ID CVE-2005-1790
Summary Microsoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106, and earlier versions, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a Javascript BODY onload event that calls the window function, aka "Mismatched Document Object Model Objects Memory Corruption Vulnerability."
References
Vulnerable Configurations
  • Microsoft Internet Explorer 6.0.2800.1106
    cpe:2.3:a:microsoft:ie:6.0.2800.1106
  • Microsoft Internet Explorer 6.0.2900.2180
    cpe:2.3:a:microsoft:ie:6.0.2900.2180
CVSS
Base: 2.6 (as of 01-06-2005 - 15:36)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
Vector: NETWORK
Complexity: HIGH
Authentication: NONE
Impact
Confidentiality: NONE
Integrity: NONE
Availability: PARTIAL
exploit-db via4
description Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution Vulnerability. CVE-2005-1790. Remote exploit for windows platform
id EDB-ID:18365
last seen 2016-02-02
modified 2012-01-14
published 2012-01-14
reporter metasploit
source https://www.exploit-db.com/download/18365/
title Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution Vulnerability
metasploit via4
description This bug is triggered when the browser handles a JavaScript 'onLoad' handler in conjunction with an improperly initialized 'window()' JavaScript function. This exploit results in a call to an address lower than the heap. The javascript prompt() places our shellcode near where the call operand points to. We call prompt() multiple times in separate iframes to place our return address. We hide the prompts in a popup window behind the main window. We spray the heap a second time with our shellcode and point the return address to the heap. I use a fairly high address to make this exploit more reliable. IE will crash when the exploit completes. Also, please note that Internet Explorer must allow popups in order to continue exploitation.
id MSF:EXPLOIT/WINDOWS/BROWSER/MS05_054_ONLOAD
last seen 2019-03-17
modified 2017-10-05
published 2012-01-06
reliability Normal
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ms05_054_onload.rb
title MS05-054 Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution
nessus via4
NASL family Windows : Microsoft Bulletins
NASL id SMB_NT_MS05-054.NASL
description The remote host is missing IE Cumulative Security Update 905915. The remote version of IE is vulnerable to several flaws that could allow an attacker to execute arbitrary code on the remote host.
last seen 2019-02-21
modified 2018-11-15
plugin id 20299
published 2005-12-13
reporter Tenable
source https://www.tenable.com/plugins/index.php?view=single&id=20299
title MS05-054: Cumulative Security Update for Internet Explorer (905915)
oval via4
  • accepted 2014-02-24T04:00:07.563-05:00
    class vulnerability
    contributors
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    • name Jonathan Baker
      organization The MITRE Corporation
    • name Jeff Cheng
      organization Opsware, Inc.
    • name Jeff Cheng
      organization Opsware, Inc.
    • name Sudhir Gandhe
      organization Telos
    • name Shane Shaffer
      organization G2, Inc.
    • name Maria Mikhno
      organization ALTX-SOFT
    description Microsoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106, and earlier versions, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a Javascript BODY onload event that calls the window function, aka "Mismatched Document Object Model Objects Memory Corruption Vulnerability."
    family windows
    id oval:org.mitre.oval:def:1091
    status accepted
    submitted 2005-11-11T12:00:00.000-04:00
    title Server 2003 IE Mismatched Document Object Memory Corruption Vulnerability
    version 70
  • accepted 2014-02-24T04:00:13.361-05:00
    class vulnerability
    contributors
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    • name Jonathan Baker
      organization The MITRE Corporation
    • name Dragos Prisaca
      organization Gideon Technologies, Inc.
    • name Sudhir Gandhe
      organization Telos
    • name Shane Shaffer
      organization G2, Inc.
    • name Maria Mikhno
      organization ALTX-SOFT
    description Microsoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106, and earlier versions, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a Javascript BODY onload event that calls the window function, aka "Mismatched Document Object Model Objects Memory Corruption Vulnerability."
    family windows
    id oval:org.mitre.oval:def:1299
    status accepted
    submitted 2005-11-11T12:00:00.000-04:00
    title WinXP,SP2 IE Mismatched Document Object Memory Corruption Vulnerability
    version 71
  • accepted 2014-02-24T04:00:13.568-05:00
    class vulnerability
    contributors
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    • name Jonathan Baker
      organization The MITRE Corporation
    • name Sudhir Gandhe
      organization Telos
    • name Shane Shaffer
      organization G2, Inc.
