Vulnerability Name:

CVE-2005-2127 (CCN-21895)

Assigned: 2005-08-17
Published: 2005-08-17
Updated: 2018-10-19
Summary: Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, as originally demonstrated using the (1) DDS Library Shape Control (Msdds.dll) COM object, and other objects including (2) Blnmgrps.dll, (3) Ciodm.dll, (4) Comsvcs.dll, (5) Danim.dll, (6) Htmlmarq.ocx, (7) Mdt2dd.dll (as demonstrated using a heap corruption attack with uninitialized memory), (8) Mdt2qd.dll, (9) Mpg4ds32.ax, (10) Msadds32.ax, (11) Msb1esen.dll, (12) Msb1fren.dll, (13) Msb1geen.dll, (14) Msdtctm.dll, (15) Mshtml.dll, (16) Msoeacct.dll, (17) Msosvfbr.dll, (18) Mswcrun.dll, (19) Netshell.dll, (20) Ole2disp.dll, (21) Outllib.dll, (22) Psisdecd.dll, (23) Qdvd.dll, (24) Repodbc.dll, (25) Shdocvw.dll, (26) Shell32.dll, (27) Soa.dll, (28) Srchui.dll, (29) Stobject.dll, (30) Vdt70.dll, (31) Vmhelper.dll, and (32) Wbemads.dll, aka a variant of the "COM Object Instantiation Memory Corruption vulnerability."
CVSS v3 Severity: 5.9 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low
CVSS v2 Severity: 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
4.6 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Vulnerability Type: CWE-119
Vulnerability Consequences: Gain Access
References:
Source: MITRE
Type: CNA
CVE-2005-2127

Source: MISC
Type: Third Party Advisory
http://isc.sans.org/diary.php?date=2005-08-18

Source: CCN
Type: SA16480
Microsoft Windows COM Object Instantiation Memory Corruption Vulnerability

Source: SECUNIA
Type: Patch, Vendor Advisory
16480

Source: CCN
Type: SA17172
Avaya Various Products Multiple Vulnerabilities

Source: SECUNIA
Type: Permissions Required, Third Party Advisory
17172

Source: CCN
Type: SA17223
Nortel Centrex IP Client Manager Multiple Vulnerabilities

Source: SECUNIA
Type: Permissions Required, Third Party Advisory
17223

Source: CCN
Type: SA17509
Nortel CallPilot Multiple Vulnerabilities

Source: SECUNIA
Type: Permissions Required, Third Party Advisory
17509

Source: SREASON
Type: Third Party Advisory
72

Source: CCN
Type: SECTRACK ID: 1014727
Microsoft `msdds.dll` COM Object Lets Remote Users Execute Arbitrary Code

Source: SECTRACK
Type: Exploit, Patch, Third Party Advisory, VDB Entry, Vendor Advisory
1014727

Source: CONFIRM
Type: Third Party Advisory
http://support.avaya.com/elmodocs2/security/ASA-2005-214.pdf

Source: CCN
Type: US-CERT VU#740372
Microsoft DDS Library Shape Control (msdds.dll) COM object contains an unspecified vulnerability

Source: CERT-VN
Type: Third Party Advisory, US Government Resource
VU#740372

Source: CCN
Type: US-CERT VU#898241
Microsoft BlnMgr Proxy (blnmgrps.dll) COM object fails to implement required methods

Source: CERT-VN
Type: Third Party Advisory, US Government Resource
VU#898241

Source: CCN
Type: US-CERT VU#959049
Multiple COM objects cause memory corruption in Microsoft Internet Explorer

Source: CERT-VN
Type: Third Party Advisory, US Government Resource
VU#959049

Source: CCN
Type: Microsoft Security Advisory (906267)
A COM Object (Msdds.dll) Could Cause Internet Explorer to Unexpectedly Exit

Source: MISC
Type: Mitigation, Patch, Vendor Advisory
http://www.microsoft.com/technet/security/advisory/906267.mspx

Source: CCN
Type: Microsoft Security Bulletin MS05-052
Cumulative Security Update for Internet Explorer (896688)

Source: CCN
Type: Security Advisory P-2005-0056-Global
Nortel Networks: Log In Required

