Vulnerabilities > CVE-2007-1749 - Unspecified vulnerability in Microsoft Internet Explorer 5.01/6/7

CVSS 9.3 - CRITICAL

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

microsoft

critical

nessus

exploit available

NVD

Published: 2007-08-14

Updated: 2021-07-23

Summary

Integer underflow in the CDownloadSink class code in the Vector Markup Language (VML) component (VGX.DLL), as used in Internet Explorer 5.01, 6, and 7 allows remote attackers to execute arbitrary code via compressed content with an invalid buffer size, which triggers a heap-based buffer overflow.

Vulnerable Configurations

Part	Description	Count
Application	Microsoft Microsoft Internet Explorer 7 Microsoft Internet Explorer 5.01 Microsoft Internet Explorer 6	3

Exploit-Db

description	Microsoft Internet Explorer 5.0.1 Vector Markup Language VGX.DLL Remote Buffer Overflow Vulnerability. CVE-2007-1749. Dos exploit for windows platform
id	EDB-ID:30494
last seen	2016-02-03
modified	2007-08-14
published	2007-08-14
reporter	Ben Nagy and Derek Soeder
source	https://www.exploit-db.com/download/30494/
title	Microsoft Internet Explorer 5.0.1 Vector Markup Language VGX.DLL Remote Buffer Overflow Vulnerability

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS07-050.NASL
description	The remote host is running a version of Internet Explorer or Outlook Express with a bug in the Vector Markup Language (VML) handling routine that may allow an attacker execute arbitrary code on the remote host by sending a specially crafted email or by luring a user on the remote host into visiting a rogue website.
last seen	2020-06-01
modified	2020-06-02
plugin id	25886
published	2007-08-14
reporter	This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/25886
title	MS07-050: Vulnerability in Vector Markup Language Could Allow Remote Code Execution (938127)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(25886); script_version("1.35"); script_cvs_date("Date: 2018/11/15 20:50:30"); script_cve_id("CVE-2007-1749"); script_bugtraq_id(25310); script_xref(name:"IAVA", value:"2007-A-0045"); script_xref(name:"MSFT", value:"MS07-050"); script_xref(name:"MSKB", value:"938127"); script_xref(name:"CERT", value:"468800"); script_xref(name:"EDB-ID", value:"30494"); script_name(english:"MS07-050: Vulnerability in Vector Markup Language Could Allow Remote Code Execution (938127)"); script_summary(english:"Determines the presence of update 938127"); script_set_attribute(attribute:"synopsis", value: "Arbitrary code can be executed on the remote host through the email client or the web browser."); script_set_attribute(attribute:"description", value: "The remote host is running a version of Internet Explorer or Outlook Express with a bug in the Vector Markup Language (VML) handling routine that may allow an attacker execute arbitrary code on the remote host by sending a specially crafted email or by luring a user on the remote host into visiting a rogue website."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2007/ms07-050"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Windows 2000, XP, 2003 and Vista."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2007/08/14"); script_set_attribute(attribute:"patch_publication_date", value:"2007/08/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/08/14"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:ie"); script_set_attribute(attribute:"stig_severity", value:"II"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc."); script_family(english:"Windows : Microsoft Bulletins"); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("audit.inc"); include("smb_hotfixes_fcheck.inc"); include("smb_hotfixes.inc"); include("smb_func.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS07-050'; kb = '938127'; kbs = make_list(kb); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(win2k:'4,5', xp:'2,3', win2003:'1,2', vista:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN); dir = hotfix_get_commonfilesdir(); if (!dir) exit(1, "Failed to get the Common Files directory."); share = hotfix_path2share(path:dir); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); if ( hotfix_is_vulnerable(os:"6.0", sp:0, file:"Vgx.dll", version:"7.0.6000.16513", dir:"\Microsoft Shared\VGX", path:dir, bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.0", sp:0, file:"Vgx.dll", version:"7.0.6000.20628", min_version:"7.0.6000.20000", dir:"\Microsoft Shared\VGX", path:dir, bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.2", sp:1, arch:"x86", file:"Vgx.dll", version:"6.0.3790.2963", dir:"\Microsoft Shared\VGX", path:dir, bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.2", sp:2, arch:"x86", file:"Vgx.dll", version:"6.0.3790.4107", dir:"\Microsoft Shared\VGX", path:dir, bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.2", sp:2, arch:"x86", file:"Vgx.dll", version:"6.0.3790.4106", dir:"\Microsoft Shared\VGX", path:dir, bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.2", file:"Vgx.dll", version:"7.0.6000.20628", min_version:"7.0.0.0", dir:"\Microsoft Shared\VGX", path:dir, bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.1", sp:2, file:"Vgx.dll", version:"6.0.2900.3164", dir:"\Microsoft Shared\VGX", path:dir, bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.1", sp:2, file:"Vgx.dll", version:"7.0.6000.20628", min_version:"7.0.0.0", dir:"\Microsoft Shared\VGX", path:dir, bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.1", sp:3, file:"Vgx.dll", version:"7.0.6000.20628", min_version:"7.0.0.0", dir:"\Microsoft Shared\VGX", path:dir, bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.0", file:"Vgx.dll", version:"6.0.2800.1599", min_version:"6.0.0.0", dir:"\Microsoft Shared\VGX", path:dir, bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.0", file:"Vgx.dll", version:"5.0.3854.2500", dir:"\Microsoft Shared\VGX", path:dir, bulletin:bulletin, kb:kb) ) { set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }

