Vulnerabilities > CVE-2005-2829 - Unspecified vulnerability in Microsoft IE and Internet Explorer

047910
CVSS 5.1 - MEDIUM
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
high complexity
microsoft
nessus
NVD
Published: 2005-12-14
Updated: 2021-07-23

Summary

Multiple design errors in Microsoft Internet Explorer 5.01, 5.5, and 6 allow user-assisted attackers to execute arbitrary code by (1) overlaying a malicious new window above a file download box, then (2) using a keyboard shortcut and delaying the display of the file download box until the user hits a shortcut that activates the "Run" button, aka "File Download Dialog Box Manipulation Vulnerability."

Vulnerable Configurations

Part Description Count
Application
Microsoft
4

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS05-054.NASL
descriptionThe remote host is missing IE Cumulative Security Update 905915. The remote version of IE is vulnerable to several flaws that could allow an attacker to execute arbitrary code on the remote host.
last seen2020-06-01
modified2020-06-02
plugin id20299
published2005-12-13
reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/20299
titleMS05-054: Cumulative Security Update for Internet Explorer (905915)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(20299);
 script_version("1.53");
 script_cvs_date("Date: 2018/11/15 20:50:29");

 script_cve_id(
  "CVE-2005-1790",
  "CVE-2005-2829",
  "CVE-2005-2830",
  "CVE-2005-2831",
  "CVE-2006-0057"
 );
 script_bugtraq_id(13799, 15823, 15825, 15827, 16409);
 script_xref(name:"MSFT", value:"MS05-054");
 script_xref(name:"CERT", value:"887861");
 script_xref(name:"CERT", value:"998297");
 script_xref(name:"EDB-ID", value:"18365");
 script_xref(name:"MSKB", value:"905915");

 script_name(english:"MS05-054: Cumulative Security Update for Internet Explorer (905915)");
 script_summary(english:"Determines the presence of update 905915");

 script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host through the web
client.");
 script_set_attribute(attribute:"description", value:
"The remote host is missing IE Cumulative Security Update 905915.

The remote version of IE is vulnerable to several flaws that could allow
an attacker to execute arbitrary code on the remote host.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-054");
 script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2000, XP and
2003.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'MS05-054 Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

 script_set_attribute(attribute:"vuln_publication_date", value:"2005/11/21");
 script_set_attribute(attribute:"patch_publication_date", value:"2005/12/13");
 script_set_attribute(attribute:"plugin_publication_date", value:"2005/12/13");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:ie");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 script_dependencies("smb_hotfixes.nasl","smb_nt_ms05-038.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}


include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS05-054';
kb = '905915';

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(win2k:'4,5', xp:'1,2', win2003:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  hotfix_is_vulnerable(os:"5.2", sp:0, file:"Mshtml.dll", version:"6.0.3790.449", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.2", sp:1, file:"Mshtml.dll", version:"6.0.3790.2577", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:1, file:"Mshtml.dll", version:"6.0.2800.1528", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:2, file:"Mshtml.dll", version:"6.0.2900.2802", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.0", file:"Mshtml.dll", version:"6.0.2800.1528", min_version:"6.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.0", file:"Mshtml.dll", version:"5.0.3835.2200", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

