Vulnerabilities > CVE-2007-3902 - Resource Management Errors vulnerability in Microsoft IE and Internet Explorer

CVSS 9.3 - CRITICAL

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

microsoft

CWE-399

critical

nessus

NVD

Published: 2007-12-12

Updated: 2021-07-23

Summary

Use-after-free vulnerability in the CRecalcProperty function in mshtml.dll in Microsoft Internet Explorer 5.01 through 7 allows remote attackers to execute arbitrary code by calling the setExpression method and then modifying the outerHTML property of an HTML element, one variant of "Uninitialized Memory Corruption Vulnerability."

Vulnerable Configurations

Part	Description	Count
Application	Microsoft Microsoft Internet Explorer 5 Microsoft Internet Explorer 5.2.3 Microsoft Internet Explorer 5.5 Microsoft Internet Explorer 6.0.2600 Microsoft Internet Explorer 6.0.2800 Microsoft Internet Explorer 7.0 Microsoft Internet Explorer 7.0.5730.11 Microsoft Internet Explorer 5.01 Microsoft Internet Explorer 6 Microsoft Internet Explorer 7 Microsoft Internet Explorer 5.1 Microsoft Internet Explorer 6.0 Microsoft Internet Explorer 6.0.2800.1106 Microsoft Internet Explorer 6.0.2900 Microsoft Internet Explorer 6.0.2900.2180 Microsoft IE 5.X Microsoft IE 6.0	30

Common Weakness Enumeration (CWE)

CWE-399 - Resource Management Errors

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS07-069.NASL
description	The remote host is missing the IE cumulative security update 942615. The remote version of IE is vulnerable to several flaws that could allow an attacker to execute arbitrary code on the remote host.
last seen	2020-06-01
modified	2020-06-02
plugin id	29313
published	2007-12-11
reporter	This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/29313
title	MS07-069: Cumulative Security Update for Internet Explorer (942615)
code	# # Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(29313); script_version("1.36"); script_cvs_date("Date: 2018/11/15 20:50:30"); script_cve_id( "CVE-2007-0322", "CVE-2007-3902", "CVE-2007-3903", "CVE-2007-4471", "CVE-2007-5344", "CVE-2007-5347", "CVE-2007-6387" ); script_bugtraq_id(25544, 26427, 26506, 26815, 26816, 26817, 26819); script_xref(name:"MSFT", value:"MS07-069"); script_xref(name:"MSKB", value:"942615"); script_xref(name:"CERT", value:"907481"); script_xref(name:"CERT", value:"979638"); script_xref(name:"EDB-ID", value:"4825"); script_name(english:"MS07-069: Cumulative Security Update for Internet Explorer (942615)"); script_summary(english:"Determines the presence of update 942615"); script_set_attribute(attribute:"synopsis", value: "Arbitrary code can be executed on the remote host through the web client."); script_set_attribute(attribute:"description", value: "The remote host is missing the IE cumulative security update 942615. The remote version of IE is vulnerable to several flaws that could allow an attacker to execute arbitrary code on the remote host."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2007/ms07-069"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-07-073/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-07-074/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-07-075/"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Windows 2000, XP, 2003 and Vista."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(22, 94, 119, 189, 264, 399); script_set_attribute(attribute:"vuln_publication_date", value:"2007/09/04"); script_set_attribute(attribute:"patch_publication_date", value:"2007/12/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/12/11"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:ie"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc."); script_family(english:"Windows : Microsoft Bulletins"); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("audit.inc"); include("smb_hotfixes_fcheck.inc"); include("smb_hotfixes.inc"); include("smb_func.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS07-069'; kb = '942615'; kbs = make_list(kb); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(win2k:'4,5', xp:'2', win2003:'1,2', vista:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN); rootfile = hotfix_get_systemroot(); if (!rootfile) exit(1, "Failed to get the system root."); share = hotfix_path2share(path:rootfile); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); if ( hotfix_is_vulnerable(os:"6.0", sp:0, file:"Mshtml.dll", version:"7.0.6000.20710", min_version:"7.0.6000.20000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"6.0", sp:0, file:"Mshtml.dll", version:"7.0.6000.16587", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.2", sp:1, file:"Mshtml.dll", version:"6.0.3790.3041", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.2", sp:2, file:"Mshtml.dll", version:"6.0.3790.4186", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.2", file:"Mshtml.dll", version:"7.0.6000.20710", min_version:"7.0.6000.20000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.2", file:"Mshtml.dll", version:"7.0.6000.16587", min_version:"7.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.1", sp:2, file:"Mshtml.dll", version:"6.0.2900.3243", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.1", sp:2, file:"Mshtml.dll", version:"7.0.6000.20710", min_version:"7.0.6000.20000", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.1", sp:2, file:"Mshtml.dll", version:"7.0.6000.16587", min_version:"7.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.0", file:"Mshtml.dll", version:"6.0.2800.1605", min_version:"6.0.0.0", dir:"\system32", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.0", file:"Mshtml.dll", version:"5.0.3858.1100", dir:"\system32", bulletin:bulletin, kb:kb) ) { set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }

