CVE-2005-0063
Published 2005-05-02
Priority: P352, high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 51.68% (98.8th percentile)
The document processing application used by the Windows Shell in Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by modifying the CLSID stored in a file so that it is processed by HTML Application Host (MSHTA), as demonstrated using a Microsoft Word document.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
Detection & IOCs
- Detect files with a modified CLSID that routes document processing to MSHTA (HTML Application Host) instead of the expected handler — a non-.hta file being opened by mshta.exe is highly suspicious.
- Look for files with the OLE Compound Document magic bytes (D0 CF 11 E0 A1 B1 1A E1) that contain embedded HTA/VBScript content — the PoC embeds a VBScript block inside an OLE-structured file.
- Scan for files with unusual or non-standard extensions (e.g., .DDD) that contain OLE compound document structure and embedded script content, as the exploit crafts such files to be executed by double-click.
- Detect the embedded VBScript/HTA pattern '<script language="VBScript">' inside OLE compound document files, which is the payload structure used by this exploit.
- The exploit requires the victim to double-click the crafted file; it is not a drive-by or zero-interaction exploit. The CLSID in the file must be modified to point to MSHTA for the attack to succeed.
- The attacker must supply a separate .hta payload file; the PoC tool (ms05016.exe) wraps it into the malicious compound document. Detection should cover both the wrapper file and the .hta payload.
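The static checks in the list above can be combined into one triage pass. The following is an added example, not code from this page or its sources. It assumes the CLSID in question is the root-storage CLSID in the compound file's directory and that the caller supplies the set of handler CLSIDs it expects; the two CLSIDs and the sample builder are constructed placeholders.

```python
import struct
import uuid

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")    # magic bytes quoted above
SCRIPT_MARKER = b'<script language="vbscript">'  # payload marker quoted above, lowercased

def root_clsid(data):
    """Return the root-storage CLSID of an OLE compound file, or None if not OLE."""
    if len(data) < 512 or data[:8] != OLE_MAGIC:
        return None
    (sector_shift,) = struct.unpack_from("<H", data, 30)
    (first_dir_sector,) = struct.unpack_from("<I", data, 48)
    if sector_shift not in (9, 12):              # 512- or 4096-byte sectors only
        return None
    # Sector n starts at (n + 1) * sector_size. The root entry is the first
    # 128-byte directory entry; its CLSID sits at offset 80 of that entry.
    off = (first_dir_sector + 1) << sector_shift
    if off + 96 > len(data):
        return None
    return uuid.UUID(bytes_le=data[off + 80:off + 96])

def has_script(data):
    """Case-insensitive search for the marker in ASCII and UTF-16LE form."""
    lowered = data.lower()
    return SCRIPT_MARKER in lowered or SCRIPT_MARKER.decode().encode("utf-16-le") in lowered

def triage(data, expected_clsids):
    """Return findings for one file's bytes; an empty list means nothing flagged."""
    clsid = root_clsid(data)
    if clsid is None:
        return []                                # not an OLE compound file
    findings = []
    if clsid not in expected_clsids:
        findings.append(f"unexpected root CLSID {{{clsid}}}")
    if has_script(data):
        findings.append("embedded VBScript block")
    return findings

def make_sample(clsid, tail=b""):
    """Constructed test input: header plus one directory sector, nothing else."""
    header, directory = bytearray(512), bytearray(512)
    header[:8] = OLE_MAGIC
    struct.pack_into("<H", header, 30, 9)        # sector shift: 512-byte sectors
    struct.pack_into("<I", header, 48, 0)        # directory starts in sector 0
    directory[80:96] = clsid.bytes_le
    return bytes(header + directory) + tail

EXPECTED = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed placeholder
OTHER = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")     # constructed placeholder
```

Run `triage` over file bytes regardless of extension, since the crafted files may carry non-standard extensions such as .DDD.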
- http://marc.info/?l=bugtraq&m=111755356016155&w=2
- http://www.idefense.com/application/poi/display?id=231&type=vulnerabilities
- http://www.securiteam.com/exploits/5YP0T0AFFW.html
- http://www.securityfocus.com/bid/13132
- http://www.vupen.com/english/advisories/2005/0335
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-016
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2184
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A3456
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A407
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4710
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A573
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A587