ID CVE-2001-0154 Type cve Reporter NVD Modified 2018-10-12T17:30:14
Description
HTML e-mail feature in Internet Explorer 5.5 and earlier allows attackers to execute attachments by setting an unusual MIME type for the attachment, which Internet Explorer does not process correctly.
{"id": "CVE-2001-0154", "bulletinFamily": "NVD", "title": "CVE-2001-0154", "description": "HTML e-mail feature in Internet Explorer 5.5 and earlier allows attackers to execute attachments by setting an unusual MIME type for the attachment, which Internet Explorer does not process correctly.", "published": "2001-05-03T00:00:00", "modified": "2018-10-12T17:30:14", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0154", "reporter": "NVD", "references": ["http://www.cert.org/advisories/CA-2001-06.html", "http://securitytracker.com/id?1001197", "https://exchange.xforce.ibmcloud.com/vulnerabilities/6306", "http://www.securityfocus.com/bid/2524", "http://www.ciac.org/ciac/bulletins/l-066.shtml", "http://marc.info/?l=bugtraq&m=98596775905044&w=2", "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2001/ms01-020"], "cvelist": ["CVE-2001-0154"], "type": "cve", "lastseen": "2018-10-13T12:03:33", "history": [{"bulletin": {"assessment": {"href": "http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:141", "name": "oval:org.mitre.oval:def:141", "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}, "bulletinFamily": "NVD", "cpe": ["cpe:/a:microsoft:ie:5.5", "cpe:/a:microsoft:ie:5.01"], "cvelist": ["CVE-2001-0154"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "HTML e-mail feature in Internet Explorer 5.5 and earlier allows attackers to execute attachments by setting an unusual MIME type for the attachment, which Internet Explorer does not process correctly.", "edition": 2, "enchantments": {}, "hash": "c5ae80886cd58ff9bc94a8f6a806ee1f823a3d441978aad31f3ede8fcd5028d4", "hashmap": [{"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "aa5fb645bbad12211b20ebfc351cb090", "key": "modified"}, {"hash": "11f54a954318df8cf18907285d7d488e", "key": "cpe"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "ab997b4408db2a44f9b4aa2534cb70f2", "key": "title"}, {"hash": "8636a29e0b2bd1ecec16ccc82cdbfe59", "key": "cvelist"}, {"hash": "5aa78f8279ded8c54ff71c4a525529e4", "key": "href"}, {"hash": "1146001a7d01649401195721d829b0ee", "key": "published"}, {"hash": "4f9bf2cd16032538f20d53c9ca07ad28", "key": "assessment"}, {"hash": "d3576c93676f8916921a52c3379b7c86", "key": "scanner"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "5cd3fcff48c10eeaabbae578fc1f6447", "key": "references"}, {"hash": "8334c5a5032e9978f4e0e8e67982767a", "key": "description"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0154", "id": "CVE-2001-0154", "lastseen": "2017-04-18T15:49:27", "modified": "2016-10-17T22:10:03", "objectVersion": "1.2", "published": "2001-05-03T00:00:00", "references": ["http://xforce.iss.net/xforce/xfdb/6306", "http://www.cert.org/advisories/CA-2001-06.html", "http://www.microsoft.com/technet/security/bulletin/MS01-020.asp", "http://securitytracker.com/id?1001197", "http://www.securityfocus.com/bid/2524", "http://www.ciac.org/ciac/bulletins/l-066.shtml", "http://marc.info/?l=bugtraq&m=98596775905044&w=2"], "reporter": "NVD", "scanner": [{"href": "http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:141", "name": "oval:org.mitre.oval:def:141", "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}], "title": "CVE-2001-0154", "type": "cve", "viewCount": 4}, "differentElements": ["references", "assessment", "modified"], "edition": 2, "lastseen": "2017-04-18T15:49:27"}, {"bulletin": {"assessment": {"href": "http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:141", "name": "oval:org.mitre.oval:def:141", "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}, "bulletinFamily": "NVD", "cpe": ["cpe:/a:microsoft:ie:5.5", "cpe:/a:microsoft:ie:5.01"], "cvelist": ["CVE-2001-0154"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "HTML e-mail feature in Internet Explorer 5.5 and earlier allows attackers to execute attachments by setting an unusual MIME type for the attachment, which Internet Explorer does not process correctly.", "edition": 1, "hash": "7cad93f24f41e03a0ccf986edfe40c811922b7252ed1bc3ee4a198c0272a2828", "hashmap": [{"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "11f54a954318df8cf18907285d7d488e", "key": "cpe"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "ab997b4408db2a44f9b4aa2534cb70f2", "key": "title"}, {"hash": "8636a29e0b2bd1ecec16ccc82cdbfe59", "key": "cvelist"}, {"hash": "5aa78f8279ded8c54ff71c4a525529e4", "key": "href"}, {"hash": "1146001a7d01649401195721d829b0ee", "key": "published"}, {"hash": "4f9bf2cd16032538f20d53c9ca07ad28", "key": "assessment"}, {"hash": "d3576c93676f8916921a52c3379b7c86", "key": "scanner"}, {"hash": "4ff560b7fcb997e3c63eab28bacbd2c5", "key": "modified"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "8334c5a5032e9978f4e0e8e67982767a", "key": "description"}, {"hash": "36493a79337cb9f9f3fbd7a52b4cdeac", "key": "references"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0154", "id": "CVE-2001-0154", "lastseen": "2016-09-03T02:53:52", "modified": "2008-09-05T16:23:24", "objectVersion": "1.2", "published": "2001-05-03T00:00:00", "references": ["http://xforce.iss.net/xforce/xfdb/6306", "http://www.cert.org/advisories/CA-2001-06.html", "http://www.microsoft.com/technet/security/bulletin/MS01-020.asp", "http://securitytracker.com/id?1001197", "http://www.securityfocus.com/bid/2524", "http://www.ciac.org/ciac/bulletins/l-066.shtml", "http://marc.theaimsgroup.com/?l=bugtraq&m=98596775905044&w=2"], "reporter": "NVD", "scanner": [{"href": "http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:141", "name": "oval:org.mitre.oval:def:141", "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}], "title": "CVE-2001-0154", "type": "cve", "viewCount": 