CVE-2006-1016
Published 2006-03-07
Priority P3 45 · high 7.5 · CVSS 2.0
AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 66.67% (99.2th percentile)
Buffer overflow in the IsComponentInstalled method in Internet Explorer 6.0, when used on Windows 2000 before SP4 or Windows XP before SP1, allows remote attackers to execute arbitrary code via JavaScript that calls IsComponentInstalled with a long first argument.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
Detection & IOCs (extracted from sources)
- Detect HTTP responses containing the 'clientCaps' behavior combined with a call to 'isComponentInstalled' with an abnormally long first argument (>744 bytes), which is characteristic of this exploit's overflow trigger.
- Alert on JavaScript passing a string argument of ~8192 bytes to isComponentInstalled(); legitimate usage would never require such a large first argument.
- The exploit uses randomized HTML variable names and whitespace (Rex::Text.randomize_space) to evade static signature matching; focus detection on the behavioral pattern (clientCaps + isComponentInstalled + long arg) rather than fixed strings.
- The second argument to isComponentInstalled is always the literal string 'componentid' in this exploit; pairing this with a long first argument is a strong indicator.
- Payload bad characters are null byte, backslash, LF, CR, and double-quote; shellcode in-the-wild for this CVE will not contain \x00\x5c\x0a\x0d\x22.
- Exploit only affects Windows 2000 pre-SP4 and Windows XP pre-SP1 running Internet Explorer 6.0; patched systems are not vulnerable.
- The Metasploit module only includes a single target (Windows XP SP0 / IE 6.0) with RET 0x71ab8e4a; other OS/SP combinations would require different return addresses and are not covered by this module.
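The behavioral pattern from the notes above (clientCaps + isComponentInstalled + long first argument), as an added detection sketch that is not part of the original page or of any indexed rule. It assumes the first argument appears as a string literal in the HTTP response body; `inspect_response` and the sample pages are hypothetical, constructed names and data.

```python
import re

LONG_ARG_THRESHOLD = 744  # bytes; the threshold quoted in the detection notes

# behavior:url(#default#clientCaps), tolerant of case and injected whitespace
CLIENTCAPS_RE = re.compile(r"#\s*default\s*#\s*clientCaps", re.I)
# <obj>.isComponentInstalled("<first>", "<second>" ...), either quote style;
# the object name is not matched because the notes say it is randomized
CALL_RE = re.compile(
    r"\.\s*isComponentInstalled\s*\(\s*"
    r"(?P<q1>[\"'])(?P<first>.*?)(?P=q1)\s*,\s*"
    r"(?P<q2>[\"'])(?P<second>.*?)(?P=q2)",
    re.I | re.S,
)

def inspect_response(body):
    """Return one finding per isComponentInstalled call with an oversized first argument."""
    has_clientcaps = bool(CLIENTCAPS_RE.search(body))
    findings = []
    for m in CALL_RE.finditer(body):
        first_len = len(m.group("first").encode("utf-8"))
        if first_len <= LONG_ARG_THRESHOLD:
            continue  # normal component IDs are short GUID-style strings
        findings.append({
            "first_arg_bytes": first_len,
            # corroborating only: legitimate calls may use this value too
            "second_is_componentid": m.group("second").lower() == "componentid",
            "clientcaps_behavior": has_clientcaps,
            "severity": "high" if has_clientcaps else "medium",
        })
    return findings

# Constructed samples: a short placeholder GUID, and 800 filler bytes (no payload)
BENIGN = ('<div id="cc" style="behavior:url(#default#clientCaps)"></div>\n'
          '<script>var ok = cc.isComponentInstalled('
          '"{00000000-0000-0000-0000-000000000000}", "componentid");</script>')
SUSPICIOUS = ('<div id="x1" style="behavior:url( #default#clientCaps )"></div>\n'
              '<script>x1 . isComponentInstalled(  "' + "A" * 800 +
              '" ,\t"componentid" );</script>')

if __name__ == "__main__":
    for name, page in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, inspect_response(page))
```

A first argument assembled at runtime (concatenation, unescape) will not match this literal-only pattern and needs script-aware inspection instead.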
No detection rules found.
Exploit-DB
Microsoft Internet Explorer - isComponentInstalled Overflow (Metasploit)
exploitdb·2010-05-09
---
##
# $Id: ie_iscomponentinstalled.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Internet Explorer isComponentInstalled Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Internet Explorer. This bug was
patched in Windows 2000 SP4 and Windows XP SP1 according to MSRC.
},
'License' => MSF_LICENSE,
'Author' =>
[
'hdm',
],
'Version' => '$Revision: 9262 $',
'References' =>
[
[ 'CVE', '2006-1016' ],
[ 'O
Metasploit
Microsoft Internet Explorer isComponentInstalled Overflow
metasploit
This module exploits a stack buffer overflow in Internet Explorer. This bug was patched in Windows 2000 SP4 and Windows XP SP1 according to MSRC.
No writeups or analysis indexed.
- http://metasploit.com/projects/Framework/exploits.html#ie_iscomponentinstalled
- http://www.metasploit.com/projects/Framework/modules/exploits/ie_iscomponentinstalled.pm
- http://www.securityfocus.com/bid/16870
- https://exchange.xforce.ibmcloud.com/vulnerabilities/24923