10 - MS05-026

Executive Summary

Informations
Name	MS05-026	First vendor Publication	N/A
Vendor	Microsoft	Last vendor Modification	N/A
Severity (Vendor)	N/A	Revision	N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score	10	Attack Range	Network
Cvss Impact Score	10	Attack Complexity	Low
Cvss Expoit Score	10	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability in HTML Help Could Allow Remote Code Execution (896358)

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:1057

Oval ID:	oval:org.mitre.oval:def:1057
Title:	Windows XP HTML Help Remote Code Execution Vulnerability
Description:	Integer overflow in Microsoft Windows 98, 2000, XP SP2 and earlier, and Server 2003 SP1 and earlier allows remote attackers to execute arbitrary code via a crafted compiled Help (.CHM) file with a large size field that triggers a heap-based buffer overflow, as demonstrated using a "ms-its:" URL in Internet Explorer.
Family:	windows	Class:	vulnerability
Reference(s):	CVE-2005-1208	Version:	8
Platform(s):	Microsoft Windows XP	Product(s):	HTML Help Facility
Definition Synopsis:
Windows XP is installed AND a vulnerable version of hh.exe exists for specific Windows configurations a vulnerable version of hh.exe exists 32-bit version of Windows or 64-bit (itanium architecture) version of Windows is installed 32-Bit version of Windows is installed AND a version of Windows for the ia64 architecture is installed AND NOT Win2K/XP/2003 service pack 2 (or later) is installed AND the version of hh.exe is less than 5.2.3790.315 OR for 32-bit Windows with sp2 a vulnerable version of hh.exe exists 32-Bit version of Windows is installed AND Win2K/XP/2003/Vista/2008 Service Pack 2 is installed AND the version of hh.exe is less than 5.2.3790.2453 OR for 64-bit (x64 arch) Windows (gold edition) a vulnerable version of hh.exe exists 64-Bit (x64 architecture) version of Windows is installed AND NOT Win2K/XP/2003 is patched AND the version of hh.exe is less than 5.2.3790.2435 AND NOT the patch kb896358 is installed (Hotfix key)

Definition Id: oval:org.mitre.oval:def:381

Oval ID:	oval:org.mitre.oval:def:381
Title:	Server 2003 HTML Help Remote Code Execution Vulnerability
Description:	Integer overflow in Microsoft Windows 98, 2000, XP SP2 and earlier, and Server 2003 SP1 and earlier allows remote attackers to execute arbitrary code via a crafted compiled Help (.CHM) file with a large size field that triggers a heap-based buffer overflow, as demonstrated using a "ms-its:" URL in Internet Explorer.
Family:	windows	Class:	vulnerability
Reference(s):	CVE-2005-1208	Version:	5
Platform(s):	Microsoft Windows Server 2003	Product(s):	HTML Help Facility
Definition Synopsis:
Windows Server 2003 is installed AND a vulnerable version of hh.exe exists for specific Windows configurations a vulnerable version of hh.exe exists 32-bit version of Windows or 64-bit (itanium architecture) version of Windows is installed 32-Bit version of Windows is installed AND a version of Windows for the ia64 architecture is installed AND NOT Win2K/XP/2003 is patched AND the version of hh.exe is less than 5.2.3790.315 OR for specific Windows configurations a vulnerable version of hh.exe exists 32-bit version of Windows or 64-bit (itanium architecture) version of Windows is installed 32-Bit version of Windows is installed AND a version of Windows for the ia64 architecture is installed AND Win2K/XP/2003 service pack 1 is installed AND the version of hh.exe is less than 5.2.3790.2427 OR for 64-bit (x64 arch) Windows (gold edition) a vulnerable version of hh.exe exists 64-Bit (x64 architecture) version of Windows is installed AND NOT Win2K/XP/2003 is patched AND the version of hh.exe is less than 5.2.3790.2435 AND NOT the patch kb896358 is installed (Hotfix key)