Source: BUGTRAQ
Type: UNKNOWN
20070606 IE 6/Microsoft Html Popup Window (mshtml.dll) DoS

Source: BID
Type: Exploit, Patch, Third Party Advisory, VDB Entry
14594

Source: CCN
Type: BID-14594
Microsoft Visual Studio .NET msdds.dll Remote Code Execution Vulnerability

Source: BID
Type: Third Party Advisory, VDB Entry
15061

Source: CCN
Type: BID-15061
Microsoft Internet Explorer COM Object Instantiation Variant Vulnerability

Source: CERT
Type: Third Party Advisory, US Government Resource
TA05-284A

Source: CERT
Type: Third Party Advisory, US Government Resource
TA05-347A

Source: CERT
Type: Third Party Advisory, US Government Resource
TA06-220A

Source: VUPEN
Type: Broken Link
ADV-2005-1450

Source: MS
Type: UNKNOWN
MS05-052

Source: CCN
Type: IBM Internet Security Systems X-Force Database
Microsoft Internet Explorer DHTML object buffer overflow

Source: XF
Type: UNKNOWN
Win-msdds-command-execution(21895)

Source: XF
Type: VDB Entry
Win-msdss-command-execution(21895)

Source: XF
Type: VDB Entry
microsoft-ie-mshtml-dos(34754)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:1155

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:1454

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:1464

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:1468

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:1535

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:1538

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:ati:catalyst_driver:*:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:.net_framework:1.1:-:*:*:*:*:*:*
  • OR cpe:/a:microsoft:.net_framework:1.1:sp1:*:*:*:*:*:*
  • OR cpe:/a:microsoft:.net_framework:1.1:sp2:*:*:*:*:*:*
  • OR cpe:/a:microsoft:.net_framework:1.1:sp3:*:*:*:*:*:*
  • OR cpe:/a:microsoft:office:*:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:office:2000:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:office:2000:*:*:ja:*:*:*:*
  • OR cpe:/a:microsoft:office:2000:*:*:ko:*:*:*:*
  • OR cpe:/a:microsoft:office:2000:*:*:zh:*:*:*:*
  • OR cpe:/a:microsoft:office:2000:sp1:*:*:*:*:*:*
  • OR cpe:/a:microsoft:office:2000:sp2:*:*:*:*:*:*
  • OR cpe:/a:microsoft:office:2000:sp3:*:*:*:*:*:*
  • OR cpe:/a:microsoft:office:xp:sp1:*:*:*:*:*:*
  • OR cpe:/a:microsoft:office:xp:sp2:*:*:*:*:*:*
  • OR cpe:/a:microsoft:office:xp:sp3:*:*:*:*:*:*
  • OR cpe:/a:microsoft:project:98:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:project:2000:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:project:2002:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:project:2002:sp1:*:*:*:*:*:*
  • OR cpe:/a:microsoft:project:2003:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:project:2003:sp1:*:*:*:*:*:*
  • OR cpe:/a:microsoft:visio:2000:sr1:*:*:enterprise:*:*:*
  • OR cpe:/a:microsoft:visio:2002:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:visio:2002:*:*:*:professional:*:*:*
  • OR cpe:/a:microsoft:visio:2002:sp1:*:*:*:*:*:*
  • OR cpe:/a:microsoft:visio:2002:sp2:*:*:*:*:*:*
  • OR cpe:/a:microsoft:visio:2002:sp2:*:*:professional:*:*:*
  • OR cpe:/a:microsoft:visio:2002:sp2:*:*:standard:*:*:*
  • OR cpe:/a:microsoft:visio:2003:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:visio:2003:*:*:*:professional:*:*:*
  • OR cpe:/a:microsoft:visio:2003:*:*:*:standard:*:*:*
  • OR cpe:/a:microsoft:visio:2003:sp1:*:*:*:*:*:*
  • OR cpe:/a:microsoft:visual_studio_.net:2002:gold:*:*:*:*:*:*
  • OR cpe:/a:microsoft:visual_studio_.net:2003:*:*:*:enterprise_architect:*:*:*
  • OR cpe:/a:microsoft:visual_studio_.net:2003:gold:*:*:*:*:*:*
  • OR cpe:/a:microsoft:visual_studio_.net:gold:*:*:*:academic:*:*:*
  • OR cpe:/a:microsoft:visual_studio_.net:gold:*:*:*:enterprise_architect:*:*:*
  • OR cpe:/a:microsoft:visual_studio_.net:gold:*:*:*:enterprise_developer:*:*:*
  • OR cpe:/a:microsoft:visual_studio_.net:gold:*:*:*:professional:*:*:*
  • OR cpe:/a:microsoft:visual_studio_.net:gold:*:*:*:trial:*:*:*

