CVE-2004-1050 - Heap-based buffer overflow in Internet Explorer 6 allows remote attackers to execute arbitrary code

CVE-2004-1050

Summary

Heap-based buffer overflow in Internet Explorer 6 allows remote attackers to execute arbitrary code via long (1) SRC or (2) NAME attributes in IFRAME, FRAME, and EMBED elements, as originally discovered using the mangleme utility, aka "the IFRAME vulnerability" or the "HTML Elements Vulnerability."

References

Vulnerable Configurations

cpe:2.3:a:avaya:ip600_media_servers:*:*:*:*:*:*:*:*
cpe:2.3:a:avaya:ip600_media_servers:*:*:*:*:*:*:*:*
cpe:2.3:a:avaya:ip600_media_servers:r10:*:*:*:*:*:*:*
cpe:2.3:a:avaya:ip600_media_servers:r10:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:internet_explorer:6.0:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:internet_explorer:6.0:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:ie:6.0:sp1:*:*:*:*:*:*
cpe:2.3:a:microsoft:ie:6.0:sp1:*:*:*:*:*:*
cpe:2.3:h:avaya:definity_one_media_server:r8:*:*:*:*:*:*:*
cpe:2.3:h:avaya:definity_one_media_server:r8:*:*:*:*:*:*:*
cpe:2.3:h:avaya:definity_one_media_server:r9:*:*:*:*:*:*:*
cpe:2.3:h:avaya:definity_one_media_server:r9:*:*:*:*:*:*:*
cpe:2.3:h:avaya:s3400:*:*:*:*:*:*:*:*
cpe:2.3:h:avaya:s3400:*:*:*:*:*:*:*:*
cpe:2.3:h:avaya:s8100:r8:*:*:*:*:*:*:*
cpe:2.3:h:avaya:s8100:r8:*:*:*:*:*:*:*
cpe:2.3:h:avaya:s8100:r9:*:*:*:*:*:*:*
cpe:2.3:h:avaya:s8100:r9:*:*:*:*:*:*:*
cpe:2.3:a:avaya:ip600_media_servers:r8:*:*:*:*:*:*:*
cpe:2.3:a:avaya:ip600_media_servers:r8:*:*:*:*:*:*:*
cpe:2.3:a:avaya:ip600_media_servers:r9:*:*:*:*:*:*:*
cpe:2.3:a:avaya:ip600_media_servers:r9:*:*:*:*:*:*:*
cpe:2.3:h:avaya:definity_one_media_server:r12:*:*:*:*:*:*:*
cpe:2.3:h:avaya:definity_one_media_server:r12:*:*:*:*:*:*:*
cpe:2.3:h:avaya:definity_one_media_server:r7:*:*:*:*:*:*:*
cpe:2.3:h:avaya:definity_one_media_server:r7:*:*:*:*:*:*:*
cpe:2.3:h:avaya:definity_one_media_server:*:*:*:*:*:*:*:*
cpe:2.3:h:avaya:definity_one_media_server:*:*:*:*:*:*:*:*
cpe:2.3:h:avaya:s8100:r11:*:*:*:*:*:*:*
cpe:2.3:h:avaya:s8100:r11:*:*:*:*:*:*:*
cpe:2.3:h:avaya:s8100:*:*:*:*:*:*:*:*
cpe:2.3:h:avaya:s8100:*:*:*:*:*:*:*:*
cpe:2.3:a:avaya:ip600_media_servers:r6:*:*:*:*:*:*:*
cpe:2.3:a:avaya:ip600_media_servers:r6:*:*:*:*:*:*:*
cpe:2.3:h:avaya:s8100:r7:*:*:*:*:*:*:*
cpe:2.3:h:avaya:s8100:r7:*:*:*:*:*:*:*
cpe:2.3:a:avaya:ip600_media_servers:r12:*:*:*:*:*:*:*
cpe:2.3:a:avaya:ip600_media_servers:r12:*:*:*:*:*:*:*
cpe:2.3:h:avaya:s8100:r6:*:*:*:*:*:*:*
cpe:2.3:h:avaya:s8100:r6:*:*:*:*:*:*:*
cpe:2.3:h:avaya:s8100:r10:*:*:*:*:*:*:*
cpe:2.3:h:avaya:s8100:r10:*:*:*:*:*:*:*
cpe:2.3:a:avaya:ip600_media_servers:r7:*:*:*:*:*:*:*
cpe:2.3:a:avaya:ip600_media_servers:r7:*:*:*:*:*:*:*
cpe:2.3:a:avaya:ip600_media_servers:r11:*:*:*:*:*:*:*
cpe:2.3:a:avaya:ip600_media_servers:r11:*:*:*:*:*:*:*
cpe:2.3:h:avaya:definity_one_media_server:r6:*:*:*:*:*:*:*
cpe:2.3:h:avaya:definity_one_media_server:r6:*:*:*:*:*:*:*
cpe:2.3:h:avaya:s8100:r12:*:*:*:*:*:*:*
cpe:2.3:h:avaya:s8100:r12:*:*:*:*:*:*:*
cpe:2.3:h:avaya:definity_one_media_server:r10:*:*:*:*:*:*:*
cpe:2.3:h:avaya:definity_one_media_server:r10:*:*:*:*:*:*:*
cpe:2.3:h:avaya:definity_one_media_server:r11:*:*:*:*:*:*:*
cpe:2.3:h:avaya:definity_one_media_server:r11:*:*:*:*:*:*:*
cpe:2.3:o:avaya:modular_messaging_message_storage_server:s3400:*:*:*:*:*:*:*
cpe:2.3:o:avaya:modular_messaging_message_storage_server:s3400:*:*:*:*:*:*:*

