ID: CVE-2001-0154 | Type: cve | Reporter: NVD | Modified: 2018-10-12T17:30:14
Description
HTML e-mail feature in Internet Explorer 5.5 and earlier allows attackers to execute attachments by setting an unusual MIME type for the attachment, which Internet Explorer does not process correctly.
{"osvdb": [{"lastseen": "2017-04-28T13:20:02", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\nMicrosoft Security Bulletin: MS01-020\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-04/0016.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-03/0474.html\nISS X-Force ID: 6306\n[CVE-2001-0154](https://vulners.com/cve/CVE-2001-0154)\nCIAC Advisory: l-066\nCERT VU: 980499\nCERT: CA-2001-06\nBugtraq ID: 2524\n", "modified": "2001-03-30T00:00:00", "published": "2001-03-30T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:7806", "id": "OSVDB:7806", "title": "Microsoft IE HTML E-mail Feature Unusual MIME Type Command Execution", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:04", "bulletinFamily": "software", "description": "\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\n\r\nCERT Advisory CA-2001-06 Automatic Execution of Embedded MIME Types\r\n\r\n Original release date: April 03, 2001\r\n Last revised: --\r\n Source: CERT/CC\r\n\r\n A complete revision history can be found at the end of this file.\r\n\r\nSystems Affected\r\n\r\n * All versions of Microsoft Internet Explorer 5.5 SP1 or earlier,\r\n except IE 5.01 SP2\r\n * Any software which utilizes vulnerable versions of Internet\r\n Explorer to render HTML\r\n\r\nOverview\r\n\r\n Microsoft Internet Explorer has a vulnerability triggered when parsing\r\n MIME parts in a document that allows a malicious agent to execute\r\n arbitrary code. Any user or program that uses vulnerable versions of\r\n Internet Explorer to render HTML in a document (for example, when\r\n browsing a filesystem, reading email or news messages, or visiting a\r\n web page), should immediately upgrade to a non-vulnerable version of\r\n Internet Explorer.\r\n\r\nI. 
Description\r\n\r\n There exists in Internet Explorer a table which is used to determine\r\n how IE handles MIME types when it encounters MIME parts in any type of\r\n HTML document, be it email message, newsgroup posting, web page, or\r\n local file. This table contains a set of entries that cause Internet\r\n Explorer to open the MIME part without giving the end user the\r\n opportunity to decide if the MIME part should be opened. This\r\n vulnerability allows an intruder to construct malicious content that,\r\n when viewed in Internet Explorer (or any program that uses the IE HTML\r\n rendering engine), can execute arbitrary code. It is not necessary to\r\n run an attachment; simply viewing the document in a vulnerable program\r\n is sufficient to execute arbitrary code.\r\n\r\n For more details, see Microsoft Security Bulletin MS01-020 on this\r\n topic at:\r\n\r\n http://www.microsoft.com/technet/security/bulletin/MS01-020.asp\r\n\r\n There have been reports that simply previewing HTML content (as in a\r\n mail client or filesystem browser) is sufficient to trigger the\r\n vulnerability. The impact of viewing malicious code in this manner is\r\n being evaluated.\r\n\r\n The CERT/CC is currently unaware of any reports of this vulnerability\r\n being used to successfully attack a system. Demonstration code\r\n exploiting this vulnerability has been published in several public\r\n forums. This vulnerability is being referenced in CVE as CAN-2001-0154\r\n and by the CERT/CC as VU#980499.\r\n\r\nII. Impact\r\n\r\n Attackers can cause arbitrary code to be executed on a victim's system\r\n by embedding the code in a malicious email, or news message, or web\r\n page.\r\n\r\nIII. 