3}, "differentElements": ["references", "modified"], "edition": 1, "lastseen": "2016-09-03T02:53:52"}, {"bulletin": {"assessment": {"href": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A141", "name": "oval:org.mitre.oval:def:141", "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}, "bulletinFamily": "NVD", "cpe": ["cpe:/a:microsoft:ie:5.5", "cpe:/a:microsoft:ie:5.01"], "cvelist": ["CVE-2001-0154"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "HTML e-mail feature in Internet Explorer 5.5 and earlier allows attackers to execute attachments by setting an unusual MIME type for the attachment, which Internet Explorer does not process correctly.", "edition": 3, "enchantments": {"score": {"modified": "2017-10-10T10:34:41", "value": 7.5, "vector": "NONE"}}, "hash": "affd6e831f75567944a18e2122cea69f5d431db5558115946a976e92427b6a0f", "hashmap": [{"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "11f54a954318df8cf18907285d7d488e", "key": "cpe"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "ab997b4408db2a44f9b4aa2534cb70f2", "key": "title"}, {"hash": "8636a29e0b2bd1ecec16ccc82cdbfe59", "key": "cvelist"}, {"hash": "5aa78f8279ded8c54ff71c4a525529e4", "key": "href"}, {"hash": "238c256f8a338e4bb29299df2494a65e", "key": "references"}, {"hash": "1146001a7d01649401195721d829b0ee", "key": "published"}, {"hash": "d3576c93676f8916921a52c3379b7c86", "key": "scanner"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "19e6229eac06b8857fbb766bfe70d68a", "key": "modified"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "c4401ae50fa92fb9af66709bae3ce365", "key": "assessment"}, {"hash": "8334c5a5032e9978f4e0e8e67982767a", "key": "description"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0154", "id": "CVE-2001-0154", "lastseen": "2017-10-10T10:34:41", "modified": "2017-10-09T21:29:37", "objectVersion": "1.3", "published": "2001-05-03T00:00:00", "references": ["http://www.cert.org/advisories/CA-2001-06.html", "http://www.microsoft.com/technet/security/bulletin/MS01-020.asp", "http://securitytracker.com/id?1001197", "https://exchange.xforce.ibmcloud.com/vulnerabilities/6306", "http://www.securityfocus.com/bid/2524", "http://www.ciac.org/ciac/bulletins/l-066.shtml", "http://marc.info/?l=bugtraq&m=98596775905044&w=2"], "reporter": "NVD", "scanner": [{"href": "http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:141", "name": "oval:org.mitre.oval:def:141", "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}], "title": "CVE-2001-0154", "type": "cve", "viewCount": 4}, "differentElements": ["references", "modified"], "edition": 3, "lastseen": "2017-10-10T10:34:41"}], "edition": 4, "hashmap": [{"key": "assessment", "hash": "c4401ae50fa92fb9af66709bae3ce365"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "11f54a954318df8cf18907285d7d488e"}, {"key": "cvelist", "hash": "8636a29e0b2bd1ecec16ccc82cdbfe59"}, {"key": "cvss", "hash": "e5d275b3ebd62646b78320753699e02e"}, {"key": "description", "hash": "8334c5a5032e9978f4e0e8e67982767a"}, {"key": "href", "hash": "5aa78f8279ded8c54ff71c4a525529e4"}, {"key": "modified", "hash": "d207579d4cb25588f79e0e3eb018886b"}, {"key": "published", "hash": "1146001a7d01649401195721d829b0ee"}, {"key": "references", "hash": "8de40672f63b31250338c69c59a4d35c"}, {"key": "reporter", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "scanner", "hash": "d3576c93676f8916921a52c3379b7c86"}, {"key": "title", "hash": "ab997b4408db2a44f9b4aa2534cb70f2"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "9a618f2d982aa5d91cf63262921369f241555cccb6062a1ab71dedb767eaee42", "viewCount": 4, "enchantments": {"score": {"value": 7.5, "vector": "NONE", "modified": "2018-10-13T12:03:33"}, "vulnersScore": 7.5}, "objectVersion": "1.3", "cpe": ["cpe:/a:microsoft:ie:5.5", "cpe:/a:microsoft:ie:5.01"], "assessment": {"href": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A141", "name": "oval:org.mitre.oval:def:141", "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}, "scanner": [{"href": "http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:141", "name": "oval:org.mitre.oval:def:141", "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}]}
{"cert": [{"lastseen": "2018-08-31T02:38:03", "references": ["http://www.microsoft.com/technet/security", "http://www.microsoft.com/technet/security", "http://www.cert.org/incident_notes/IN-2002-05.html", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0154", "http://www.kriptopolis.com/", "http://support.microsoft.com/support/kb/articles/Q299/6/18.ASP", "http://www.ietf.org/rfc/rfc2045.txt", "http://www.ietf.org/rfc/rfc2045.txt", "http://www.microsoft.com/technet/security/bulletin/MS01-027.asp", "http://support.microsoft.com/support/kb/articles/Q290/1/08.ASP", "http://support.microsoft.com/support/kb/articles/Q290/1/08.ASP", "http://www.cert.org/advisories/CA-2001-06.html", "http://www.cert.org/advisories/CA-2001-06.html", "http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp", "http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0154", "http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-023.asp", "http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-023.asp", "http://www.microsoft.com/technet/security/bulletin/MS01-020.asp", "http://www.microsoft.com/technet/security/bulletin/MS01-020.asp", "http://www.cert.org/advisories/CA-2001-26.html", "http://www.cert.org/advisories/CA-2001-26.html", "http://www.securitytracker.com/alerts/2001/Mar/1001197.html", "http://www.faqs.org/rfcs/rfc2387.html", "http://www.securityfocus.com/bid/2524", "http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp"], "description": "### Overview\n\nA