CVE-2005-0555
Published 2005-04-12
Priority: P3 (44) · Severity: high · CVSS 2.0 base score: 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: available
EPSS: 58.36% (99.0th percentile)
Buffer overflow in the Content Advisor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a crafted Content Advisor file, aka "Content Advisor Memory Corruption Vulnerability."
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
Detection & IOCs (extracted from sources)
Bytes: EB 03 5D EB 05 E8 F8 FF FF FF 8B C5 83 C0 11 33
- Malicious Content Advisor .rat file contains a PICS-version header with an oversized 'name' field (~1500 bytes of padding/shellcode) — detect .rat files where the 'name' field exceeds normal length bounds.
- Shellcode is placed at offset 500 within the name field buffer, preceded by a short JMP (\x90\xeb\xFF\x90) at offset 280 and a 4-byte return address at offset 284 — scan .rat files for NOP sleds followed by shellcode patterns in the name field.
- Successful exploitation results in EIP overwritten with 0x41414141 (crash case) or a CALL ESP gadget in wininet.dll — monitor for access violations in msrating.dll with EIP pointing into the stack or at known wininet.dll gadget addresses.
- Attack can be delivered via a malicious website or HTML email through Outlook/Outlook Express — monitor for .rat file downloads or email attachments with PICS-version content.
- Exploitation requires user interaction — the victim must follow steps to install/open the malicious .rat file (double-click), limiting drive-by exploitation.
- The provided return addresses (CALL ESP / JMP ESP gadgets in wininet.dll) are version- and SP-specific to Spanish Windows 2000 builds; offsets will differ on other locales/service packs and must be re-derived.
No detection rules found.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/14922/
- http://www.kb.cert.org/vuls/id/222050
- http://www.us-cert.gov/cas/techalerts/TA05-102A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-020
- https://exchange.xforce.ibmcloud.com/vulnerabilities/19842
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2077
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2786
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A3157
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A3926
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4674