Solution\r\n\r\nApply the patch from Microsoft\r\n\r\n Apply the patch from Microsoft, available at:\r\n\r\n http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp\r\n\r\n As noted in the 'Caveats' section of the Microsoft advisory, end users\r\n must apply this patch to supported versions of Microsoft's browser.\r\n This means IE must be upgraded to IE 5.01 Service Pack 1 or IE 5.5\r\n Service Pack 1 before users can apply this patch. Users who have not\r\n previously upgraded will incorrectly receive a message stating that\r\n they do not need to apply this patch, even though they are vulnerable.\r\n Users are advised to upgrade to IE 5.5 SP1, IE 5.01 SP1 or SP2 (which\r\n has this patch incorporated in it) and apply the appropriate patch.\r\n\r\n An excerpt from MS01-020:\r\n\r\n Caveats:\r\n If the patch is installed on a system running a version of IE other\r\n than the one it is designed for, an error message will be displayed\r\n saying that the patch is not needed. This message is incorrect, and\r\n customers who see this message should upgrade to a supported version\r\n of IE and re-install the patches.\r\n\r\nAppendix A. - Vendor Information\r\n\r\n This appendix contains information provided by vendors for this\r\n advisory. When vendors report new information to the CERT/CC, we\r\n update this section and note the changes in our revision history. If a\r\n particular vendor is not listed below, we have not received their\r\n comments.\r\n\r\n\r\nCyrusoft International, Inc.\r\n\r\n Mulberry does not use Internet Explorer to render HTML within Mulberry\r\n itself and is not vulnerable to these kinds of problems. 
Users can\r\n save HTML attachments to disk and then view those in browsers\r\n susceptible to this problem, but this requires the direct intervention\r\n of the user to explicitly save to disk - simply viewing HTML in\r\n Mulberry does not expose users to these kinds of problems.\r\n\r\n Our HTML rendering is a basic styled-text only renderer that does not\r\n execute any form of scripts. This is true on all the platforms we\r\n support: Win32, Mac OS (Classic & X), Solaris, linux.\r\n\r\n An official statement about this is available on our website at:\r\n\r\n http://www.cyrusoft.com/mulberry/htmlsecurity.html\r\n\r\n\r\nLotus Development Corporation\r\n\r\n Notes does not use IE to render HTML-formatted mail messages.\r\n\r\n\r\nMicrosoft Corporation\r\n\r\n Please see the advisory (MS01-020, "Incorrect MIME Header Can Cause IE\r\n to Execute E-mail Attachment") related to this issue at:\r\n\r\n http://www.microsoft.com/technet/security/bulletin/MS01-020.asp\r\n\r\n A patch is available for this issue at:\r\n\r\n http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp\r\n\r\n\r\nNetscape Communications Corporation\r\n\r\n Netscape is currently investigating the impact this vulnerability, if\r\n any, has on users of the Netscape browser.\r\n\r\n\r\nOpera Software\r\n\r\n Opera does not use Internet Explorer or any other external software to\r\n render HTML.\r\n\r\n\r\nQUALCOMM Incorporated\r\n\r\n It is unclear at this time what impact, if any, this vulnerability has\r\n on Eudora clients.\r\n\r\n\r\nAppendix B. - References\r\n\r\n 1. 
Havrilla, J., and Hernan, S., "CERT Vulnerability Note VU#980499:\r\n Certain MIME types can cause Internet Explorer to execute\r\n arbitrary code when rendering HTML", March 2001.\r\n https://www.kb.cert.org/vuls/id/980499\r\n _________________________________________________________________\r\n\r\n Microsoft has acknowledged Juan Carlos Cuartango for bringing this\r\n issue to their attention.\r\n\r\n This document was written by Jeffrey S. Havrilla and Shawn V. Hernan.\r\n If you have feedback, comments, or additional information about this\r\n issue, please send us email.\r\n ______________________________________________________________________\r\n \r\n This document is available from:\r\n http://www.cert.org/advisories/CA-2001-06.html\r\n ______________________________________________________________________\r\n\r\nCERT/CC Contact Information\r\n\r\n Email: cert@cert.org\r\n Phone: +1 412-268-7090 (24-hour hotline)\r\n Fax: +1 412-268-6989\r\n Postal address:\r\n CERT Coordination Center\r\n Software Engineering Institute\r\n Carnegie Mellon University\r\n Pittsburgh PA 15213-3890\r\n U.S.A.\r\n\r\n CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)\r\n Monday through Friday; they are on call for emergencies during other\r\n hours, on U.S. holidays, and on weekends.\r\n\r\nUsing encryption\r\n\r\n We strongly urge you to encrypt sensitive information sent by email.\r\n Our public PGP key is available from\r\n\r\n http://www.cert.org/CERT_PGP.key\r\n\r\n If you prefer to use DES, please call the CERT hotline for more\r\n information.\r\n\r\nGetting security information\r\n\r\n CERT publications and other security information are available from\r\n our web site\r\n\r\n http://www.cert.org/\r\n\r\n To subscribe to the CERT mailing list for advisories and bulletins,\r\n send email to majordomo@cert.org. 