vulnerability exists in Microsoft Internet Explorer that allows a malicious agent to execute arbitrary code when parsing MIME parts in a document. Any user or program that uses vulnerable versions of Internet Explorer to render HTML in a document (for example, when browsing a filesystem, reading email or news messages, or visiting a web page), should immediately upgrade to a non-vulnerable version of Internet Explorer.\n\n### Description\n\nInternet Explorer contains a [table](<http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp>) which is used to determine the handling of [MIME](<http://www.ietf.org/rfc/rfc2045.txt>) types encountered in any HTML document (email messages, newsgroup postings, web pages, or local files). This table contains a set of entries that cause Internet Explorer to do the wrong thing with certain MIME parts, introducing a security vulnerability. Specifically, these incorrect entries lead IE to open specific MIME parts without giving the end user the opportunity to say if they should be opened. This vulnerability allows an intruder to construct a malicious content that, when viewed in Internet Explorer (or any program that uses the IE HTML rendering engine) can execute arbitrary code. It is not necessary to run an attachment; simply viewing the document in a vulnerable program is sufficient. \n\nThe systems affected by this vulnerability include: \n\n\n * All Windows versions of Microsoft Internet Explorer 5.5 SP1 or earlier, except IE 5.01 SP2, running on x86 platforms \n * Any software which utilizes vulnerable versions of Internet Explorer to render HTML\n \nIE 6 is not affected by this issue. \n \nFor more details, see Microsoft Security Bulletin MS01-020 (or Microsoft Knowledgebase article [Q290108](<http://support.microsoft.com/support/kb/articles/Q290/1/08.ASP>)) on this topic at: \n\n\n<http://www.microsoft.com/technet/security/bulletin/MS01-020.asp> \nNote: The above patch has been superseded by the IE 5.5 patches discussed in [MS01-027](<http://www.microsoft.com/technet/security>). On May 15, 2002, Microsoft released a cumulative set of patches for Internet Explorer as discussed in [MS02-023](<http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-023.asp>). \n \nThere have been reports that simply previewing HTML content (as in a mail client or filesystem browser) is sufficient to trigger the vulnerability. \n \nThis vulnerability is now being actively exploited. More information about the activity and remediation can be found in CERT Advisory [CA-2001-26](<http://www.cert.org/advisories/CA-2001-26.html>): Nimda Worm. This vulnerability has been exploited further, as discussed in CERT Incident Note [IN-2002-05](<http://www.cert.org/incident_notes/IN-2002-05.html>). \n \n--- \n \n### Impact\n\nAttackers can cause arbitrary code to be executed on a victim's system by embedding the code in a malicious email, or news message, or web page. \n \n--- \n \n### Solution\n\nUpgrade to IE 6, or apply the patch from Microsoft, available at: \n\n\n<http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp> \nNote: The above patch has been superseded by the IE 5.5 patches discussed in [MS01-027](<http://www.microsoft.com/technet/security>). A cumulative patch for this and other vulnerabilities is discussed in [MS02-023](<http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-023.asp>). \n \n--- \n \n \nIt has been reported that upgrading to the latest version of Windows Media Player is an additional means to protect yourself from this problem. Although this appears to protect you from a specific way to exploit this vulnerability, we do not believe it is a general purpose fix. Disabling File Downloading in all of your Security Zones will also mitigate against the risks posed by the vulnerability. \n \n--- \n \n### Systems Affected \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nLotus Software| | 30 Mar 2001| 05 Apr 2001 \nMicrosoft Corporation| | -| 17 Jul 2002 \nCyrusoft| | 30 Mar 2001| 30 Mar 2001 \nNetscape Communications Corporation| | 30 Mar 2001| 12 Apr 2001 \nOpera Software| | 30 Mar 2001| 02 Apr 2001 \nQUALCOMM| | 30 Mar 2001| 30 Mar 2001 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23980499 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | N/A | N/A \n \n### References\n\n * <http://www.cert.org/advisories/CA-2001-06.html>\n * <http://www.cert.org/advisories/CA-2001-26.html>\n * <http://www.microsoft.com/technet/security/bulletin/MS01-020.asp>\n * <http://www.microsoft.com/technet/security/bulletin/MS01-027.asp>\n * <http://support.microsoft.com/support/kb/articles/Q299/6/18.ASP>\n * <http://support.microsoft.com/support/kb/articles/Q290/1/08.ASP>\n * <http://www.kriptopolis.com/>\n * <http://www.faqs.org/rfcs/rfc2387.html>\n * <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0154>\n * <http://www.securityfocus.com/bid/2524>\n * <http://www.securitytracker.com/alerts/2001/Mar/1001197.html>\n * <http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp>\n * <http://www.ietf.org/rfc/rfc2045.txt>\n\n### Credit\n\nMicrosoft has acknowledged Juan Carlos Cuartango as bringing this issue to their attention.