Oval

accepted

2014-02-24T04:00:23.873-05:00

class

vulnerability

contributors

name Robert L. Hollis
organization ThreatGuard, Inc.
name Jeff Cheng
organization Opsware, Inc.
name Jeff Cheng
organization Opsware, Inc.
name Jeff Cheng
organization Opsware, Inc.
name Jeff Cheng
organization Opsware, Inc.
name Jeff Cheng
organization Opsware, Inc.
name Jeff Cheng
organization Opsware, Inc.
name Jeff Cheng
organization Opsware, Inc.
name Clifford Farrugia
organization GFI Software
name Chandan S
organization SecPod Technologies
name Maria Mikhno
organization ALTX-SOFT

definition_extensions

comment Microsoft Windows 2000 SP4 or later is installed
oval oval:org.mitre.oval:def:229
comment Microsoft Internet Explorer 5.01 SP4 is installed
oval oval:org.mitre.oval:def:325
comment Microsoft Windows 2000 SP4 or later is installed
oval oval:org.mitre.oval:def:229
comment Microsoft Windows XP SP2 or later is installed
oval oval:org.mitre.oval:def:521
comment Microsoft Internet Explorer 6 is installed
oval oval:org.mitre.oval:def:563
comment Microsoft Windows XP SP2 or later is installed
oval oval:org.mitre.oval:def:521
comment Microsoft Internet Explorer 7 is installed
oval oval:org.mitre.oval:def:627
comment Microsoft Windows XP SP1 (64-bit) is installed
oval oval:org.mitre.oval:def:480
comment Microsoft Internet Explorer 6 is installed
oval oval:org.mitre.oval:def:563
comment Microsoft Internet Explorer 6 is installed
oval oval:org.mitre.oval:def:563
comment Microsoft Windows XP x64 Edition SP2 is installed
oval oval:org.mitre.oval:def:4193
comment Microsoft Windows XP SP1 (64-bit) is installed
oval oval:org.mitre.oval:def:480
comment Microsoft Windows XP x64 Edition SP2 is installed
oval oval:org.mitre.oval:def:4193
comment Microsoft Internet Explorer 7 is installed
oval oval:org.mitre.oval:def:627
comment Microsoft Windows Server 2003 SP1 (x86) is installed
oval oval:org.mitre.oval:def:565
comment Microsoft Windows Server 2003 (x64) is installed
oval oval:org.mitre.oval:def:730
comment Microsoft Windows Server 2003 SP1 for Itanium is installed
oval oval:org.mitre.oval:def:1205
comment Microsoft Internet Explorer 6 is installed
oval oval:org.mitre.oval:def:563
comment Microsoft Windows Server 2003 SP2 (x86) is installed
oval oval:org.mitre.oval:def:1935
comment Microsoft Windows Server 2003 SP2 (x64) is installed
oval oval:org.mitre.oval:def:2161
comment Microsoft Windows Server 2003 (ia64) SP2 is installed
oval oval:org.mitre.oval:def:1442
comment Microsoft Internet Explorer 6 is installed
oval oval:org.mitre.oval:def:563
comment Microsoft Windows Server 2003 SP1 (x86) is installed
oval oval:org.mitre.oval:def:565
comment Microsoft Windows Server 2003 SP2 (x86) is installed
oval oval:org.mitre.oval:def:1935
comment Microsoft Internet Explorer 7 is installed
oval oval:org.mitre.oval:def:627
comment Microsoft Windows Vista is installed
oval oval:org.mitre.oval:def:228
comment Microsoft Internet Explorer 7 is installed
oval oval:org.mitre.oval:def:627