    • name Maria Mikhno
      organization ALTX-SOFT
    description Microsoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106, and earlier versions, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a Javascript BODY onload event that calls the window function, aka "Mismatched Document Object Model Objects Memory Corruption Vulnerability."
    family windows
    id oval:org.mitre.oval:def:1303
    status accepted
    submitted 2005-11-11T12:00:00.000-04:00
    title WinXP,SP1 (64-bit) IE Mismatched Document Object Memory Corruption Vulnerability
    version 70
  • accepted 2014-02-24T04:00:17.981-05:00
    class vulnerability
    contributors
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    • name Anna Min
      organization BigFix, Inc
    • name Sudhir Gandhe
      organization Telos
    • name Shane Shaffer
      organization G2, Inc.
    • name Maria Mikhno
      organization ALTX-SOFT
    description Microsoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106, and earlier versions, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a Javascript BODY onload event that calls the window function, aka "Mismatched Document Object Model Objects Memory Corruption Vulnerability."
    family windows
    id oval:org.mitre.oval:def:1489
    status accepted
    submitted 2005-11-11T12:00:00.000-04:00
    title Win2k,SP4 IE Mismatched Document Object Memory Corruption Vulnerability
    version 70
  • accepted 2014-02-24T04:00:18.888-05:00
    class vulnerability
    contributors
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    • name Jonathan Baker
      organization The MITRE Corporation
    • name Jeff Cheng
      organization Opsware, Inc.
    • name Jeff Cheng
      organization Opsware, Inc.
    • name Sudhir Gandhe
      organization Telos
    • name Shane Shaffer
      organization G2, Inc.
    • name Maria Mikhno
      organization ALTX-SOFT
    description Microsoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106, and earlier versions, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a Javascript BODY onload event that calls the window function, aka "Mismatched Document Object Model Objects Memory Corruption Vulnerability."
    family windows
    id oval:org.mitre.oval:def:1508
    status accepted
    submitted 2005-11-11T12:00:00.000-04:00
    title Server 2003,SP1 IE Mismatched Document Object Memory Corruption Vulnerability
    version 71
  • accepted 2014-02-24T04:03:26.143-05:00
    class vulnerability
    contributors
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    • name Sudhir Gandhe
      organization Telos
    • name Shane Shaffer
      organization G2, Inc.
    • name Maria Mikhno
      organization ALTX-SOFT
    description Microsoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106, and earlier versions, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a Javascript BODY onload event that calls the window function, aka "Mismatched Document Object Model Objects Memory Corruption Vulnerability."
    family windows
    id oval:org.mitre.oval:def:722
    status accepted
    submitted 2005-11-11T12:00:00.000-04:00
    title Win2K/XP,SP1 IE Mismatched Document Object Memory Corruption Vulnerability
    version 70
packetstorm via4
data source https://packetstormsecurity.com/files/download/108617/ms05_054_onload.rb.txt
id PACKETSTORM:108617
last seen 2016-12-05
published 2012-01-13
reporter Benjamin Tobias Franz
source https://packetstormsecurity.com/files/108617/Microsoft-Internet-Explorer-JavaScript-OnLoad-Handler-Remote-Code-Execution.html
title Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution
refmap via4
bid 13799
bugtraq
  • 20050528 Microsoft Internet Explorer - Crash on JavaScript "window()"-calling (05/28/2005)
  • 20050530 Re: Microsoft Internet Explorer - Crash on JavaScript "window()"-calling (05/28/2005)
  • 20051121 Computer Terrorism Security Advisory (Reclassification) - Microsoft Internet Explorer JavaScript Window() Vulnerability
cert TA05-347A
cert-vn VU#887861
confirm http://support.avaya.com/elmodocs2/security/ASA-2005-234.pdf
misc
ms MS05-054
sectrack 1015251
secunia
  • 15368
  • 15546
  • 18064
  • 18311
vupen
  • ADV-2005-2509
  • ADV-2005-2867
  • ADV-2005-2909
saint via4
bid 13799
description Internet Explorer onload window vulnerability
id win_patch_ie_jsvul
osvdb 17094
title ie_onload_window
type client
Last major update 17-10-2016 - 23:22
Published 01-06-2005 - 00:00
Last modified 19-10-2018 - 11:31