\n\nThis document was written by Jeffrey S. Havrilla and Shawn V. Hernan. \n\n### Other Information\n\n * CVE IDs: [CVE-2001-0154](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0154>)\n * CERT Advisory: [CA-2001-06](<http://www.cert.org/advisories/CA-2001-06.html>)\n * Date Public: 29 Mar 2001\n * Date First Published: 30 Mar 2001\n * Date Last Updated: 05 Mar 2004\n * Severity Metric: 60.75\n * Document Revision: 40\n\n", "edition": 4, "reporter": "CERT", "published": "2001-03-30T00:00:00", "title": "Certain MIME types can cause Internet Explorer to execute arbitrary code when rendering HTML", "type": "cert", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "bulletinFamily": "info", "cvelist": ["CVE-2001-0154", "CVE-2001-0154", "CVE-2001-0154"], "modified": "2004-03-05T00:00:00", "id": "VU:980499", "href": "https://www.kb.cert.org/vuls/id/980499", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:02", "references": [], "edition": 1, "description": "# No description provided by the source\n\n## References:\nMicrosoft Security Bulletin: MS01-020\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-04/0016.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-03/0474.html\nISS X-Force ID: 6306\n[CVE-2001-0154](https://vulners.com/cve/CVE-2001-0154)\nCIAC Advisory: l-066\nCERT VU: 980499\nCERT: CA-2001-06\nBugtraq ID: 2524\n", "reporter": "OSVDB", "published": "2001-03-30T00:00:00", "title": "Microsoft IE HTML E-mail Feature Unusual MIME Type Command Execution", "type": "osvdb", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2001-0154"], "modified": "2001-03-30T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:7806", "id": "OSVDB:7806", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:04", "references": [], "description": "\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\n\r\nCERT Advisory CA-2001-06 Automatic Execution of Embedded MIME Types\r\n\r\n Original release date: April 03, 2001\r\n Last revised: --\r\n Source: CERT/CC\r\n\r\n A complete revision history can be found at the end of this file.\r\n\r\nSystems Affected\r\n\r\n * All versions of Microsoft Internet Explorer 5.5 SP1 or earlier,\r\n except IE 5.01 SP2\r\n * Any software which utilizes vulnerable versions of Internet\r\n Explorer to render HTML\r\n\r\nOverview\r\n\r\n Microsoft Internet Explorer has a vulnerability triggered when parsing\r\n MIME parts in a document that allows a malicious agent to execute\r\n arbitrary code. Any user or program that uses vulnerable versions of\r\n Internet Explorer to render HTML in a document (for example, when\r\n browsing a filesystem, reading email or news messages, or visiting a\r\n web page), should immediately upgrade to a non-vulnerable version of\r\n Internet Explorer.\r\n\r\nI. Description\r\n\r\n There exists in Internet Explorer a table which is used to determine\r\n how IE handles MIME types when it encounters MIME parts in any type of\r\n HTML document, be it email message, newsgroup posting, web page, or\r\n local file. This table contains a set of entries that cause Internet\r\n Explorer to open the MIME part without giving the end user the\r\n opportunity to decide if the MIME part should be opened. This\r\n vulnerability allows an intruder to construct malicious content that,\r\n when viewed in Internet Explorer (or any program that uses the IE HTML\r\n rendering engine), can execute arbitrary code. It is not necessary to\r\n run an attachment; simply viewing the document in a vulnerable program\r\n is sufficient to execute arbitrary code.\r\n\r\n For more details, see Microsoft Security Bulletin MS01-020 on this\r\n topic at:\r\n\r\n http://www.microsoft.com/technet/security/bulletin/MS01-020.asp\r\n\r\n There have been reports that simply previewing HTML content (as in a\r\n mail client or filesystem browser) is sufficient to trigger the\r\n vulnerability. The impact of viewing malicious code in this manner is\r\n being evaluated.\r\n\r\n The CERT/CC is currently unaware of any reports of this vulnerability\r\n being used to successfully attack a system. Demonstration code\r\n exploiting this vulnerability has been published in several public\r\n forums. This vulnerability is being referenced in CVE as CAN-2001-0154\r\n and by the CERT/CC as VU#980499.\r\n\r\nII. Impact\r\n\r\n Attackers can cause arbitrary code to be executed on a victim's system\r\n by embedding the code in a malicious email, or news message, or web\r\n page.\r\n\r\nIII. Solution\r\n\r\nApply the patch from Microsoft\r\n\r\n Apply the patch from Microsoft, available at:\r\n\r\n http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp\r\n\r\n As noted in the 'Caveats' section of the Microsoft advisory, end users\r\n must apply this patch to supported versions of Microsoft's browser.\r\n This means IE must be upgraded to IE 5.01 Service Pack 1 or IE 5.5\r\n Service Pack 1 before users can apply this patch. Users who have not\r\n previously upgraded will incorrectly receive a message stating that\r\n they do not need to apply this patch, even though they are vulnerable.\r\n Users are advised to upgrade to IE 5.5 SP1, IE 5.01 SP1 or SP2 (which\r\n has this patch incorporated in it) and apply the appropriate patch.