Configuration CCN 1:
  • cpe:/o:microsoft:windows_98:*:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_98se:*:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_me:*:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.5:sp2:*:*:*:*:*:*
  • OR cpe:/a:microsoft:ie:6.0:sp1:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp:-:sp1:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_explorer:5.01:sp4:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2000:-:sp4:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:2003_server::x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:xp:sp2:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:-::~~~~itanium~:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:2003_server:sp1:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:2003_server:sp1_itanium:*:*:*:*:*:*
  • OR cpe:/a:microsoft:windows_2003:*:*:*:*:*:*:*:*
  • AND
  • cpe:/a:nortel:callpilot:*:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition ID | Class | Title | Last Modified
    oval:org.mitre.oval:def:1155 | V | WinXP,SP1 (64-bit) DDS Library Shape Control Buffer Overflow | 2011-05-16
    oval:org.mitre.oval:def:1535 | V | Win2k,SP4 DDS Library Shape Control Buffer Overflow | 2011-05-16
    oval:org.mitre.oval:def:1454 | V | Server 2003 DDS Library Shape Control Buffer Overflow | 2011-05-16
    oval:org.mitre.oval:def:1538 | V | Win2K/XP,SP1 DDS Library Shape Control Buffer Overflow | 2011-05-16
    oval:org.mitre.oval:def:1464 | V | Server 2003,SP1 DDS Library Shape Control Buffer Overflow | 2011-05-16
    oval:org.mitre.oval:def:1468 | V | WinXP,SP2 DDS Library Shape Control Buffer Overflow | 2011-05-16
    ati catalyst driver *
    microsoft .net framework 1.1
    microsoft .net framework 1.1 sp1
    microsoft .net framework 1.1 sp2
    microsoft .net framework 1.1 sp3
    microsoft office *
    microsoft office 2000
    microsoft office 2000
    microsoft office 2000
    microsoft office 2000
    microsoft office 2000 sp1
    microsoft office 2000 sp2
    microsoft office 2000 sp3
    microsoft office xp sp1
    microsoft office xp sp2
    microsoft office xp sp3
    microsoft project 98
    microsoft project 2000
    microsoft project 2002
    microsoft project 2002 sp1
    microsoft project 2003
    microsoft project 2003 sp1
    microsoft visio 2000 sr1
    microsoft visio 2002
    microsoft visio 2002
    microsoft visio 2002 sp1
    microsoft visio 2002 sp2
    microsoft visio 2002 sp2
    microsoft visio 2002 sp2
    microsoft visio 2003
    microsoft visio 2003
    microsoft visio 2003
    microsoft visio 2003 sp1
    microsoft visual studio .net 2002 gold
    microsoft visual studio .net 2003
    microsoft visual studio .net 2003 gold
    microsoft visual studio .net gold
    microsoft visual studio .net gold
    microsoft visual studio .net gold
    microsoft visual studio .net gold
    microsoft visual studio .net gold
    microsoft windows 98 *
    microsoft windows 98se *
    microsoft windows me *
    microsoft ie 6.0
    microsoft ie 5.5 sp2
    microsoft ie 6.0 sp1
    microsoft windows xp - sp1
    microsoft ie 5.01 sp4
    microsoft windows 2000 - sp4
    microsoft windows 2003_server
    microsoft windows xp sp2
    microsoft windows 2003 server -
    microsoft windows 2003_server sp1
    microsoft windows 2003_server sp1_itanium
    microsoft windows 2003 *
    nortel callpilot *