Buffer overflow in Internet Explorer's HTTP parsing code
2003-04-28T00:00:00
ID SECURITYVULNS:DOC:4457 Type securityvulns Reporter Securityvulns Modified 2003-04-28T00:00:00
Description
OVERVIEW
The code used in Microsoft Internet Explorer to parse web servers' HTTP
replies contains a buffer overflow vulnerability. Specifically, the faulty
code is located in URLMON.DLL. An attacker who controls the reply (for
example by operating a malicious web server) may exploit this
vulnerability to execute arbitrary code on an IE user's system.
DETAILS
HTTP is the protocol used in communication between web servers and web
browsers. When a web page is viewed, the browser sends an HTTP request to
the server in question. The server then sends an HTTP reply which usually
contains the web page the browser requested. In addition to the
document body, which is shown to the user, the HTTP reply contains
header fields which, for example, specify how the document should be
presented to the user.
Due to missing or insufficient input validation, a buffer overflow
takes place in Internet Explorer when it receives an HTTP reply
with excessively long values in certain header fields. A buffer placed
on the stack gets overrun, so a malicious reply can overwrite adjacent
stack data, including the subroutine's return address, and thus direct
program execution to an address of the attacker's choosing. The
vulnerability is a traditional stack-based buffer overflow and
relatively easy to exploit.
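The following is an added example, not code from the advisory or from URLMON.DLL, showing the bug class described above in a minimal HTTP reply parser. It copies a header value into a fixed-size stack buffer without a length check (the vulnerable pattern), beside a bounded version that rejects over-long values, and it builds the kind of reply a malicious server would send. The header name "X-Long", the 64-byte buffer size and the reply contents are assumptions for illustration; the advisory does not name the affected header fields or the real buffer size.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define VALUE_BUF 64   /* assumed size of the fixed stack buffer (not URLMON's) */

/* Find header `name` in a raw reply. Returns a pointer to its value and
 * stores the value length (up to the line end) in *len; NULL if absent.
 * Matching is case-sensitive to keep the example short. */
static const char *find_header(const char *reply, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = strstr(reply, "\r\n");            /* skip the status line */
    while (p != NULL) {
        p += 2;
        if (p[0] == '\0' || (p[0] == '\r' && p[1] == '\n'))
            return NULL;                               /* blank line: headers end */
        if (strncmp(p, name, nlen) == 0 && p[nlen] == ':') {
            const char *v = p + nlen + 1;
            while (*v == ' ' || *v == '\t')
                v++;
            const char *e = v;
            while (*e != '\0' && *e != '\r' && *e != '\n')
                e++;
            *len = (size_t)(e - v);
            return v;
        }
        p = strstr(p, "\r\n");
    }
    return NULL;
}

/* VULNERABLE PATTERN (constructed to illustrate the advisory): the value is
 * copied into a fixed-size stack buffer without checking its length. A value
 * of VALUE_BUF bytes or more overruns `value` and the saved return address
 * above it, which is the condition the advisory describes. Only ever call
 * this with short, trusted input; the overrun is undefined behaviour. */
size_t header_value_len_unsafe(const char *reply, const char *name)
{
    char value[VALUE_BUF];
    size_t len;
    const char *v = find_header(reply, name, &len);
    if (v == NULL)
        return 0;
    memcpy(value, v, len);          /* no bound on len: stack overflow */
    value[len] = '\0';
    return strlen(value);
}

/* HARDENED: the caller passes the buffer and its size, and an over-long
 * value is rejected rather than silently truncated or copied past the end.
 * Returns 0 on success, -1 if the header is absent, -2 if it is too long. */
int header_value_safe(const char *reply, const char *name,
                      char *out, size_t outlen)
{
    size_t len;
    const char *v = find_header(reply, name, &len);
    if (v == NULL)
        return -1;
    if (outlen == 0 || len >= outlen)
        return -2;
    memcpy(out, v, len);
    out[len] = '\0';
    return 0;
}

/* Build a constructed reply whose hypothetical "X-Long" header carries n
 * bytes of 'A', the shape of input a malicious server would send.
 * Returns the reply length, or 0 if buf cannot hold it. */
size_t build_long_header_reply(char *buf, size_t buflen, size_t n)
{
    const char *head = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Long: ";
    const char *tail = "\r\n\r\n<html><body>hello</body></html>";
    size_t hl = strlen(head), tl = strlen(tail);
    if (buflen < hl + n + tl + 1)
        return 0;
    memcpy(buf, head, hl);
    memset(buf + hl, 'A', n);
    memcpy(buf + hl + n, tail, tl + 1);                /* includes the NUL */
    return hl + n + tl;
}

/* Demo: a 512-byte value must be rejected by the bounded parser (rc -2). */
int demo_long_value_rejected(void)
{
    char reply[1024], out[VALUE_BUF];
    if (build_long_header_reply(reply, sizeof reply, 512) == 0)
        return -99;
    return header_value_safe(reply, "X-Long", out, sizeof out);
}

/* Demo: a normal reply is parsed identically by both versions; returns the
 * length of the 8-byte X-Long value as seen by the unsafe parser. */
int demo_normal_value_ok(void)
{
    char reply[256], out[VALUE_BUF];
    if (build_long_header_reply(reply, sizeof reply, 8) == 0)
        return -99;
    if (header_value_safe(reply, "Content-Type", out, sizeof out) != 0)
        return -1;
    if (strcmp(out, "text/html") != 0)
        return -2;
    return (int)header_value_len_unsafe(reply, "X-Long");
}

int main(void)
{
    printf("long value: rc=%d (expect -2)\n", demo_long_value_rejected());
    printf("normal value: X-Long length=%d (expect 8)\n", demo_normal_value_ok());
    return 0;
}
```

The unsafe parser is deliberately never called with the 512-byte value: on a real target that call is the exploit, since the bytes past the buffer land on the saved return address. The fix is not truncation alone but a caller-supplied bound plus an explicit rejection path, so a reply that does not fit is dropped rather than partially accepted.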
This vulnerability can be used by an attacker to run arbitrary code on
the system of a victim who views a specially crafted web page with
Internet Explorer or reads mail with Outlook or Outlook Express. More
details will be published later.
SOLUTION
The vendor was informed about the bug on March 16, 2003. Microsoft has
classified this vulnerability as critical and published a bulletin
and patch correcting the issue. These are available at

 http://www.microsoft.com/technet/security/bulletin/MS03-015.asp
The information in the "Mitigating factors" section of Microsoft's
bulletin claiming that this vulnerability isn't exploitable by e-mail
borne attacks is incorrect. Test exploits have been produced for
WWW, Outlook, and Outlook Express attack scenarios. In each of these
cases, the exploit code runs without further user interaction on the
victim system. Furthermore, no e-mail attachments or scripting of any
kind are needed, since the attack can be carried out via standard
HTML. In fact, merely starting the e-mail program can lead to exploitation
because (depending on configuration) it may automatically open the first
new message.
CREDITS
The vulnerability was discovered by Jouko Pynnönen of Oy Online Solutions
Ltd, Finland. It was demonstrated on 25 April 2003 at Kontakti.net's
"Tekninen Tietoturva" seminar in Helsinki.
--
Jouko Pynnonen Online Solutions Ltd Secure your Linux -
jouko@solutions.fi http://www.solutions.fi http://www.secmod.com