Please include in the body of your\r\n message\r\n\r\n subscribe cert-advisory\r\n\r\n * "CERT" and "CERT Coordination Center" are registered in the U.S.\r\n Patent and Trademark Office.\r\n ______________________________________________________________________\r\n\r\n NO WARRANTY\r\n Any material furnished by Carnegie Mellon University and the Software\r\n Engineering Institute is furnished on an "as is" basis. Carnegie\r\n Mellon University makes no warranties of any kind, either expressed or\r\n implied as to any matter including, but not limited to, warranty of\r\n fitness for a particular purpose or merchantability, exclusivity or\r\n results obtained from use of the material. Carnegie Mellon University\r\n does not make any warranty of any kind with respect to freedom from\r\n patent, trademark, or copyright infringement.\r\n _________________________________________________________________\r\n\r\n Conditions for use, disclaimers, and sponsorship information\r\n\r\n Copyright 2001 Carnegie Mellon University.\r\n\r\n Revision History\r\nApril 03, 2001: Initial release\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: PGP for Personal Privacy 5.0\r\nCharset: noconv\r\n\r\niQCVAwUBOsoNNQYcfu8gsZJZAQFd3gQAkCKdIcdKJ/gaii0odrJdM/jlZUv7MYYf\r\nR8LUHkV1dUTxEI/SRrKtAoEsf/UVVgZI4PGBB/pyptkmSv2axMWf4AD1Ubful712\r\nojVaHG7hJuV5RNiw2yE/R4AoWZ5GbdaQByYWpCB+OfwNzsz/7MYibjI6xUtvqRvV\r\nJxYMB6q5TqM=\r\n=B0Bv\r\n-----END PGP SIGNATURE-----", "modified": "2001-04-04T00:00:00", "published": "2001-04-04T00:00:00", "id": "SECURITYVULNS:DOC:1460", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:1460", "title": "Advisory CA-2001-06", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2019-02-08T22:18:41", "bulletinFamily": "scanner", "description": "BugBear backdoor is listening on this port.", "modified": "2019-02-08T00:00:00", "published": "2005-11-03T00:00:00", "id": 
"OPENVAS:136141256231011135", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231011135", "title": "Bugbear worm", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: bugbear.nasl 13541 2019-02-08 13:21:52Z cfischer $\n# Description: Bugbear worm\n#\n# Authors:\n# Michel Arboi <arboi@alussinan.org>\n# Well, in fact I started from a simple script by Thomas Reinke and\n# heavily hacked every byte of it :-]\n# Script audit and contributions from Carmichael Security <http://www.carmichaelsecurity.com>\n# Erik Anderson <eanders@carmichaelsecurity.com>\n# Added links to the Bugtraq message archive and Microsoft Knowledgebase\n#\n# Copyright:\n# Copyright (C) 2002 Michel Arboi & Thomas Reinke\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n# There was no information on the BugBear protocol.\n# I found a worm in the wild and found that it replied to the \"p\" command;\n# the data look random but ends with \"ID:\" and a number\n# Thomas Reinke confirmed that his specimen of the worm behaved in the\n# same way.\n# We will not provide the full data here because it might contain\n# confidential information.\n#\n# References:\n#\n# Date: Tue, 1 Oct 2002 02:07:29 -0400\n# From:\"Russ\" <Russ.Cooper@RC.ON.CA>\n# Subject: Alert:New worms, be aware of internal infection possibilities\n# To:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.11135\");\n script_version(\"$Revision: 13541 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-02-08 14:21:52 +0100 (Fri, 08 Feb 2019) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_xref(name:\"IAVA\", value:\"2001-a-0004\");\n script_bugtraq_id(2524);\n script_cve_id(\"CVE-2001-0154\"); # For MS01-020 - should be changed later\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Bugbear worm\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_copyright(\"This script is Copyright (C) 2002 Michel Arboi & Thomas Reinke\");\n script_family(\"Malware\");\n script_require_ports(36794);\n script_dependencies(\"find_service.nasl\");\n script_tag(name:\"solution\", value:\"- Use an Anti-Virus package to remove it.\n\n - Close your Windows shares\n\n - Update your IE browser\n\n See 'Incorrect MIME Header Can Cause IE to Execute E-mail Attachment'\");\n\n 