\r\n\r\n An excerpt from MS01-020:\r\n\r\n Caveats:\r\n If the patch is installed on a system running a version of IE other\r\n than the one it is designed for, an error message will be displayed\r\n saying that the patch is not needed. This message is incorrect, and\r\n customers who see this message should upgrade to a supported version\r\n of IE and re-install the patches.\r\n\r\nAppendix A. - Vendor Information\r\n\r\n This appendix contains information provided by vendors for this\r\n advisory. When vendors report new information to the CERT/CC, we\r\n update this section and note the changes in our revision history. If a\r\n particular vendor is not listed below, we have not received their\r\n comments.\r\n\r\n\r\nCyrusoft International, Inc.\r\n\r\n Mulberry does not use Internet Explorer to render HTML within Mulberry\r\n itself and is not vulnerable to these kinds of problems. Users can\r\n save HTML attachments to disk and then view those in browsers\r\n susceptible to this problem, but this requires the direct intervention\r\n of the user to explicitly save to disk - simply viewing HTML in\r\n Mulberry does not expose users to these kinds of problems.\r\n\r\n Our HTML rendering is a basic styled-text only renderer that does not\r\n execute any form of scripts. This is true on all the platforms we\r\n support: Win32, Mac OS (Classic & X), Solaris, linux.\r\n\r\n An official statement about this is available on our website at:\r\n\r\n http://www.cyrusoft.com/mulberry/htmlsecurity.html\r\n\r\n\r\nLotus Development Corporation\r\n\r\n Notes does not use IE to render HTML-formatted mail messages.\r\n\r\n\r\nMicrosoft Corporation\r\n\r\n Please see the advisory (MS01-020, "Incorrect MIME Header Can Cause IE\r\n to Execute E-mail Attachment") related to this issue at:\r\n\r\n http://www.microsoft.com/technet/security/bulletin/MS01-020.asp\r\n\r\n A patch is available for this issue at:\r\n\r\n http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp\r\n\r\n\r\nNetscape Communications Corporation\r\n\r\n Netscape is currently investigating the impact this vulnerability, if\r\n any, has on users of the Netscape browser.\r\n\r\n\r\nOpera Software\r\n\r\n Opera does not use Internet Explorer or any other external software to\r\n render HTML.\r\n\r\n\r\nQUALCOMM Incorporated\r\n\r\n It is unclear at this time what impact, if any, this vulnerability has\r\n on Eudora clients.\r\n\r\n\r\nAppendix B. - References\r\n\r\n 1. Havrilla, J., and Hernan, S., "CERT Vulnerability Note VU#980499:\r\n Certain MIME types can cause Internet Explorer to execute\r\n arbitrary code when rendering HTML", March 2001.\r\n https://www.kb.cert.org/vuls/id/980499\r\n _________________________________________________________________\r\n\r\n Microsoft has acknowledged Juan Carlos Cuartango for bringing this\r\n issue to their attention.\r\n\r\n This document was written by Jeffrey S. Havrilla and Shawn V. Hernan.\r\n If you have feedback, comments, or additional information about this\r\n issue, please send us email.\r\n ______________________________________________________________________\r\n \r\n This document is available from:\r\n http://www.cert.org/advisories/CA-2001-06.html\r\n ______________________________________________________________________\r\n\r\nCERT/CC Contact Information\r\n\r\n Email: cert@cert.org\r\n Phone: +1 412-268-7090 (24-hour hotline)\r\n Fax: +1 412-268-6989\r\n Postal address:\r\n CERT Coordination Center\r\n Software Engineering Institute\r\n Carnegie Mellon University\r\n Pittsburgh PA 15213-3890\r\n U.S.A.\r\n\r\n CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)\r\n Monday through Friday; they are on call for emergencies during other\r\n hours, on U.S. holidays, and on weekends.\r\n\r\nUsing encryption\r\n\r\n We strongly urge you to encrypt sensitive information sent by email.\r\n Our public PGP key is available from\r\n\r\n http://www.cert.org/CERT_PGP.key\r\n\r\n If you prefer to use DES, please call the CERT hotline for more\r\n information.\r\n\r\nGetting security information\r\n\r\n CERT publications and other security information are available from\r\n our web site\r\n\r\n http://www.cert.org/\r\n\r\n To subscribe to the CERT mailing list for advisories and bulletins,\r\n send email to majordomo@cert.org. Please include in the body of your\r\n message\r\n\r\n subscribe cert-advisory\r\n\r\n * "CERT" and "CERT Coordination Center" are registered in the U.S.\r\n Patent and Trademark Office.\r\n ______________________________________________________________________\r\n\r\n NO WARRANTY\r\n Any material furnished by Carnegie Mellon University and the Software\r\n Engineering Institute is furnished on an "as is" basis. Carnegie\r\n Mellon University makes no warranties of any kind, either expressed or\r\n implied as to any matter including, but not limited to, warranty of\r\n fitness for a particular purpose or merchantability, exclusivity or\r\n results obtained from use of the material. Carnegie Mellon University\r\n does not make any warranty of any kind with respect to freedom from\r\n patent, trademark, or copyright infringement.\r\n _________________________________________________________________\r\n\r\n Conditions for use, disclaimers, and sponsorship information\r\n\r\n Copyright 2001 Carnegie Mellon University.