(0); } # # User-defined variables # # This is where we saw Bofra; YMMV port=1639; # # End user-defined variables; you should not have to touch anything below this # # Get the appropriate http functions include("global_settings.inc"); include("http_func.inc"); include("http_keepalive.inc"); if ( ! get_port_state ( port ) ) exit(0); # Prep & send the http get request, quit if you get no answer req = http_get(item:"/reactor",port:port); res = http_keepalive_send_recv(port:port, data:req); if ( res == NULL ) exit(0); hex_res=hexstr(res); if ("3c0049004600520041004d00450020005300520043003d00660069006c0065003a002f002f00" >< hex_res ) security_hole(port); else { if (egrep(pattern:"<IFRAME SRC=file://",string:res)){ security_hole(port); } }NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS04-040.NASL description The remote host is running a version of Internet Explorer 6 SP1 that could allow an attacker to execute arbitrary code on the remote host. To exploit this flaw, an attacker would need to lure a victim on the remote system into visiting a rogue website. last seen 2020-06-01 modified 2020-06-02 plugin id 15894 published 2004-12-01 reporter This script is Copyright (C) 2004-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15894 title MS04-040: Cumulative Security Update for Internet Explorer (889293)
Oval
| accepted | 2014-02-24T04:00:13.078-05:00 | ||||||||||||||||||||||||||||
| class | vulnerability | ||||||||||||||||||||||||||||
| contributors |
| ||||||||||||||||||||||||||||
| description | Heap-based buffer overflow in Internet Explorer 6 allows remote attackers to execute arbitrary code via long (1) SRC or (2) NAME attributes in IFRAME, FRAME, and EMBED elements, as originally discovered using the mangleme utility, aka "the IFRAME vulnerability" or the "HTML Elements Vulnerability." | ||||||||||||||||||||||||||||
| family | windows | ||||||||||||||||||||||||||||
| id | oval:org.mitre.oval:def:1294 | ||||||||||||||||||||||||||||
| status | accepted | ||||||||||||||||||||||||||||
| submitted | 2005-01-05T05:00:00.000-04:00 | ||||||||||||||||||||||||||||
| title | IFRAME Vulnerability | ||||||||||||||||||||||||||||
| version | 11 |
Saint
| bid | 11515 |
| description | Internet Explorer IFRAME buffer overflow |
| id | win_patch_ie_srcbo |
| osvdb | 11337 |
| title | ie_iframe |
| type | client |
References
- http://www.securityfocus.com/bid/11515
- http://www.kb.cert.org/vuls/id/842160
- http://lists.grok.org.uk/pipermail/full-disclosure/2004-October/028009.html
- http://lists.grok.org.uk/pipermail/full-disclosure/2004-October/028035.html
- http://www.securityfocus.com/archive/1/379261
- http://www.us-cert.gov/cas/techalerts/TA04-315A.html
- http://www.us-cert.gov/cas/techalerts/TA04-336A.html
- http://secunia.com/advisories/12959/
- http://marc.info/?l=bugtraq&m=109942758911846&w=2
- https://exchange.xforce.ibmcloud.com/vulnerabilities/17889
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1294
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2004/ms04-040