script_tag(name:\"solution_type\", value:\"Mitigation\");\n\n script_tag(name:\"summary\", value:\"BugBear backdoor is listening on this port.\");\n\n script_tag(name:\"impact\", value:\"An attacker may connect to it to retrieve secret\n information, e.g. passwords or credit card numbers.\");\n\n script_tag(name:\"insight\", value:\"The BugBear worm includes a key logger and can stop\n antivirus or personal firewall software. It propagates itself through email and open\n Windows shares.\n\n Depending on the antivirus vendor, it is known as: Tanatos,\n I-Worm.Tanatos, NATOSTA.A, W32/Bugbear-A, Tanatos, W32/Bugbear@MM,\n WORM_BUGBEAR.A, Win32.BugBear.\");\n\n script_xref(name:\"URL\", value:\"http://www.microsoft.com/technet/security/bulletin/MS01-020.mspx\");\n script_xref(name:\"URL\", value:\"http://www.sophos.com/virusinfo/analyses/w32bugbeara.html\");\n script_xref(name:\"URL\", value:\"http://www.ealaddin.com/news/2002/esafe/bugbear.asp\");\n script_xref(name:\"URL\", value:\"http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear@mm.html\");\n script_xref(name:\"URL\", value:\"http://vil.nai.com/vil/content/v_99728.htm\");\n script_xref(name:\"URL\", value:\"http://online.securityfocus.com/news/1034\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/default.aspx?scid=KB;en-us;329770&\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"misc_func.inc\");\n\nport = 36794;\n\nif (! get_port_state(port)) exit(0);\nsoc = open_sock_tcp(port);\nif (! 
soc) exit(0);\n\n# We just need to send a 'p' without CR\nsend(socket: soc, data: \"p\");\n# I never saw a buffer bigger than 247 bytes but as the \"ID:\" string is\n# near the end, we'd better use a big buffer, just in case\nr = recv(socket: soc, length: 65536);\nclose(soc);\n\nif (\"ID:\" >< r) {\n security_message(port);\n register_service(port: port, proto: \"bugbear\");\n exit(0);\n}\n\nmsg = \"\nThis port is usually used by the BugBear backdoor.\nAlthough the scanner was unable to get an answer from the worm,\nyou'd better check your machine with an up to date\nantivirus scanner.\";\nsecurity_message(port: port, data: msg);", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-02T21:09:10", "bulletinFamily": "scanner", "description": "BugBear backdoor is listening on this port. \nA cracker may connect to it to retrieve secret \ninformation, e.g. passwords or credit card numbers...\n\nThe BugBear worm includes a key logger and can kill \nantivirus or personal firewall softwares. 
It propagates \nitself through email and open Windows shares.\nDepending on the antivirus vendor, it is known as: Tanatos, \nI-Worm.Tanatos, NATOSTA.A, W32/Bugbear-A, Tanatos, W32/Bugbear@MM, \nWORM_BUGBEAR.A, Win32.BugBear...\n\nhttp://www.sophos.com/virusinfo/analyses/w32bugbeara.html\nhttp://www.ealaddin.com/news/2002/esafe/bugbear.asp\nhttp://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear@mm.html\nhttp://vil.nai.com/vil/content/v_99728.htm\n\nReference : http://online.securityfocus.com/news/1034\nReference : http://support.microsoft.com/default.aspx?scid=KB;en-us;329770&", "modified": "2017-05-15T00:00:00", "published": "2005-11-03T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=11135", "id": "OPENVAS:11135", "title": "Bugbear worm", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: bugbear.nasl 6125 2017-05-15 09:03:42Z teissa $\n# Description: Bugbear worm\n#\n# Authors:\n# Michel Arboi <arboi@alussinan.org>\n# Well, in fact I started from a simple script by Thomas Reinke and \n# heavily hacked every byte of it :-]\n# Script audit and contributions from Carmichael Security <http://www.carmichaelsecurity.com>\n# Erik Anderson <eanders@carmichaelsecurity.com>\n# Added links to the Bugtraq message archive and Microsoft Knowledgebase\n#\n# Copyright:\n# Copyright (C) 2002 Michel Arboi & Thomas Reinke\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"BugBear backdoor is listening on this port. \nA cracker may connect to it to retrieve secret \ninformation, e.g. passwords or credit card numbers...\n\nThe BugBear worm includes a key logger and can kill \nantivirus or personal firewall softwares. It propagates \nitself through email and open Windows shares.