\r\n\r\n Revision History\r\nApril 03, 2001: Initial release\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: PGP for Personal Privacy 5.0\r\nCharset: noconv\r\n\r\niQCVAwUBOsoNNQYcfu8gsZJZAQFd3gQAkCKdIcdKJ/gaii0odrJdM/jlZUv7MYYf\r\nR8LUHkV1dUTxEI/SRrKtAoEsf/UVVgZI4PGBB/pyptkmSv2axMWf4AD1Ubful712\r\nojVaHG7hJuV5RNiw2yE/R4AoWZ5GbdaQByYWpCB+OfwNzsz/7MYibjI6xUtvqRvV\r\nJxYMB6q5TqM=\r\n=B0Bv\r\n-----END PGP SIGNATURE-----", "edition": 1, "reporter": "Securityvulns", "published": "2001-04-04T00:00:00", "title": "Advisory CA-2001-06", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:04", "vector": "NONE", "value": 9.3}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2001-0154"], "modified": "2001-04-04T00:00:00", "id": "SECURITYVULNS:DOC:1460", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:1460", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2018-10-22T16:31:15", "references": ["http://vil.nai.com/vil/content/v_99728.htm", "http://online.securityfocus.com/news/1034", "http://www.microsoft.com/technet/security/bulletin/MS01-020.mspx", "http://www.ealaddin.com/news/2002/esafe/bugbear.asp", "2001-a-0004", "http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear@mm.html", "http://www.sophos.com/virusinfo/analyses/w32bugbeara.html", "http://support.microsoft.com/default.aspx?scid=KB;en-us;329770&"], "pluginID": "136141256231011135", "description": "BugBear backdoor is listening on this port.\nA cracker may connect to it to retrieve secret\ninformation, e.g. passwords or credit card numbers...\n\nThe BugBear worm includes a key logger and can kill\nantivirus or personal firewall software. It propagates\nitself through email and open Windows shares.\nDepending on the antivirus vendor, it is known as: Tanatos,\nI-Worm.Tanatos, NATOSTA.A, W32/Bugbear-A, Tanatos, W32/Bugbear@MM,\nWORM_BUGBEAR.A, Win32.BugBear...", "edition": 6, "reporter": "This script is Copyright (C) 2002 Michel Arboi & Thomas Reinke", "published": "2005-11-03T00:00:00", "title": "Bugbear worm", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Malware", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-0154"], "modified": "2018-10-12T00:00:00", "id": "OPENVAS:136141256231011135", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231011135", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: bugbear.nasl 11885 2018-10-12 13:47:20Z cfischer $\n# Description: Bugbear worm\n#\n# Authors:\n# Michel Arboi <arboi@alussinan.org>\n# Well, in fact I started from a simple script by Thomas Reinke and\n# heavily hacked every byte of it :-]\n# Script audit and contributions from Carmichael Security <http://www.carmichaelsecurity.com>\n# Erik Anderson <eanders@carmichaelsecurity.com>\n# Added links to the Bugtraq message archive and Microsoft Knowledgebase\n#\n# Copyright:\n# Copyright (C) 2002 Michel Arboi & Thomas Reinke\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n# There was no information on the BugBear protocol.\n# I found a worm in the wild and found that it replied to the \"p\" command;\n# the data look random but ends with \"ID:\" and a number\n# Thomas Reinke confirmed that his specimen of the worm behaved in the\n# same way.\n# We will not provide the full data here because it might contain\n# confidential information.\n#\n# References:\n#\n# Date: Tue, 1 Oct 2002 02:07:29 -0400\n# From:\"Russ\" <Russ.Cooper@RC.ON.CA>\n# Subject: Alert:New worms, be aware of internal infection possibilities\n# To:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.11135\");\n script_version(\"$Revision: 11885 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 15:47:20 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_xref(name:\"IAVA\", value:\"2001-a-0004\");\n script_bugtraq_id(2524);\n script_cve_id(\"CVE-2001-0154\"); # For MS01-020 - should be changed later\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Bugbear worm\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_copyright(\"This script is Copyright (C) 2002 Michel Arboi & Thomas Reinke\");\n script_family(\"Malware\");\n script_require_ports(36794);\n script_dependencies(\"find_service.nasl\");\n script_tag(name:\"solution\", value:\"- Use an Anti-Virus package to remove it.\n\n - Close your Windows shares\n\n - Update your IE browser\n See 'Incorrect MIME Header Can Cause IE to Execute E-mail Attachment'\");\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n script_tag(name:\"summary\", value:\"BugBear backdoor is listening on this port.\nA cracker may connect to it to retrieve secret\ninformation, e.g. passwords or credit card numbers...\n\nThe BugBear worm includes a key logger and can kill\nantivirus or personal firewall software. It propagates\nitself through email and open Windows shares.\nDepending on the antivirus vendor, it is known as: Tanatos,\nI-Worm.Tanatos, NATOSTA.A, W32/Bugbear-A, Tanatos, W32/Bugbear@MM,\nWORM_BUGBEAR.A, Win32.BugBear...\");\n\n script_xref(name:\"URL\", value:\"http://www.microsoft.com/technet/security/bulletin/MS01-020.mspx\");\n script_xref(name:\"URL\", value:\"http://www.sophos.com/virusinfo/analyses/w32bugbeara.html\");\n script_xref(name:\"URL\", value:\"http://www.ealaddin.com/news/2002/esafe/bugbear.asp\");\n script_xref(name:\"URL\", value:\"http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear@mm.html\");\n script_xref(name:\"URL\", value:\"http://vil.nai.com/vil/content/v_99728.htm\");\n script_xref(name:\"URL\", value:\"http://online.securityfocus.com/news/1034\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/default.aspx?scid=KB;en-us;329770&\");\n\n exit(0);\n}\n\ninclude(\"misc_func.inc\");\n\nport = 36794;\n\nif (! get_port_state(port)) exit(0);\nsoc = open_sock_tcp(port);\nif (! soc) exit(0);\n\n# We just need to send a 'p' without CR\nsend(socket: soc, data: \"p\");\n# I never saw a buffer bigger than 247 bytes but as the \"ID:\" string is\n# near the end, we'd better use a big buffer, just in case\nr = recv(socket: soc, length: 65536);\nclose(soc);\n\nif (\"ID:\" >< r) {\n security_message(port);\n register_service(port: port, proto: \"bugbear\");\n exit(0);\n}\n\nmsg = \"\nThis port is usually used by the BugBear backdoor.