CVE-2010-0805
Published: 2010-03-31
Priority: P2 · 66 · critical · CVSS 2.0 score 9.3
CVSS vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 80.60% (99.6th percentile)
The Tabular Data Control (TDC) ActiveX control in Microsoft Internet Explorer 5.01 SP4, 6 on Windows XP SP2 and SP3, and 6 SP1 allows remote attackers to execute arbitrary code via a long URL (DataURL parameter) that triggers memory corruption in the CTDCCtl::SecurityCHeckDataURL function, aka "Memory Corruption Vulnerability."
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
Detection & IOCs
YARA
```yara
rule MSIETabularActivex
{
    meta:
        ref = "CVE-2010-0805"
        impact = 7
        hide = true
        author = "@d3t0n4t0r"
    strings:
        $cve20100805_1 = "333C7BC4-460F-11D0-BC04-0080C7055A83" nocase fullword
        $cve20100805_2 = "DataURL" nocase fullword
        $cve20100805_3 = "true"
    condition:
        ($cve20100805_1 and $cve20100805_3) or (all of them)
}
```
- Heap spray pattern: exploit uses return address 0x0c0c0c0c repeated and doubled in a loop; look for this value in memory or network content.
- Metasploit module sets InitialAutoRunScript to 'migrate -f', causing the payload process to migrate immediately after execution; monitor for unexpected process migration behaviour following iexplore.exe activity.
- Vulnerability is triggered via the DataURL parameter of the TDC ActiveX control; a long URL value causes a NUL byte write outside array bounds in CTDCCtl::SecurityCHeckDataURL. Flag unusually long DataURL attribute values in HTML.
- Exploit only affects Internet Explorer 5.01 SP4, IE 6 on Windows XP SP2/SP3, and IE 6 SP1; later IE versions are not listed as vulnerable.
Suricata
ET ACTIVEX Microsoft Internet Explorer Tabular DataURL ActiveX Control Memory Corruption Attempt
suricata · 2010-07-30
Rule:
```
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Internet Explorer Tabular DataURL ActiveX Control Memory Corruption Attempt"; flow:established,to_client; content:"333C7BC4-460F-11D0-BC04-0080C7055A83"; nocase; content:"DataURL"; nocase; distance:0; content:"value=|22|"; nocase; distance:0; isdataat:100,relative; content:!"|0A|"; within:100; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*333C7BC4-460F-11D0-BC04-0080C7055A83/si"; reference:url,securitytracker.com/alerts/2010/Mar/1023773.html; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20202; reference:url,www.metasploit.com/redmine/projects/framework/repository/revisions/9
```
Exploit-DB
Microsoft Internet Explorer - Tabular Data Control ActiveX Memory Corruption (MS10-018) (Metasploit)
exploitdb · 2010-04-30
---
##
# $Id: ms10_018_ie_tabular_activex.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Internet Explorer Tabular Data Control ActiveX Memory Corruption',
'Description' => %q{
This module exploits a memory corruption vulnerability in the Internet Explorer
Tabular Data ActiveX Control. Microsoft reports that version 5.01 and 6 of Internet
Explorer are vulnerable.
By specifying a long value as the "DataU
Exploit-DB
Microsoft Internet Explorer Tabular Data Control - ActiveX Remote Code Execution
exploitdb · 2010-04-03 · CVSS 9.3 [CRITICAL]
---
# CVE : CVE-2010-0805
Trigger for ZDI-10-034 by ZSploit.com
The ZSploit Team
Metasploit
MS10-018 Microsoft Internet Explorer Tabular Data Control ActiveX Memory Corruption
metasploit
This module exploits a memory corruption vulnerability in the Internet Explorer Tabular Data ActiveX Control. Microsoft reports that version 5.01 and 6 of Internet Explorer are vulnerable. By specifying a long value as the "DataURL" parameter to this control, it is possible to write a NUL byte outside the bounds of an array. By targeting control flow data on the stack, an attacker can execute arbitrary code.
No writeups or analysis indexed.
References
- http://securitytracker.com/id?1023773
- http://www.securityfocus.com/archive/1/510507/100/0/threaded
- http://www.securityfocus.com/bid/39025
- http://www.us-cert.gov/cas/techalerts/TA10-068A.html
- http://www.us-cert.gov/cas/techalerts/TA10-089A.html
- http://www.vupen.com/english/advisories/2010/0744
- http://www.zerodayinitiative.com/advisories/ZDI-10-034
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-018
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8080