Oval

accepted

2014-02-24T04:03:19.117-05:00

class

vulnerability

contributors

name Jeff Ito
organization Secure Elements, Inc.
name Chandan S
organization SecPod Technologies
name Maria Mikhno
organization ALTX-SOFT

definition_extensions

comment Microsoft Windows 2000 SP4 or later is installed
oval oval:org.mitre.oval:def:229
comment Microsoft Internet Explorer 5.01 SP4 is installed
oval oval:org.mitre.oval:def:325
comment Microsoft Windows 2000 SP4 or later is installed
oval oval:org.mitre.oval:def:229
comment Microsoft Windows XP SP2 or later is installed
oval oval:org.mitre.oval:def:521
comment Microsoft Internet Explorer 6 is installed
oval oval:org.mitre.oval:def:563
comment Microsoft Windows Server 2003 SP1 (x86) is installed
oval oval:org.mitre.oval:def:565
comment Microsoft Windows Server 2003 (x64) is installed
oval oval:org.mitre.oval:def:730
comment Microsoft Windows Server 2003 SP1 for Itanium is installed
oval oval:org.mitre.oval:def:1205
comment Microsoft Internet Explorer 6 is installed
oval oval:org.mitre.oval:def:563
comment Microsoft Windows Server 2003 SP2 (x86) is installed
oval oval:org.mitre.oval:def:1935
comment Microsoft Windows Server 2003 SP2 (x64) is installed
oval oval:org.mitre.oval:def:2161
comment Microsoft Windows Server 2003 (ia64) SP2 is installed
oval oval:org.mitre.oval:def:1442
comment Microsoft Internet Explorer 6 is installed
oval oval:org.mitre.oval:def:563
comment Microsoft Windows XP SP1 (64-bit) is installed
oval oval:org.mitre.oval:def:480
comment Microsoft Internet Explorer 6 is installed
oval oval:org.mitre.oval:def:563
comment Microsoft Internet Explorer 6 is installed
oval oval:org.mitre.oval:def:563
comment Microsoft Windows XP x64 Edition SP2 is installed
oval oval:org.mitre.oval:def:4193
comment Microsoft Internet Explorer 7 is installed
oval oval:org.mitre.oval:def:627