  • accepted2014-02-24T04:00:10.650-05:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameJonathan Baker
      organizationThe MITRE Corporation
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    • nameMaria Mikhno
      organizationALTX-SOFT
    descriptionMultiple design errors in Microsoft Internet Explorer 5.01, 5.5, and 6 allow user-assisted attackers to execute arbitrary code by (1) overlaying a malicious new window above a file download box, then (2) using a keyboard shortcut and delaying the display of the file download box until the user hits a shortcut that activates the "Run" button, aka "File Download Dialog Box Manipulation Vulnerability."
    familywindows
    idoval:org.mitre.oval:def:1209
    statusaccepted
    submitted2005-12-13T12:00:00.000-04:00
    titleServer 2003,SP1 File Download Dialog Box Manipulation Vulnerability
    version71
  • accepted2014-02-24T04:00:15.287-05:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameJonathan Baker
      organizationThe MITRE Corporation
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    • nameMaria Mikhno
      organizationALTX-SOFT
    descriptionMultiple design errors in Microsoft Internet Explorer 5.01, 5.5, and 6 allow user-assisted attackers to execute arbitrary code by (1) overlaying a malicious new window above a file download box, then (2) using a keyboard shortcut and delaying the display of the file download box until the user hits a shortcut that activates the "Run" button, aka "File Download Dialog Box Manipulation Vulnerability."
    familywindows
    idoval:org.mitre.oval:def:1340
    statusaccepted
    submitted2005-12-13T12:00:00.000-04:00
    titleWinXP,SP1 (64-bit) File Download Dialog Box Manipulation Vulnerability
    version71
  • accepted2014-02-24T04:00:17.699-05:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameJonathan Baker
      organizationThe MITRE Corporation
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    • nameMaria Mikhno
      organizationALTX-SOFT
    descriptionMultiple design errors in Microsoft Internet Explorer 5.01, 5.5, and 6 allow user-assisted attackers to execute arbitrary code by (1) overlaying a malicious new window above a file download box, then (2) using a keyboard shortcut and delaying the display of the file download box until the user hits a shortcut that activates the "Run" button, aka "File Download Dialog Box Manipulation Vulnerability."
    familywindows
    idoval:org.mitre.oval:def:1458
    statusaccepted
    submitted2005-12-13T12:00:00.000-04:00
    titleServer 2003 File Download Dialog Box Manipulation Vulnerability
    version70
  • accepted2014-02-24T04:00:18.180-05:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameAnna Min
      organizationBigFix, Inc
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    • nameMaria Mikhno
      organizationALTX-SOFT
    descriptionMultiple design errors in Microsoft Internet Explorer 5.01, 5.5, and 6 allow user-assisted attackers to execute arbitrary code by (1) overlaying a malicious new window above a file download box, then (2) using a keyboard shortcut and delaying the display of the file download box until the user hits a shortcut that activates the "Run" button, aka "File Download Dialog Box Manipulation Vulnerability."
    familywindows
    idoval:org.mitre.oval:def:1490
    statusaccepted
    submitted2005-12-13T12:00:00.000-04:00
    titleWin2K,SP4 File Download Dialog Box Manipulation Vulnerability
    version71
  • accepted2014-02-24T04:00:18.348-05:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    • nameMaria Mikhno
      organizationALTX-SOFT
    descriptionMultiple design errors in Microsoft Internet Explorer 5.01, 5.5, and 6 allow user-assisted attackers to execute arbitrary code by (1) overlaying a malicious new window above a file download box, then (2) using a keyboard shortcut and delaying the display of the file download box until the user hits a shortcut that activates the "Run" button, aka "File Download Dialog Box Manipulation Vulnerability."
    familywindows
    idoval:org.mitre.oval:def:1505
    statusaccepted
    submitted2005-12-13T12:00:00.000-04:00
    titleWin2K/XP,SP1 File Download Dialog Box Manipulation Vulnerability
    version71
  • accepted2014-02-24T04:00:18.684-05:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameJonathan Baker
      organizationThe MITRE Corporation
    • nameDragos Prisaca
      organizationGideon Technologies, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    • nameMaria Mikhno
      organizationALTX-SOFT
    descriptionMultiple design errors in Microsoft Internet Explorer 5.01, 5.5, and 6 allow user-assisted attackers to execute arbitrary code by (1) overlaying a malicious new window above a file download box, then (2) using a keyboard shortcut and delaying the display of the file download box until the user hits a shortcut that activates the "Run" button, aka "File Download Dialog Box Manipulation Vulnerability."
    familywindows
    idoval:org.mitre.oval:def:1507
    statusaccepted
    submitted2005-12-13T12:00:00.000-04:00
    titleWinXP,SP2 File Download Dialog Box Manipulation Vulnerability
    version72

References