\nAlthough OpenVAS was unable to get an answer from the worm,\nyou'd better check your machine with an up to date\nantivirus scanner.\";\nsecurity_message(port: port, data: msg);\n\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-02T21:09:10", "references": ["2001-a-0004"], "pluginID": "11135", "description": "BugBear backdoor is listening on this port. \nA cracker may connect to it to retrieve secret \ninformation, e.g. passwords or credit card numbers...\n\nThe BugBear worm includes a key logger and can kill \nantivirus or personal firewall softwares. It propagates \nitself through email and open Windows shares.\nDepending on the antivirus vendor, it is known as: Tanatos, \nI-Worm.Tanatos, NATOSTA.A, W32/Bugbear-A, Tanatos, W32/Bugbear@MM, \nWORM_BUGBEAR.A, Win32.BugBear...\n\nhttp://www.sophos.com/virusinfo/analyses/w32bugbeara.html\nhttp://www.ealaddin.com/news/2002/esafe/bugbear.asp\nhttp://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear@mm.html\nhttp://vil.nai.com/vil/content/v_99728.htm\n\nReference : http://online.securityfocus.com/news/1034\nReference : http://support.microsoft.com/default.aspx?scid=KB;en-us;329770&", "edition": 1, "reporter": "This script is Copyright (C) 2002 Michel Arboi & Thomas Reinke", "published": "2005-11-03T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "title": "Bugbear worm", "type": "openvas", "naslFamily": "Malware", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-0154"], "modified": "2017-05-15T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=11135", "id": "OPENVAS:11135", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: bugbear.nasl 6125 2017-05-15 09:03:42Z teissa $\n# Description: Bugbear worm\n#\n# Authors:\n# Michel Arboi <arboi@alussinan.org>\n# Well, in fact I started from a simple script by Thomas Reinke and \n# heavily hacked every byte of it :-]\n# Script audit and contributions from Carmichael Security <http://www.carmichaelsecurity.com>\n# Erik Anderson <eanders@carmichaelsecurity.com>\n# Added links to the Bugtraq message archive and Microsoft Knowledgebase\n#\n# Copyright:\n# Copyright (C) 2002 Michel Arboi & Thomas Reinke\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"BugBear backdoor is listening on this port. \nA cracker may connect to it to retrieve secret \ninformation, e.g. passwords or credit card numbers...\n\nThe BugBear worm includes a key logger and can kill \nantivirus or personal firewall softwares. It propagates \nitself through email and open Windows shares.\nDepending on the antivirus vendor, it is known as: Tanatos, \nI-Worm.Tanatos, NATOSTA.A, W32/Bugbear-A, Tanatos, W32/Bugbear@MM, \nWORM_BUGBEAR.A, Win32.BugBear...\n\nhttp://www.sophos.com/virusinfo/analyses/w32bugbeara.html\nhttp://www.ealaddin.com/news/2002/esafe/bugbear.asp\nhttp://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear@mm.html\nhttp://vil.nai.com/vil/content/v_99728.htm\n\nReference : http://online.securityfocus.com/news/1034\nReference : http://support.microsoft.com/default.aspx?scid=KB;en-us;329770&\";\n\ntag_solution = \"- Use an Anti-Virus package to remove it.\n- Close your Windows shares\n- Update your IE browser \n See 'Incorrect MIME Header Can Cause IE to Execute E-mail Attachment'\n http://www.microsoft.com/technet/security/bulletin/MS01-020.mspx\";\n\n# There was no information on the BugBear protocol. \n# I found a worm in the wild and found that it replied to the \"p\" command;\n# the data look random but ends with \"ID:\" and a number\n# Thomas Reinke confirmed that his specimen of the worm behaved in the \n# same way. \n# We will not provide the full data here because it might contain \n# confidential information.\n# \n# References:\n#\n# Date: Tue, 1 Oct 2002 02:07:29 -0400\n# From:\"Russ\" <Russ.Cooper@RC.ON.CA>\n# Subject: Alert:New worms, be aware of internal infection possibilities\n# To:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM\n\nif(description)\n{\n script_id(11135);\n script_version(\"$Revision: 6125 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-05-15 11:03:42 +0200 (Mon, 15 May 2017) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_xref(name:\"IAVA\", value:\"2001-a-0004\");\n script_bugtraq_id(2524);\n script_cve_id(\"CVE-2001-0154\"); # For MS01-020 - should be changed later\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_name(\"Bugbear worm\");\n \n \n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n \n script_copyright(\"This script is Copyright (C) 2002 Michel Arboi & Thomas Reinke\");\n family = \"Malware\";\n script_family(family);\n script_require_ports(36794);\n script_dependencies(\"find_service.nasl\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n#\ninclude(\"misc_func.inc\");\n\nport = 36794;\n\nif (! get_port_state(port)) exit(0);\nsoc = open_sock_tcp(port);\nif (! soc) exit(0);\n\n# We just need to send a 'p' without CR\nsend(socket: soc, data: \"p\");\n# I never saw a buffer bigger than 247 bytes but as the \"ID:\" string is \n# near the end, we'd better use a big buffer, just in case\nr = recv(socket: soc, length: 65536);\nclose(soc);\n\nif (\"ID:\" >< r) {\n security_message(port); \n register_service(port: port, proto: \"bugbear\");\n exit(0); \n}\n\nmsg = \"\nThis port is usually used by the BugBear backdoor.