description

family

windows

oval:org.mitre.oval:def:1784

status

accepted

submitted

2007-08-15T09:28:35

title

VML Buffer Overrun Vulnerability

version

Seebug

bulletinFamily	exploit
description	BUGTRAQ ID: 25310 CVE(CAN) ID: CVE-2007-1749 Internet Explorer是微软发布的非常流行的WEB浏览器。 IE的VML在处理压缩的数据时存在缓冲区溢出漏洞，远程攻击者可能利用此漏洞控制用户系统。 VGX.DLL是IE中负责渲染VML的组件，该组件中的CDownloadSink类实现处理从VML中内嵌URL所下载的数据。例如，以下VML会下载由VGX.DLL!CDownloadSink::OnDataAvailable处理的额外内容： <v:rect> <v:imagedata src="http://malice/compressed.emz"> </v:rect> 由于在处理压缩内容时错误的报告了缓冲区大小，VGX.DLL!CDownloadSink::OnDataAvailable中存在整数溢出漏洞，最终会导致URLMON.DLL!CMimeFt::SmartRead溢出堆缓冲区。传送到CDownloadSink::OnDataAvailable的第二个参数（[EBP+10h]）是接收到所有原始压缩数据的整个长度，但函数在计算将要传送给URLMON.DLL!CReadOnlyStreamDirect::Read的读取限制时会从原始数据的整个长度减去缓冲区中非压缩数据的整个长度。如果未压缩的数据大于压缩数据的话，就会出现整数下溢，导致将很大的值（大约4GB）用作读取限制。如果之后读取的数据数量超过了缓冲区中未使用空间的数量，就会导致堆溢出。利用这个漏洞要求至少调用两次CDownloadSink::OnDataAvailable，一次用一些非0长度的未压缩数据加载缓冲区，另一次导致溢出，因此必须分别独立的接收压缩数据。但这种接收数据的方式可能是合法的，因此即使合法的站点也可能触发非恶意的堆溢出。 Microsoft Internet Explorer 7.0 Microsoft Internet Explorer 6.0 SP1 Microsoft Internet Explorer 6.0 Microsoft Internet Explorer 5.01 临时解决方法： * 注销VGX.DLL 1. 依次单击“开始”、“运行”，键入"%SystemRoot%\System32\regsvr32.exe" -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"，然后单击“确定”。 2. 此时将出现一个对话框，确认注销过程已成功完成。单击“确定”关闭对话框。 * 将Internet和本地Intranet安全区设置为“高”以在运行ActiveX控件和活动脚本之前要求提示。厂商补丁： Microsoft --------- Microsoft已经为此发布了一个安全公告（MS07-050）以及相应补丁: MS07-050：Vulnerability in Vector Markup Language Could Allow Remote Code Execution (938127) 链接：<a href="http://www.microsoft.com/technet/security/Bulletin/MS07-050.mspx?pf=true" target="_blank">http://www.microsoft.com/technet/security/Bulletin/MS07-050.mspx?pf=true</a>
id	SSV:2123
last seen	2017-11-19
modified	2007-08-17
published	2007-08-17
reporter	Root
title	Microsoft IE向量标记语言VGX.DLL远程堆溢出漏洞（MS07-050）

Summary

Vulnerable Configurations

Exploit-Db

Nessus

Oval

Seebug

References