CVE-2006-1016
published 2006-03-07

Priority: P345 high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 66.67% (99.2th percentile)

Buffer overflow in the IsComponentInstalled method in Internet Explorer 6.0, when used on Windows 2000 before SP4 or Windows XP before SP1, allows remote attackers to execute arbitrary code via JavaScript that calls IsComponentInstalled with a long first argument.

Affected

1 range
Vendor | Product | Version range | Fixed in
microsoft | internet_explorer | |

Detection & IOCs (extracted from sources)

url: url(#default#clientCaps)
command: isComponentInstalled( "<8192-byte pattern>" , "componentid" )
  • Detect HTTP responses containing the 'clientCaps' behavior combined with a call to 'isComponentInstalled' with an abnormally long first argument (>744 bytes) — characteristic of this exploit's overflow trigger.
  • Alert on JavaScript passing a string argument of ~8192 bytes to isComponentInstalled(); legitimate usage would never require such a large first argument.
  • The exploit uses randomized HTML variable names and whitespace (Rex::Text.randomize_space) to evade static signature matching; focus detection on the behavioral pattern (clientCaps + isComponentInstalled + long arg) rather than fixed strings.
  • The second argument to isComponentInstalled is always the literal string 'componentid' in this exploit; pairing this with a long first argument is a strong indicator.
  • Payload bad characters are null byte, backslash, LF, CR, and double-quote; shellcode in-the-wild for this CVE will not contain \x00\x5c\x0a\x0d\x22.
  • Exploit only affects Windows 2000 pre-SP4 and Windows XP pre-SP1 running Internet Explorer 6.0; patched systems are not vulnerable.
  • The Metasploit module only includes a single target (Windows XP SP0 / IE 6.0) with RET 0x71ab8e4a; other OS/SP combinations would require different return addresses and are not covered by this module.
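
Added example (not from the advisory or the Metasploit module): a static check for the behavioral pattern in the bullets above, tolerant of randomized names and whitespace. It goes slightly beyond them by resolving a first argument passed as a variable assigned a string literal; the sample pages, variable names and the placeholder GUID are constructed.

```python
import re

THRESHOLD = 744  # first-argument length the page calls abnormal
BEHAVIOR = re.compile(r"#default#clientCaps", re.I)
# Whitespace-tolerant call match; first argument is a string literal or a variable name.
CALL = re.compile(
    r"isComponentInstalled\s*\(\s*"
    r"(?:(?P<q>[\"'])(?P<lit>.*?)(?P=q)|(?P<var>[A-Za-z_$][\w$]*))"
    r"\s*,\s*[\"'](?P<second>[^\"']*)[\"']",
    re.I | re.S,
)

def _resolve(body, name):
    """Length of the longest string literal assigned to `name`, or None."""
    pat = re.compile(r"\b" + re.escape(name) + r"\s*=\s*([\"'])(.*?)\1", re.S)
    lengths = [len(m.group(2)) for m in pat.finditer(body)]
    return max(lengths) if lengths else None

def scan(body):
    """Return one finding per over-long isComponentInstalled call in a clientCaps page."""
    if not BEHAVIOR.search(body):
        return []
    findings = []
    for m in CALL.finditer(body):
        lit = m.group("lit")
        length = len(lit) if lit is not None else _resolve(body, m.group("var"))
        if length is not None and length > THRESHOLD:
            strong = m.group("second").lower() == "componentid"
            findings.append({"first_arg_len": length, "componentid": strong})
    return findings

# Constructed samples (not captured traffic). The GUID is a placeholder.
BENIGN = ('<div id="cc" style="behavior:url(#default#clientCaps)"></div>'
          '<script>cc.isComponentInstalled("{00000000-0000-0000-0000-000000000000}",'
          ' "componentid")</script>')
SUSPECT = ('<div id="qZx" style="behavior:url(#default#clientCaps)"></div>\n'
           '<script>\n var  kLm =\t"' + "A" * 8192 + '";\n'
           ' qZx.isComponentInstalled (\n   kLm ,\t"componentid" )\n</script>')
NO_BEHAVIOR = '<script>x.isComponentInstalled("' + "A" * 8192 + '", "componentid")</script>'

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("suspect", SUSPECT), ("no_behavior", NO_BEHAVIOR)):
        print(name, scan(body))
```

A first argument assembled at runtime (concatenation, unescape) is not resolved by this static check and needs script emulation or a length check at the point of the call.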