\nDepending on the antivirus vendor, it is known as: Tanatos, \nI-Worm.Tanatos, NATOSTA.A, W32/Bugbear-A, Tanatos, W32/Bugbear@MM, \nWORM_BUGBEAR.A, Win32.BugBear...\n\nhttp://www.sophos.com/virusinfo/analyses/w32bugbeara.html\nhttp://www.ealaddin.com/news/2002/esafe/bugbear.asp\nhttp://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear@mm.html\nhttp://vil.nai.com/vil/content/v_99728.htm\n\nReference : http://online.securityfocus.com/news/1034\nReference : http://support.microsoft.com/default.aspx?scid=KB;en-us;329770&\";\n\ntag_solution = \"- Use an Anti-Virus package to remove it.\n- Close your Windows shares\n- Update your IE browser \n See 'Incorrect MIME Header Can Cause IE to Execute E-mail Attachment'\n http://www.microsoft.com/technet/security/bulletin/MS01-020.mspx\";\n\n# There was no information on the BugBear protocol. \n# I found a worm in the wild and found that it replied to the \"p\" command;\n# the data look random but ends with \"ID:\" and a number\n# Thomas Reinke confirmed that his specimen of the worm behaved in the \n# same way. 
\n# We will not provide the full data here because it might contain \n# confidential information.\n# \n# References:\n#\n# Date: Tue, 1 Oct 2002 02:07:29 -0400\n# From:\"Russ\" <Russ.Cooper@RC.ON.CA>\n# Subject: Alert:New worms, be aware of internal infection possibilities\n# To:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM\n\nif(description)\n{\n script_id(11135);\n script_version(\"$Revision: 6125 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-05-15 11:03:42 +0200 (Mon, 15 May 2017) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_xref(name:\"IAVA\", value:\"2001-a-0004\");\n script_bugtraq_id(2524);\n script_cve_id(\"CVE-2001-0154\"); # For MS01-020 - should be changed later\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_name(\"Bugbear worm\");\n \n \n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n \n script_copyright(\"This script is Copyright (C) 2002 Michel Arboi & Thomas Reinke\");\n family = \"Malware\";\n script_family(family);\n script_require_ports(36794);\n script_dependencies(\"find_service.nasl\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n#\ninclude(\"misc_func.inc\");\n\nport = 36794;\n\nif (! get_port_state(port)) exit(0);\nsoc = open_sock_tcp(port);\nif (! 
soc) exit(0);\n\n# We just need to send a 'p' without CR\nsend(socket: soc, data: \"p\");\n# I never saw a buffer bigger than 247 bytes but as the \"ID:\" string is \n# near the end, we'd better use a big buffer, just in case\nr = recv(socket: soc, length: 65536);\nclose(soc);\n\nif (\"ID:\" >< r) {\n security_message(port); \n register_service(port: port, proto: \"bugbear\");\n exit(0); \n}\n\nmsg = \"\nThis port is usually used by the BugBear backdoor.\nAlthough OpenVAS was unable to get an answer from the worm, \nyou'd better check your machine with an up to date \nantivirus scanner.\";\nsecurity_message(port: port, data: msg);\n\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cert": [{"lastseen": "2018-12-25T20:21:15", "bulletinFamily": "info", "description": "### Overview \n\nA vulnerability exists in Microsoft Internet Explorer that allows a malicious agent to execute arbitrary code when parsing MIME parts in a document. Any user or program that uses vulnerable versions of Internet Explorer to render HTML in a document (for example, when browsing a filesystem, reading email or news messages, or visiting a web page), should immediately upgrade to a non-vulnerable version of Internet Explorer.\n\n### Description \n\nInternet Explorer contains a [table](<http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp>) which is used to determine the handling of [MIME](<http://www.ietf.org/rfc/rfc2045.txt>) types encountered in any HTML document (email messages, newsgroup postings, web pages, or local files). This table contains a set of entries that cause Internet Explorer to do the wrong thing with certain MIME parts, introducing a security vulnerability. Specifically, these incorrect entries lead IE to open specific MIME parts without giving the end user the opportunity to say if they should be opened. 