Definition Id: oval:org.mitre.oval:def:463

Oval ID:	oval:org.mitre.oval:def:463
Title:	Windows 2000 HTML Help Remote Code Execution Vulnerability
Description:	Integer overflow in Microsoft Windows 98, 2000, XP SP2 and earlier, and Server 2003 SP1 and earlier allows remote attackers to execute arbitrary code via a crafted compiled Help (.CHM) file with a large size field that triggers a heap-based buffer overflow, as demonstrated using a "ms-its:" URL in Internet Explorer.
Family:	windows	Class:	vulnerability
Reference(s):	CVE-2005-1208	Version:	7
Platform(s):	Microsoft Windows 2000	Product(s):	HTML Help Facility
Definition Synopsis:
Windows 2000 (sp4 or earlier) is installed Windows 2000 is installed AND NOT Win2K/XP/2003 service pack 5 (or later) is installed AND the version of hh.exe is less than 5.2.3790.309 AND NOT the patch kb896358 is installed (Hotfix key)

CPE : Common Platform Enumeration

Type	Description	Count
Os	Microsoft Windows 2000 cpe:2.3:o:microsoft:windows_2000::::::::	1
Os	Microsoft Windows 2003 Server cpe:2.3:o:microsoft:windows_2003_server:64-bit:::::::* cpe:2.3:o:microsoft:windows_2003_server:web:sp1:::::: cpe:2.3:o:microsoft:windows_2003_server:web:::::::* cpe:2.3:o:microsoft:windows_2003_server:web:sp1_beta_1:::::: cpe:2.3:o:microsoft:windows_2003_server:standard_64-bit:::::::* cpe:2.3:o:microsoft:windows_2003_server:standard:sp1_beta_1:::::: cpe:2.3:o:microsoft:windows_2003_server:standard:sp1:::::: cpe:2.3:o:microsoft:windows_2003_server:standard::64-bit::::: cpe:2.3:o:microsoft:windows_2003_server:r2:::::::* cpe:2.3:o:microsoft:windows_2003_server:r2::datacenter_64-bit::::: cpe:2.3:o:microsoft:windows_2003_server:r2::64-bit::::: cpe:2.3:o:microsoft:windows_2003_server:r2:sp1_beta_1:::::: cpe:2.3:o:microsoft:windows_2003_server:r2:sp1:::::: cpe:2.3:o:microsoft:windows_2003_server:enterprise_64-bit:sp1_beta_1:::::: cpe:2.3:o:microsoft:windows_2003_server:enterprise_64-bit:::::::* cpe:2.3:o:microsoft:windows_2003_server:enterprise_64-bit:sp1:::::: cpe:2.3:o:microsoft:windows_2003_server:enterprise::64-bit::::: cpe:2.3:o:microsoft:windows_2003_server:enterprise:sp1:::::: cpe:2.3:o:microsoft:windows_2003_server:enterprise:sp1_beta_1:::::: cpe:2.3:o:microsoft:windows_2003_server:datacenter_64-bit:sp1_beta_1:::::: cpe:2.3:o:microsoft:windows_2003_server:datacenter_64-bit:sp1::::::	21
Os	Microsoft Windows 98 cpe:2.3:o:microsoft:windows_98::gold::::::*	1
Os	Microsoft Windows Xp cpe:2.3:o:microsoft:windows_xp::sp1:tablet_pc::::: cpe:2.3:o:microsoft:windows_xp::gold::::::* cpe:2.3:o:microsoft:windows_xp::sp2:media_center::::: cpe:2.3:o:microsoft:windows_xp::sp2:home::::: cpe:2.3:o:microsoft:windows_xp::sp1:64-bit::::: cpe:2.3:o:microsoft:windows_xp:::media_center:::::* cpe:2.3:o:microsoft:windows_xp:::embedded:::::* cpe:2.3:o:microsoft:windows_xp::sp1:home::::: cpe:2.3:o:microsoft:windows_xp:::home:::::* cpe:2.3:o:microsoft:windows_xp:::64-bit:::::* cpe:2.3:o:microsoft:windows_xp::sp1:embedded::::: cpe:2.3:o:microsoft:windows_xp::sp1:media_center::::: cpe:2.3:o:microsoft:windows_xp::sp2:tablet_pc::::: cpe:2.3:o:microsoft:windows_xp::gold:professional:::::	14

