CVE-2004-0549
Published 2004-08-06
Priority P269 · critical · 10 (CVSS 2.0)
AV:N/AC:L/Au:N/C:C/I:C/A:C
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 61.06% (99.0th percentile)
The WebBrowser ActiveX control, or the Internet Explorer HTML rendering engine (MSHTML), as used in Internet Explorer 6, allows remote attackers to execute arbitrary code in the Local Security context by using the showModalDialog method and modifying the location to execute code such as Javascript, as demonstrated using (1) delayed HTTP redirect operations, and an HTTP response with a Location: header containing a "URL:" prepended to a "ms-its" protocol URI, or (2) modifying the location attribute of the window, as exploited by the Download.ject (aka Scob aka Toofer) using the ADODB.Stream object.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
Detection & IOCs (extracted from sources)
- Detect use of showModalDialog combined with a vbscript: location reassignment, which is the core exploit primitive for this CVE.
- Monitor HTTP responses whose Location: header value is prefixed with 'URL:' followed by an 'ms-its:' URI, indicating exploitation of the redirect-based attack vector.
- Alert on ActiveXObject instantiation of 'wscript.shell' from within browser script context (MSHTML/WebBrowser control), especially when followed by Run() calls to copy and execute files from UNC paths.
- Detect execScript calls used to inject and execute cross-frame code, a technique used to escape the modal dialog sandbox.
- Hunt for the Download.ject/Scob/Toofer malware family, which exploited this CVE via ADODB.Stream to drop payloads.
- Monitor for insertAdjacentHTML used to inject script content into cross-origin frames, a technique used in the shellscript.js stage of this exploit chain.
- The exploit uses hidden dialog dimensions (dialogTop:-1000, dialogLeft:-1000, height/width of 1) to make the modal dialog invisible to the user; defenders should be aware this technique is designed to evade visual detection.
- The exploit relies on a timed sequence of setTimeout calls (100ms, 101ms, 1000ms) to synchronize cross-frame injection; detection based solely on static content may miss the dynamic execution chain.
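A static check for two of the indicators listed above (the 'URL:'-prefixed ms-its: Location header and the off-screen, one-unit modal dialog), as an added example that is not taken from the sources indexed on this page. The function names, finding labels and sample responses are constructed for illustration.

```python
import re

# Location value wrapped in a literal "URL:" prefix followed by an ms-its: URI.
LOCATION_RE = re.compile(r"^\s*URL:\s*ms-its:", re.IGNORECASE)
MODAL_RE = re.compile(r"showModalDialog\s*\(", re.IGNORECASE)
FEATURE_RE = re.compile(r"dialog(Top|Left|Height|Width)\s*:\s*(-?\d+)", re.IGNORECASE)

def split_response(raw):
    """Return ([(lowercased header name, value)], body) for a raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n")[1:]:            # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers, body

def hidden_dialog(body):
    """True if a showModalDialog call is positioned off-screen or sized <= 1."""
    for m in MODAL_RE.finditer(body):
        window = body[m.end():m.end() + 400]       # features string follows the call
        for key, num in FEATURE_RE.findall(window):
            key, n = key.lower(), int(num)
            if (key in ("top", "left") and n < 0) or (key in ("height", "width") and n <= 1):
                return True
    return False

def scan(raw):
    """Return the labels of the indicators found in one response."""
    headers, body = split_response(raw)
    findings = []
    if any(n == "location" and LOCATION_RE.match(v) for n, v in headers):
        findings.append("location-url-ms-its")
    if hidden_dialog(body):
        findings.append("hidden-modal-dialog")
    return findings

# Constructed sample responses (not captured traffic).
SAMPLE_REDIRECT = "HTTP/1.1 302 Found\r\nLocation: URL:ms-its:PLACEHOLDER\r\n\r\n"
SAMPLE_PAGE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
               "<script>showModalDialog('about:blank', window, "
               "'dialogTop:-1000;dialogLeft:-1000;dialogHeight:1;dialogWidth:1');</script>")
SAMPLE_BENIGN = ("HTTP/1.1 200 OK\r\nLocation: https://example.test/help.html\r\n\r\n"
                 "<script>showModalDialog('help.html', null, "
                 "'dialogHeight:300px;dialogWidth:400px');</script>")

if __name__ == "__main__":
    for sample in (SAMPLE_REDIRECT, SAMPLE_PAGE, SAMPLE_BENIGN):
        print(scan(sample))
```

As the last item in the list says, static matching of this kind does not observe the timed setTimeout chain, so it complements rather than replaces runtime monitoring.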
CVSS provenance
nvd · v2.0 · 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck · 10.0 CRITICAL
GHSA
ghsa_unreviewed·2022-04-29
CVE-2004-0549 [HIGH] GHSA-2hx7-84c2-vv8q: The WebBrowser ActiveX control, or the Internet Explorer HTML rendering engine (MSHTML), as used in Internet Explorer 6, allows remote attackers to ex
VulnCheck
Microsoft Internet Explorer showModalDialog Method Vulnerability
vulncheck·2004·CVSS 10.0
CVE-2004-0549 [CRITICAL] Microsoft Internet Explorer showModalDialog Method Vulnerability
Affected: Microsoft Internet Explorer
Required Action: Apply remediations or mitigations per vendor instructions or discontinue