This vulnerability allows an intruder to construct malicious content that, when viewed in Internet Explorer (or any program that uses the IE HTML rendering engine), can execute arbitrary code. It is not necessary to run an attachment; simply viewing the document in a vulnerable program is sufficient.\n\nThe systems affected by this vulnerability include: \n\n\n * All Windows versions of Microsoft Internet Explorer 5.5 SP1 or earlier, except IE 5.01 SP2, running on x86 platforms\n * Any software which utilizes vulnerable versions of Internet Explorer to render HTML\n \nIE 6 is not affected by this issue. \n \nFor more details, see Microsoft Security Bulletin MS01-020 (or Microsoft Knowledgebase article [Q290108](<http://support.microsoft.com/support/kb/articles/Q290/1/08.ASP>)) on this topic at: \n\n\n<http://www.microsoft.com/technet/security/bulletin/MS01-020.asp> \nNote: The above patch has been superseded by the IE 5.5 patches discussed in [MS01-027](<http://www.microsoft.com/technet/security>). On May 15, 2002, Microsoft released a cumulative set of patches for Internet Explorer as discussed in [MS02-023](<http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-023.asp>). \n \nThere have been reports that simply previewing HTML content (as in a mail client or filesystem browser) is sufficient to trigger the vulnerability. \n \nThis vulnerability is now being actively exploited. More information about the activity and remediation can be found in CERT Advisory [CA-2001-26](<http://www.cert.org/advisories/CA-2001-26.html>): Nimda Worm. This vulnerability has been exploited further, as discussed in CERT Incident Note [IN-2002-05](<http://www.cert.org/incident_notes/IN-2002-05.html>). \n--- \n \n### Impact \n\nAttackers can cause arbitrary code to be executed on a victim's system by embedding the code in a malicious email, or news message, or web page. 
\n \n--- \n \n### Solution \n\nUpgrade to IE 6, or apply the patch from Microsoft, available at: \n\n\n<http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp> \nNote: The above patch has been superseded by the IE 5.5 patches discussed in [MS01-027](<http://www.microsoft.com/technet/security>). A cumulative patch for this and other vulnerabilities is discussed in [MS02-023](<http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-023.asp>). \n--- \n \n \nIt has been reported that upgrading to the latest version of Windows Media Player is an additional means to protect yourself from this problem. Although this appears to protect you from a specific way to exploit this vulnerability, we do not believe it is a general purpose fix. Disabling File Downloading in all of your Security Zones will also mitigate against the risks posed by the vulnerability. \n \n--- \n \n### Vendor Information\n\n980499\n\n### __ __ Lotus Software \n\nNotified: March 30, 2001 Updated: April 05, 2001 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n`Notes doesn't use IE to display HTML formatted email.`\n\n`If a user's browser preferences specify Notes with Internet Explorer, then` \n`the version of Internet Explorer that is installed on the user's` \n`workstation is used for browsing. It is launched as an ActiveX component` \n`within Notes, but Notes does not ship any IE code. If Internet Explorer is` \n`chosen as the user's preferred browser, then Notes launches Internet` \n`Explorer in a separate window and opens the link. 
The Notes client does` \n`not need to be upgraded but the user must upgrade their version of Internet` \n`Explorer to prevent against this vulnerability, which they should do` \n`anyway.`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional information at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23980499 Feedback>).\n\n### __ __ Microsoft Corporation \n\nUpdated: July 17, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nPlease see the advisory (MS01-020, \"Incorrect MIME Header Can Cause IE to Execute E-mail Attachment\") related to this issue at:\n\n<http://www.microsoft.com/technet/security/bulletin/MS01-020.asp> \n \nA patch is available for this issue at: \n<http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp> \n \nNote: The above patch has been superseded by the IE 5.5 patches discussed in [MS01-027](<http://www.microsoft.com/technet/security>). A cumulative patch for this and other vulnerabilities is discussed in [MS02-023](<http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-023.asp>). \n \nIE 6 is not vulnerable to this issue.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nAs noted in the MS01-020 Caveats section of the advisory, end users must apply this patch to supported versions of Microsoft's browser. This means IE must be upgraded to IE 5.01 Service Pack 1 or IE 5.5 Service Pack 1 before users can apply this patch. Users of IE who have not previously upgraded will receive an incorrect message stating that they do not need to apply this patch. Users are advised to upgrade to IE 5.5 SP1, IE 5.01 SP1 or SP2 (which has this patch incorporated in it). 
