Security Research

Security Vulnerability
Microsoft Windows ANI File Parsing Remote Buffer Overflow Vulnerability (MS05-002/KB891711)

Published: 2005-01-11
Updated: 2005-01-12

Affected systems:
Microsoft Windows XP Professional SP1
Microsoft Windows XP Home SP1
Microsoft Windows NT 4.0 SP6a
Microsoft Windows 2003
Microsoft Windows 2000 SP4
Microsoft Windows 2000 SP3
Description:
BUGTRAQ ID: 12233
CVE(CAN) ID: CVE-2004-1049

Windows is the desktop operating system developed by Microsoft.

Windows has a flaw in its handling of animated cursor files. A remote attacker can exploit it by constructing a malicious ANI file and luring a user into processing it, potentially executing arbitrary code with the privileges of the affected process.

The problem lies in how USER32.dll processes .ani files. Part of the ANI file format is as follows:

"RIFF" {(DWORD)Length_of_file}
"ACON"
"LIST" {(DWORD)Length_of_list}
"INFO"
"INAM" {(DWORD)Length_of_title} {szTitle}
"IART" {(DWORD)Length_of_author} {szAuthor}
"anih" {(DWORD)Length_of_AnimationHeader} {AnimationHeaderBlock}

Normally the AnimationHeaderBlock is 36 bytes (0x00000024) long. The vulnerability is in the handling of the Length_of_AnimationHeader field: in order to copy the contents of the AnimationHeaderBlock, this value is passed as the length argument to memcpy(), but it is not properly checked. An overlong value can therefore overwrite the return address and lead to arbitrary code execution with the privileges of the process.

Because animated cursor files can be supplied to Internet Explorer, an attacker can construct a malicious ANI file, lure a user into processing it, and potentially execute arbitrary code with the privileges of the process.
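As an added illustration that is not part of the original advisory, the following Python checker walks the RIFF chunk layout shown above and flags an anih chunk whose declared length is not the expected 36 bytes or whose declared length runs past the end of the file. The sample files it builds are constructed here for testing, and the function names are my own.

```python
import struct

ANIH_EXPECTED_LEN = 36  # 0x24: size of the fixed animation header block the copy expects


def chunk(tag, payload, declared=None):
    """Encode one RIFF chunk; `declared` overrides the length field (to build malformed samples)."""
    length = len(payload) if declared is None else declared
    pad = b"\0" if len(payload) % 2 else b""  # RIFF chunks are word-aligned
    return tag + struct.pack("<I", length) + payload + pad


def build_ani(anih_payload_len=ANIH_EXPECTED_LEN, declared_len=None):
    """Constructed RIFF/ACON sample (not a real cursor) following the layout in the advisory."""
    info = b"INFO" + chunk(b"INAM", b"sample\0") + chunk(b"IART", b"constructed\0")
    body = b"ACON" + chunk(b"LIST", info) + chunk(b"anih", b"\0" * anih_payload_len, declared_len)
    return b"RIFF" + struct.pack("<I", len(body)) + body


def iter_chunks(data, start, end):
    """Yield (tag, declared_length, payload_offset) for each top-level chunk in data[start:end]."""
    pos = start
    while pos + 8 <= end:
        tag = data[pos:pos + 4]
        (length,) = struct.unpack_from("<I", data, pos + 4)
        yield tag, length, pos + 8
        pos += 8 + length + (length & 1)


def check_ani(data):
    """Return findings for an ANI file; an empty list means the anih chunk is well-formed."""
    findings = []
    if data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]
    (riff_len,) = struct.unpack_from("<I", data, 4)
    end = min(len(data), riff_len + 8)  # never trust the declared size past the real file
    seen_anih = False
    for tag, length, off in iter_chunks(data, 12, end):
        if off + length > end:
            findings.append("chunk %r declares %d bytes but only %d remain" % (tag, length, end - off))
        if tag == b"anih":
            seen_anih = True
            if length != ANIH_EXPECTED_LEN:
                findings.append("anih length %d != %d: CVE-2004-1049 pattern" % (length, ANIH_EXPECTED_LEN))
        if off + length > end:
            break  # declared length is untrustworthy; stop walking
    if not seen_anih:
        findings.append("no anih chunk found")
    return findings
```

A real scanner would also descend into the LIST/INFO sub-chunks and check the RIFF length against the file size; this block deliberately limits itself to the anih length check the advisory describes.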

<*Source: Yuji Ukai
  
  Links: http://marc.theaimsgroup.com/?l=bugtraq&m=110547079218397&w=2
         http://www.microsoft.com/technet/security/bulletin/MS05-002.mspx
         http://www.microsoft.com/technet/security/bulletin/ms05-002.mspx
*>

Recommendations:
Vendor patches:

Microsoft
---------
Microsoft has released a security bulletin (MS05-002) and corresponding patches for this issue:
MS05-002: Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code Execution (891711)
Link: http://www.microsoft.com/technet/security/bulletin/ms05-002.mspx

Patch downloads:

Microsoft Windows NT Server 4.0 Service Pack 6a

http://www.microsoft.com/downloads/details.aspx?FamilyId=4604400A-287E-48CC-91B1-BEE44EEA588C

Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6

http://www.microsoft.com/downloads/details.aspx?FamilyId=94A0B521-4C39-4D15-AA80-068C30476E6F

Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4

http://www.microsoft.com/downloads/details.aspx?FamilyId=722C6C65-3F6C-4029-8EB7-D4612A785E78

Microsoft Windows XP Service Pack 1

http://www.microsoft.com/downloads/details.aspx?FamilyId=8850954D-57D9-4D23-9AA1-1CCF6085A057

Microsoft Windows XP 64-Bit Edition Service Pack 1

http://www.microsoft.com/downloads/details.aspx?FamilyId=2325700F-7931-4B0C-A978-BCFF469B8061

Microsoft Windows XP 64-Bit Edition Version 2003

http://www.microsoft.com/downloads/details.aspx?FamilyId=16A52196-0BD0-4355-9F29-2B26CB0961AF

Microsoft Windows Server 2003

http://www.microsoft.com/downloads/details.aspx?FamilyId=CBCCADF6-449A-4D74-937D-4087A6E6C1C2

Microsoft Windows Server 2003 64-Bit Edition

http://www.microsoft.com/downloads/details.aspx?FamilyId=16A52196-0BD0-4355-9F29-2B26CB0961AF

Severity: 10 (user vote)
This vulnerability advisory was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.