Open Source Vulnerability Database (OSVDB)

Id	Description
17305	Microsoft Windows HTML Help (CHM) File Overflow A remote overflow exists in Microsoft Windows via the "ms-its" protocol specification. Microsoft Windows fails to check the size field resulting in a heap overflow. Specifying a very high value will cause a buffer overflow. With a specially crafted request, an attacker can cause Internet Explorer to open a malicious .CHM file and cause an excessive memory copy that overwrites portions of memory resulting in a loss of availability and possibly remote code execution.

Description

17305

Microsoft Windows HTML Help (CHM) File Overflow

A remote overflow exists in Microsoft Windows via the "ms-its" protocol specification. Microsoft Windows fails to check the size field resulting in a heap overflow. Specifying a very high value will cause a buffer overflow. With a specially crafted request, an attacker can cause Internet Explorer to open a malicious .CHM file and cause an excessive memory copy that overwrites portions of memory resulting in a loss of availability and possibly remote code execution.

Snort® IPS/IDS

Date	Description
2014-01-10	HTML Help ActiveX CLSID unicode access RuleID : 7441 - Revision : 6 - Type : WEB-ACTIVEX
2014-01-10	Microsoft Windows HTML Help ActiveX object access RuleID : 4183 - Revision : 14 - Type : BROWSER-PLUGINS
2014-01-10	CHM file transfer attempt RuleID : 3821 - Revision : 10 - Type : WEB-CLIENT
2014-01-10	Microsoft Windows CHM file magic detected RuleID : 3820 - Revision : 26 - Type : FILE-IDENTIFY
2014-01-10	Microsoft Windows CHM file magic detected RuleID : 23757 - Revision : 13 - Type : FILE-IDENTIFY

Nessus® Vulnerability Scanner

Date	Description
2005-06-14	Name : Arbitrary code can be executed on the remote host through the web client. File : smb_nt_ms05-026.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2014-02-17 11:45:11	Multiple Updates
2014-01-19 21:29:54	Multiple Updates
2013-05-11 12:21:42	Multiple Updates

Global Informations

Type	Count
Oval ID(s)	3
CPE ID(s)	37
osvdb(s)	1
Snort® Rule(s)	5
Nessus® Exploit(s)	1

	Related
10	HPSBST02394 SSR...
10	HPSBST02386 SSR...
10	HPSBST02379 SSR...
10	HPSBST02360 SSR...
10	CVE-2005-1208
9.4	HPSBST02350 SSR...
9.3	HPSBST02397 SSR...
9.3	HPSBST02372 SSR...
9.3	HPSBST02344 SSR...
9.3	HPSBST02336 SSR...
0	HPSBST02329 SSR...
0	HPSBST02320 SSR...
0	HPSBST02314 SSR...
0	HPSBST02304 SSR...
0	HPSBST02299 SSR...
0	HPSBST02291 SSR...
0	HPSBST02280 SSR...
0	HPSBST02260 SSR...
0	HPSBST02255 SSR...
0	HPSBST02243 SSR...
0	HPSBST02231 SSR...
0	HPSBST02214 SSR...
0	HPSBST02208 SSR...
0	HPSBST02206 SSR...
0	HPSBST02194 SSR...
0	HPSBST02184 SSR...
0	HPSBST02180 SSR...
0	HPSBST02161 SSR...
0	HPSBST02160 SSR...
0	HPSBST02134 SSR...
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 30 more Alert(s)

10 - MS05-026

Executive Summary

Security-Database Scoring CVSS v3

Security-Database Scoring CVSS v2

Detail

OVAL Definitions

CPE : Common Platform Enumeration

Open Source Vulnerability Database (OSVDB)

Snort® IPS/IDS

Nessus® Vulnerability Scanner

Alert History

Global Informations

Open Standards

Other Databases

COMPANY

STANDARDS

RECENT POSTS

MENU