\n \nFrom MS01-020: \n \n`Caveats: \nIf the patch is installed on a system running a version of IE other \nthan the one it is designed for, an error message will be displayed \nsaying that the patch is not needed. This message is incorrect, and \ncustomers who see this message should upgrade to a supported version \nof IE and re-install the patches.`\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23980499 Feedback>).\n\n### __ __ Cyrusoft \n\nNotified: March 30, 2001 Updated: March 30, 2001 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\n`Mulberry does not use Internet Explorer to render HTML within Mulberry \nitself and is not vulnerable to these kinds of problems. Users can save \nHTML attachments to disk and then view those in browsers susceptible to \nthis problem, but this requires the direct intervention of the user to \nexplicitly save to disk - simply viewing HTML in Mulberry does not expose \nusers to these kinds of problems. \n`\n\n`Our HTML rendering is a basic styled-text only renderer that does not \nexecute any form of scripts. This is true on all the platforms we support: \nWin32, Mac OS (Classic & X), Solaris, linux. 
\n` \n`An official statement about this is available on our website at: \n` \n`<``<http://www.cyrusoft.com/mulberry/htmlsecurity.html>``> \n`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23980499 Feedback>).\n\n### __ __ Netscape Communications Corporation \n\nNotified: March 30, 2001 Updated: April 12, 2001 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nWe have concluded that the bug, as described below, does NOT affect Netscape clients 4.x and 6.x for the following two reasons:\n\n 1. We ALWAYS verify that the user wants to open/launch the attachment with a link. The user must click this link to view/launch the attachment.\n 2. Also, we ALWAYS stay true to the MIME type given. Therefore, if someone sent a malicious .exe file, and manually changed the MIME type to image/gif, Netscape would open the file as a gif. The result would be garbled binary code.\n \nAs a result of our forced check for user authorization (bullet #1) we assume that the bug in question does not affect us. 
\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23980499 Feedback>).\n\n### __ __ Opera Software \n\nNotified: March 30, 2001 Updated: April 02, 2001 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nOpera does not use Internet Explorer or any other external software to render html.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23980499 Feedback>).\n\n### __ __ QUALCOMM \n\nNotified: March 30, 2001 Updated: March 30, 2001 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nIt is unclear at this time what impact, if any, this vulnerability has on Eudora clients.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23980499 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n * <http://www.microsoft.com/technet/security/bulletin/MS01-020.asp>\n * <http://www.microsoft.com/technet/security/bulletin/MS01-027.asp>\n * <http://support.microsoft.com/support/kb/articles/Q299/6/18.ASP>\n * <http://support.microsoft.com/support/kb/articles/Q290/1/08.ASP>\n * <http://www.kriptopolis.com/>\n * 
<http://www.faqs.org/rfcs/rfc2387.html>\n * <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0154>\n * <http://www.securityfocus.com/bid/2524>\n * <http://www.securitytracker.com/alerts/2001/Mar/1001197.html>\n * <http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp>\n * <http://www.ietf.org/rfc/rfc2045.txt>\n\n### Credit\n\nMicrosoft has acknowledged Juan Carlos Cuartango as bringing this issue to their attention. \n\nThis document was written by Jeffrey S. Havrilla and Shawn V. Hernan. \n\n### Other Information\n\n**CVE IDs:** | [CVE-2001-0154](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0154>) \n---|--- \n**CERT Advisory:** | [CA-2001-06](<http://www.cert.org/advisories/CA-2001-06.html>) \n**Severity Metric:** | 60.75 \n**Date Public:** | 2001-03-29 \n**Date First Published:** | 2001-03-31 \n**Date Last Updated:** | 2004-03-05 16:37 UTC \n**Document Revision:** | 40 \n", "modified": "2004-03-05T16:37:00", "published": "2001-03-31T00:00:00", "id": "VU:980499", "href": "https://www.kb.cert.org/vuls/id/980499", "type": "cert", "title": "Certain MIME types can cause Internet Explorer to execute arbitrary code when rendering HTML", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-01-16T20:05:17", "bulletinFamily": "scanner", "description": "The BugBear backdoor is listening on this port. An attacker may\nconnect to it to retrieve secret information such as passwords,\ncredit card numbers, etc.\n\nThe BugBear worm includes a keylogger and can kill antivirus and\nfirewall software. 