CVSS

Base:	10.0 (as of 23-07-2021 - 12:55)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
COMPLETE	COMPLETE	COMPLETE

cvss-vector via4

AV:N/AC:L/Au:N/C:C/I:C/A:C

oval via4

accepted

2014-02-24T04:00:13.078-05:00

class

vulnerability

contributors

name Ingrid Skoog
organization The MITRE Corporation
name Ingrid Skoog
organization The MITRE Corporation
name Christine Walzer
organization The MITRE Corporation
name Matthew Wojcik
organization The MITRE Corporation
name Robert L. Hollis
organization ThreatGuard, Inc.
name Robert L. Hollis
organization ThreatGuard, Inc.
name Maria Mikhno
organization ALTX-SOFT

description

family

windows

oval:org.mitre.oval:def:1294

status

accepted

submitted

2005-01-05T05:00:00.000-04:00

title

IFRAME Vulnerability

version

refmap via4

bid

11515

bugtraq

20041024 python does mangleme (with IE bugs!)
20041102 MSIE and <FRAME> tag NAME property bufferoverflow PoC</li></ul></td></tr><tr><td>cert</td><td><ul class="via4"><li><a href='/link/refmap.cert/TA04-315A'> </a>TA04-315A</li><li><a href='/link/refmap.cert/TA04-336A'> </a>TA04-336A</li></ul></td></tr><tr><td>cert-vn</td><td><a href='/link/refmap.cert-vn/VU%2523842160'> </a>VU#842160</td></tr><tr><td>fulldisc</td><td><ul class="via4"><li><a href='/link/refmap.fulldisc/20041023%2Bpython%2Bdoes%2Bmangleme%2B%2528with%2BIE%2Bbugs%2521%2529'> </a>20041023 python does mangleme (with IE bugs!)</li><li><a href='/link/refmap.fulldisc/20041025%2Bpython%2Bdoes%2Bmangleme%2B%2528with%2BIE%2Bbugs%2521%2529'> </a>20041025 python does mangleme (with IE bugs!)</li></ul></td></tr><tr><td>secunia</td><td><a href='/link/refmap.secunia/12959'> </a>12959</td></tr><tr><td>xf</td><td><a href='/link/refmap.xf/ie-iframe-src-name-bo%252817889%2529'> </a>ie-iframe-src-name-bo(17889)</td></tr></table> </td> </tr> <tr> <td class="warning">saint <a href="https://github.com/CVE-Search/VIA4CVE/" target="_blank">via4</a> </td> <td class="info"> <table class="invisiTable"><tr><td>bid</td><td><a href='/link/saint.bid/11515'> </a>11515</td></tr><tr><td>description</td><td><a href='/link/saint.description/Internet%2BExplorer%2BIFRAME%2Bbuffer%2Boverflow'> </a>Internet Explorer IFRAME buffer overflow</td></tr><tr><td>id</td><td><a href='/link/saint.id/win_patch_ie_srcbo'> </a>win_patch_ie_srcbo</td></tr><tr><td>osvdb</td><td><a href='/link/saint.osvdb/11337'> </a>11337</td></tr><tr><td>title</td><td><a href='/link/saint.title/ie_iframe'> </a>ie_iframe</td></tr><tr><td>type</td><td><a href='/link/saint.type/client'> </a>client</td></tr></table> </td> </tr> <tr> <td class="warning">Last major update</td> <td class="info">23-07-2021 - 12:55</td> </tr> <tr> <td class="warning">Published</td> <td class="info">31-12-2004 - 05:00</td> </tr> <tr> <td class="warning">Last modified</td> <td class="info">23-07-2021 - 12:55</td> </tr> </tbody> </table> </div> <a href="#" class="back-to-top">Back to Top</a>  </div> </div> </div> </body> </html>