description

family

windows

oval:org.mitre.oval:def:4582

status

accepted

submitted

2007-12-12T14:22:00

title

Uninitialized Memory Corruption Vulnerability

version

Seebug

bulletinFamily	exploit
description	CVE ID:CVE-2007-3902 CNCVE ID:CNCVE-20073902 Microsoft Internet Explorer是一款流行的WEB浏览器。 Microsoft Internet Explorer处理CRecalcProperty函数存在内存破坏问题，远程攻击者可以利用漏洞以应用程序进程权限执行任意指令。问题存在于mshtml.dll的CRecalcProperty函数中，当在调用setExpressio方法后渲染HTML，之后跟随编程化建立元素的outerHTML属性的修改，有问题代码会引用之前释放的内存地址而导致代码执行。 Microsoft Internet Explorer 6.0 SP1 Microsoft Internet Explorer 6.0 - Citrix ICA Client for Windows 4.0 SP6a - Microsoft Windows 2000 Advanced Server SP2 - Microsoft Windows 2000 Advanced Server SP2 - Microsoft Windows 2000 Advanced Server SP1 - Microsoft Windows 2000 Advanced Server SP1 - Microsoft Windows 2000 Advanced Server - Microsoft Windows 2000 Advanced Server - Microsoft Windows 2000 Datacenter Server SP2 - Microsoft Windows 2000 Datacenter Server SP2 - Microsoft Windows 2000 Datacenter Server SP1 - Microsoft Windows 2000 Datacenter Server SP1 - Microsoft Windows 2000 Datacenter Server - Microsoft Windows 2000 Datacenter Server - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional - Microsoft Windows 2000 Professional - Microsoft Windows 2000 Server SP2 - Microsoft Windows 2000 Server SP2 - Microsoft Windows 2000 Server SP1 - Microsoft Windows 2000 Server SP1 - Microsoft Windows 2000 Server - Microsoft Windows 2000 Server - Microsoft Windows 2000 Terminal Services SP2 - Microsoft Windows 2000 Terminal Services SP2 - Microsoft Windows 2000 Terminal Services SP1 - Microsoft Windows 2000 Terminal Services SP1 - Microsoft Windows 2000 Terminal Services - Microsoft Windows 2000 Terminal Services - Microsoft Windows 98 - Microsoft Windows 98 - Microsoft Windows 98SE - Microsoft Windows 98SE - Microsoft Windows ME - Microsoft Windows ME - Microsoft Windows NT 4.0 SP6a - Microsoft Windows NT Enterprise Server 4.0 SP6a - Microsoft Windows NT Enterprise Server 4.0 SP6a - Microsoft Windows NT Server 4.0 SP6a - Microsoft Windows NT Server 4.0 SP6a - Microsoft Windows NT Workstation 4.0 SP6a - Microsoft Windows NT Workstation 4.0 SP6a + Microsoft Windows Server 2003 Datacenter Edition + Microsoft Windows Server 2003 Datacenter Edition + Microsoft Windows Server 2003 Datacenter Edition Itanium 0 + Microsoft Windows Server 2003 Enterprise Edition + Microsoft Windows Server 2003 Enterprise Edition + Microsoft Windows Server 2003 Enterprise Edition Itanium 0 + Microsoft Windows Server 2003 Enterprise Edition Itanium 0 + Microsoft Windows Server 2003 Standard Edition + Microsoft Windows Server 2003 Standard Edition + Microsoft Windows Server 2003 Web Edition + Microsoft Windows Server 2003 Web Edition + Microsoft Windows XP Home + Microsoft Windows XP Home + Microsoft Windows XP Professional + Microsoft Windows XP Professional Microsoft Internet Explorer 7.0 + Microsoft Windows Vista Ultimate + Microsoft Windows Vista Ultimate + Microsoft Windows Vista Ultimate + Microsoft Windows Vista Home Premium + Microsoft Windows Vista Home Premium + Microsoft Windows Vista Home Premium + Microsoft Windows Vista Home Basic + Microsoft Windows Vista Home Basic + Microsoft Windows Vista Home Basic + Microsoft Windows Vista Enterprise + Microsoft Windows Vista Enterprise + Microsoft Windows Vista Enterprise + Microsoft Windows Vista Business + Microsoft Windows Vista Business + Microsoft Windows Vista Business + Microsoft Windows Vista 0 + Microsoft Windows Vista 0 + Microsoft Windows Vista 0 + Microsoft Windows Vista 0 补丁安装： Microsoft Internet Explorer 6.0 SP1 Microsoft IE6.0sp1-KB942615-Windows2000-x86-ENU.exe <a href=http://www.microsoft.com/downloads/details.aspx?FamilyId=BC8EDF05-262A target=_blank>http://www.microsoft.com/downloads/details.aspx?FamilyId=BC8EDF05-262A</a> -4D1D-B196-4FC1A844970C&displaylang=en Microsoft WindowsXP-KB942615-x86-ENU.exe <a href=http://www.microsoft.com/downloads/details.aspx?FamilyId=6E4EBAFC-34C3 target=_blank>http://www.microsoft.com/downloads/details.aspx?FamilyId=6E4EBAFC-34C3</a> -4DC7-B712-152C611D3F0A&displaylang=en Microsoft Internet Explorer 6.0 Microsoft WindowsServer2003-KB942615-ia64-ENU.exe <a href=http://www.microsoft.com/downloads/details.aspx?FamilyId=B3F390A6-0361 target=_blank>http://www.microsoft.com/downloads/details.aspx?FamilyId=B3F390A6-0361</a> -4553-B627-5E7AD6BF5055&displaylang=en Microsoft WindowsServer2003-KB942615-x86-ENU.exe <a href=http://www.microsoft.com/downloads/details.aspx?FamilyId=BF466060-A585 target=_blank>http://www.microsoft.com/downloads/details.aspx?FamilyId=BF466060-A585</a> -4C2E-A48D-70E080C3BBE7&displaylang=en Microsoft WindowsServer2003.WindowsXP-KB942615-x64-ENU.exe <a href=http://www.microsoft.com/downloads/details.aspx?FamilyId=074697F2-18C8 target=_blank>http://www.microsoft.com/downloads/details.aspx?FamilyId=074697F2-18C8</a> -4521-BBF7-1D0E7395D27D&displaylang=en Microsoft WindowsServer2003.WindowsXP-KB942615-x64-ENU.exe <a href=http://www.microsoft.com/downloads/details.aspx?FamilyId=F5A5AF23-30FB target=_blank>http://www.microsoft.com/downloads/details.aspx?FamilyId=F5A5AF23-30FB</a> -4E47-94BD-3B05B55C92F2 Microsoft WindowsXP-KB942615-x86-ENU.exe <a href=http://www.microsoft.com/downloads/details.aspx?FamilyId=6E4EBAFC-34C3 target=_blank>http://www.microsoft.com/downloads/details.aspx?FamilyId=6E4EBAFC-34C3</a> -4DC7-B712-152C611D3F0A&displaylang=en
id	SSV:2592
last seen	2017-11-19
modified	2007-12-13
published	2007-12-13
reporter	Root
title	Microsoft Internet Explorer setExpression远程代码漏洞

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Nessus

Oval

Seebug

References