It propagates through email and open Windows\nshares.\n\nDepending on the antivirus vendor, it is known as Tanatos,\nI-Worm.Tanatos, NATOSTA.A, W32/Bugbear-A, Tanatos, W32/Bugbear@MM,\nWORM_BUGBEAR.A, Win32.BugBear...", "modified": "2018-11-15T00:00:00", "published": "2002-10-03T00:00:00", "id": "BUGBEAR.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=11135", "title": "Bugbear Worm Detection", "type": "nessus", "sourceData": "#\n# This script was written by Michel Arboi <arboi@alussinan.org>\n# Well, in fact I started from a simple script by Thomas Reinke and\n# heavily hacked every byte of it :-]\n#\n# Script audit and contributions from Carmichael Security\n# Erik Anderson <eanders@carmichaelsecurity.com> (nb: this domain no longer exists)\n# Added links to the Bugtraq message archive and Microsoft Knowledgebase\n#\n# There was no information on the BugBear protocol.\n# I found a worm in the wild and found that it replied to the \"p\" command;\n# the data look random but ends with \"ID:\" and a number\n# Thomas Reinke confirmed that his specimen of the worm behaved in the\n# same way.\n# We will not provide the full data here because it might contain\n# confidential information.\n#\n# References:\n#\n# Date: Tue, 1 Oct 2002 02:07:29 -0400\n# From:\"Russ\" <Russ.Cooper@RC.ON.CA>\n# Subject: Alert:New worms, be aware of internal infection possibilities\n# To:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM\n#\n\n# Changes by Tenable:\n# - Revised plugin title (12/28/10)\n# - Add MSKB script_xref (8/29/17)\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(11135);\n script_version(\"1.37\");\n script_cvs_date(\"Date: 2018/11/15 20:50:16\");\n\n script_cve_id(\"CVE-2001-0154\"); # For MS01-020 - should be changed later\n script_bugtraq_id(2524);\n script_xref(name:\"MSFT\", value:\"MS01-020\");\n script_xref(name:\"MSKB\", value:\"290108\");\n script_xref(name:\"MSKB\", value:\"329770\");\n\n script_name(english:\"Bugbear Worm Detection\");\n 
script_summary(english:\"Detect Bugbear worm\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has been compromised.\");\n script_set_attribute(attribute:\"description\", value:\n\"The BugBear backdoor is listening on this port. An attacker may\nconnect to it to retrieve secret information such as passwords,\ncredit card numbers, etc.\n\nThe BugBear worm includes a keylogger and can kill antivirus and\nfirewall software. It propagates through email and open Windows\nshares.\n\nDepending on the antivirus vendor, it is known as Tanatos,\nI-Worm.Tanatos, NATOSTA.A, W32/Bugbear-A, Tanatos, W32/Bugbear@MM,\nWORM_BUGBEAR.A, Win32.BugBear...\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.sophos.com/en-us/search-results.aspx?search=w32bugbeara&refine=7edf01e4de3c4c8791a56ba6ce685d09\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?db7425b2\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?45f1d49b\");\n script_set_attribute(attribute:\"see_also\", value:\"http://vil.nai.com/vil/content/v_99728.htm\");\n script_set_attribute(attribute:\"see_also\", value:\"http://support.microsoft.com/default.aspx?scid=KB;en-us;329770&\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2001/ms01-020\");\n script_set_attribute(attribute:\"solution\", value:\n\"- Use an Antivirus package to remove it.\n- Close your Windows shares\n- Update your IE browser\n See 'Incorrect MIME Header Can Cause IE to Execute E-mail Attachment'\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", 
value:\"2001/03/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2002/10/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2002-2018 Michel Arboi & Thomas Reinke\");\n script_family(english:\"Backdoors\");\n script_require_ports(36794);\n script_dependencies(\"find_service1.nasl\");\n exit(0);\n}\n\n#\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nport = 36794;\n\nif (! get_port_state(port)) exit(0);\nsoc = open_sock_tcp(port);\nif (! soc) exit(0);\n\n# We just need to send a 'p' without CR\nsend(socket: soc, data: \"p\");\n# I never saw a buffer bigger than 247 bytes but as the \"ID:\" string is\n# near the end, we'd better use a big buffer, just in case\nr = recv(socket: soc, length: 65536);\nclose(soc);\n\nif (\"ID:\" >< r) {\n security_hole(port);\n register_service(port: port, proto: \"bugbear\");\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}