CVE-2005-1790
Published: 2005-06-01
Priority: P3 (59), low
CVSS 2.0: 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
ITW / Exploit: VulnCheck KEV, exploited in the wild
EPSS: 83.47% (99.6th percentile)
Microsoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106, and earlier versions, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a Javascript BODY onload event that calls the window function, aka "Mismatched Document Object Model Objects Memory Corruption Vulnerability."
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
Detection & IOCs (extracted from sources)
- Detect exploit delivery by matching HTTP responses containing both a JavaScript 'onLoad' handler invoking 'window()' and multiple iframe elements used for heap spray via prompt() calls.
- Flag HTTP responses with 'Pragma: no-cache' and 'Content-Type: text/html' that also contain obfuscated JavaScript heap spray patterns (repeated unescape() calls with NOP sleds) targeting Internet Explorer 6.
- Inspect User-Agent strings for 'MSIE 6.0' combined with 'Windows NT 5.1' or 'Windows NT 5.0', as the exploit auto-targets these combinations and will only proceed against them.
- Monitor for iexplore.exe spawning child processes shortly after page load, consistent with the Metasploit post-exploitation 'migrate -f' auto-run script executing after successful shellcode delivery.
- Detect the heap spray pattern: JavaScript using unescape() to build large NOP sled blocks with a 20-byte headersize prepended, characteristic of this exploit's two-stage heap spray technique.
- Alert on pages that open popup windows containing multiple hidden iframes (4 for XP targets, 8 for Windows 2000 targets) used to place shellcode return addresses via prompt() calls.
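The response-side indicators in the list above, combined into one scoring function. This is an added example written for this page, not a rule from any of the indexed sources; the pattern names, the thresholds (4 iframes, 2 prompt() calls, 2 unescape() sleds) and the fixtures are this example's own assumptions.

```python
import re

# Indicator patterns derived from the detection notes above. Names, thresholds
# and the sample fixtures below are this example's assumptions, not vendor rules.
ONLOAD_WINDOW = re.compile(r"onload\s*=\s*[\"']?\s*window\s*\(\s*\)", re.I)
IFRAME_TAG = re.compile(r"<iframe\b", re.I)
PROMPT_CALL = re.compile(r"\bprompt\s*\(", re.I)
UNESCAPE_SLED = re.compile(r"unescape\s*\(\s*[\"'](?:%u[0-9a-f]{4}){4,}", re.I)
IE6_TARGET = re.compile(r"MSIE 6\.0;[^)]*Windows NT 5\.[01]")


def score_response(headers: dict, body: str, user_agent: str = "") -> dict:
    """Evaluate one HTTP response (plus the requesting UA) against the indicators.

    Returns each indicator's hit status and an overall 'alert' flag that fires
    only when the onLoad/window() trigger is combined with either the
    multi-iframe prompt() layout or repeated unescape()-built sleds.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    hits = {
        "onload_window": bool(ONLOAD_WINDOW.search(body)),
        "multi_iframe": len(IFRAME_TAG.findall(body)) >= 4,
        "prompt_calls": len(PROMPT_CALL.findall(body)) >= 2,
        "unescape_sled": len(UNESCAPE_SLED.findall(body)) >= 2,
        "no_cache_html": lowered.get("pragma", "").lower() == "no-cache"
        and lowered.get("content-type", "").lower().startswith("text/html"),
        "ie6_nt5_client": bool(IE6_TARGET.search(user_agent)),
    }
    hits["alert"] = hits["onload_window"] and (
        (hits["multi_iframe"] and hits["prompt_calls"]) or hits["unescape_sled"]
    )
    return hits


# Constructed fixtures: a benign page and a page carrying only the structural
# markers named in the detection notes (filler bytes, no payload of any kind).
BENIGN_HEADERS = {"Content-Type": "text/html"}
BENIGN_BODY = '<html><body onload="init()"><iframe src="/ad"></iframe></body></html>'
SUSPECT_HEADERS = {"Pragma": "no-cache", "Content-Type": "text/html"}
SUSPECT_BODY = (
    '<html><body onload="window()">'
    + '<iframe src="/f"></iframe>' * 4
    + '<script>prompt("a"); prompt("b");'
    + 'var s = unescape("%u4141%u4141%u4141%u4141");'
    + 'var t = unescape("%u4141%u4141%u4141%u4141");</script></body></html>'
)
IE6_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
```

The 'ie6_nt5_client' and 'no_cache_html' indicators are reported but not required for the alert, since on their own they match plenty of legitimate 2005-era traffic.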
CVSS provenance
- NVD (v2.0): 2.6 LOW, AV:N/AC:H/Au:N/C:N/I:N/A:P
- VulnCheck: 2.6 LOW
GHSA
GHSA-368p-45pv-mjr9 (ghsa_unreviewed · 2022-05-01 · LOW): Microsoft Internet Explorer 6 SP2 6
VulnCheck
Microsoft Internet Explorer Javascript BODY onload Vulnerability (vulncheck · 2005 · CVSS 2.6, LOW)
Affected: Microsoft Internet Explorer
Required Action: Apply remediations or mitigations per vendor instructions, or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-055
No detection rules found.
Exploit-DB
Microsoft Internet Explorer - JavaScript OnLoad Handler Remote Code Execution (MS05-054) (Metasploit) (exploitdb · 2012-01-14 · CVSS 2.6, LOW)

Indexed module header (truncated as indexed):

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution Vulnerability',
'Description' => %q{
This bug is triggered when the browser handles a JavaScript 'onLoad' handler in
conjunction with an improperly initialized 'window()' JavaScript function.
This exploit results in a call to an address lower than the heap. The javascript
prompt() places our shellcode near where the ca
```
Metasploit
MS05-054 Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution (metasploit)
This bug is triggered when the browser handles a JavaScript 'onLoad' handler in conjunction with an improperly initialized 'window()' JavaScript function. This exploit results in a call to an address lower than the heap. The javascript prompt() places our shellcode near where the call operand points to. We call prompt() multiple times in separate iframes to place our return address. We hide the prompts in a popup window behind the main window. We spray the heap a second time with our shellcode and point the return address to the heap. I use a fairly high address to make this exploit more reliable. IE will crash when the exploit completes. Also, please note that Internet Explorer must allow popups in order
No writeups or analysis indexed.
References
- http://marc.info/?l=bugtraq&m=111746394106172&w=2
- http://marc.info/?l=bugtraq&m=111755552306013&w=2
- http://secunia.com/advisories/15368
- http://secunia.com/advisories/15546
- http://secunia.com/advisories/18064
- http://secunia.com/advisories/18311
- http://securitytracker.com/id?1015251
- http://support.avaya.com/elmodocs2/security/ASA-2005-234.pdf
- http://www.computerterrorism.com/research/ie/ct21-11-2005
- http://www.kb.cert.org/vuls/id/887861
- http://www.securityfocus.com/archive/1/417326/30/0/threaded
- http://www.securityfocus.com/bid/13799
- http://www.us-cert.gov/cas/techalerts/TA05-347A.html
- http://www.vupen.com/english/advisories/2005/2509
- http://www.vupen.com/english/advisories/2005/2867
- http://www.vupen.com/english/advisories/2005/2909
- http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=BLTNDETAIL&DocumentOID=375420
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-054
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1091
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1299
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1303
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1489
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1508
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A722