\nAlthough OpenVAS was unable to get an answer from the worm, \nyou'd better check your machine with an up to date \nantivirus scanner.\";\nsecurity_message(port: port, data: msg);\n\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2018-11-16T16:49:31", "references": ["http://vil.nai.com/vil/content/v_99728.htm", "http://www.nessus.org/u?db7425b2", "http://www.nessus.org/u?45f1d49b", "https://www.sophos.com/en-us/search-results.aspx?search=w32bugbeara&refine=7edf01e4de3c4c8791a56ba6ce685d09", "https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2001/ms01-020", "http://support.microsoft.com/default.aspx?scid=KB;en-us;329770&"], "pluginID": "11135", "description": "The BugBear backdoor is listening on this port. An attacker may connect to it to retrieve secret information such as passwords, credit card numbers, etc.\n\nThe BugBear worm includes a keylogger and can kill antivirus and firewall software. It propagates through email and open Windows shares.\n\nDepending on the antivirus vendor, it is known as Tanatos, I-Worm.Tanatos, NATOSTA.A, W32/Bugbear-A, Tanatos, W32/Bugbear@MM, WORM_BUGBEAR.A, Win32.BugBear...", "edition": 6, "reporter": "Tenable", "published": "2002-10-03T00:00:00", "title": "Bugbear Worm Detection", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Backdoors", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-0154"], "modified": "2018-11-15T00:00:00", "cpe": [], "id": "BUGBEAR.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=11135", "sourceData": "#\n# This script was written by Michel Arboi <arboi@alussinan.org>\n# Well, in fact I started from a simple script by Thomas Reinke and\n# heavily hacked every byte of it :-]\n#\n# Script audit and contributions from Carmichael Security\n# Erik Anderson <eanders@carmichaelsecurity.com> (nb: this domain no longer exists)\n# Added links to the Bugtraq message archive and Microsoft Knowledgebase\n#\n# There was no information on the BugBear protocol.\n# I found a worm in the wild and found that it replied to the \"p\" command;\n# the data look random but ends with \"ID:\" and a number\n# Thomas Reinke confirmed that his specimen of the worm behaved in the\n# same way.\n# We will not provide the full data here because it might contain\n# confidential information.\n#\n# References:\n#\n# Date: Tue, 1 Oct 2002 02:07:29 -0400\n# From:\"Russ\" <Russ.Cooper@RC.ON.CA>\n# Subject: Alert:New worms, be aware of internal infection possibilities\n# To:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM\n#\n\n# Changes by Tenable:\n# - Revised plugin title (12/28/10)\n# - Add MSKB script_xref (8/29/17)\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(11135);\n script_version(\"1.37\");\n script_cvs_date(\"Date: 2018/11/15 20:50:16\");\n\n script_cve_id(\"CVE-2001-0154\"); # For MS01-020 - should be changed later\n script_bugtraq_id(2524);\n script_xref(name:\"MSFT\", value:\"MS01-020\");\n script_xref(name:\"MSKB\", value:\"290108\");\n script_xref(name:\"MSKB\", value:\"329770\");\n\n script_name(english:\"Bugbear Worm Detection\");\n script_summary(english:\"Detect Bugbear worm\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has been compromised.\");\n script_set_attribute(attribute:\"description\", value:\n\"The BugBear backdoor is listening on this port. An attacker may\nconnect to it to retrieve secret information such as passwords,\ncredit card numbers, etc.\n\nThe BugBear worm includes a keylogger and can kill antivirus and\nfirewall software. It propagates through email and open Windows\nshares.\n\nDepending on the antivirus vendor, it is known as Tanatos,\nI-Worm.Tanatos, NATOSTA.A, W32/Bugbear-A, Tanatos, W32/Bugbear@MM,\nWORM_BUGBEAR.A, Win32.BugBear...\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.sophos.com/en-us/search-results.aspx?search=w32bugbeara&refine=7edf01e4de3c4c8791a56ba6ce685d09\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?db7425b2\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?45f1d49b\");\n script_set_attribute(attribute:\"see_also\", value:\"http://vil.nai.com/vil/content/v_99728.htm\");\n script_set_attribute(attribute:\"see_also\", value:\"http://support.microsoft.com/default.aspx?scid=KB;en-us;329770&\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2001/ms01-020\");\n script_set_attribute(attribute:\"solution\", value:\n\"- Use an Antivirus package to remove it.\n- Close your Windows shares\n- Update your IE browser\n See 'Incorrect MIME Header Can Cause IE to Execute E-mail Attachment'\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2001/03/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2002/10/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2002-2018 Michel Arboi & Thomas Reinke\");\n script_family(english:\"Backdoors\");\n script_require_ports(36794);\n script_dependencies(\"find_service1.nasl\");\n exit(0);\n}\n\n#\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nport = 36794;\n\nif (! get_port_state(port)) exit(0);\nsoc = open_sock_tcp(port);\nif (! soc) exit(0);\n\n# We just need to send a 'p' without CR\nsend(socket: soc, data: \"p\");\n# I never saw a buffer bigger than 247 bytes but as the \"ID:\" string is\n# near the end, we'd better use a big buffer, just in case\nr = recv(socket: soc, length: 65536);\nclose(soc);\n\nif (\"ID:\" >< r) {\n security_hole(port);\n register_service(port: port, proto: \"bugbear\");\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
