CVE-2004-0214
Published: 2004-11-03 00:00:00
Last modified: 2017-10-10 21:29:24
[Original] Buffer overflow in Microsoft Internet Explorer and Explorer on Windows XP SP1, Windows 2000, Windows 98, and Windows Me may allow remote malicious servers to cause a denial of service (application crash) and possibly execute arbitrary code via long share names, as demonstrated using Samba.
[CNNVD] Microsoft Windows Long Share Name Buffer Overflow Vulnerability (CNNVD-200411-002)
Microsoft Windows is the Windows operating system developed by Microsoft.
Windows Explorer and Internet Explorer in Microsoft Windows lack proper bounds checking when handling overly long share names. A remote attacker can exploit this to trigger a buffer overflow and potentially execute arbitrary instructions on the system with the privileges of the affected process.
When accessing a remote file server such as Samba, Windows does not handle overly long share names correctly. A malicious server can present a malformed, overly long share name and lure a user into browsing it with Windows Explorer or Internet Explorer, which triggers the buffer overflow; with carefully crafted share name data, arbitrary instructions may be executed with the privileges of the process.
- CVSS (base score)
CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]
- CPE (affected platforms and products)
cpe:/a:microsoft:ie:6.0.2900 | Microsoft Internet Explorer 6.0.2900
cpe:/o:microsoft:windows_2000 | Microsoft Windows 2000
cpe:/o:microsoft:windows_98::gold | Microsoft Windows 98 Gold
cpe:/o:microsoft:windows_me | Microsoft Windows ME
cpe:/o:microsoft:windows_xp::sp1:tablet_pc | Microsoft Windows XP SP1 Tablet PC
- OVAL (technical details for detection)
oval:org.mitre.oval:def:5307 | Windows XP Long Share Names Vulnerability
oval:org.mitre.oval:def:4345 | Windows 2000 Long Share Names Vulnerability
oval:org.mitre.oval:def:2638 | Windows 98 Long Share Names Vulnerability
oval:org.mitre.oval:def:1749 | Windows NT Long Share Names Vulnerability
oval:org.mitre.oval:def:1601 | Windows ME Long Share Names Vulnerability
*OVAL describes in detail how to detect this vulnerability; the related OVAL definitions contain further technical details on detecting it.
- Vulnerability information
Title: Microsoft Windows Long Share Name Buffer Overflow Vulnerability
Severity: Critical
Type: Boundary condition error
Published: 2004-11-03 00:00:00
Updated: 2005-10-20 00:00:00
Access: Remote
- Advisories and patches
Vendor patch: Microsoft
The vendor has not yet provided a patch or upgrade; users of this software are advised to monitor the vendor's home page for the latest version: http://www.microsoft.com/technet/security/
- Vulnerability information (24051)
Microsoft Windows XP/2000/NT 4 Shell Long Share Name Buffer Overrun Vulnerability (EDBID:24051)
Platform: windows
Type: dos
Date: 2004-04-25 (Verified)
Port: 0
Author: Rodrigo Gutierrez

source: http://www.securityfocus.com/bid/10213/info

Microsoft Windows operating systems have been reported to be prone to a remotely exploitable buffer overrun condition. This issue is exposed when a client attempts to connect to an SMB share with an overly long name. This may cause explorer.exe or Internet Explorer to crash but could also potentially be leveraged to execute arbitrary code as the client user.

The proof of concept is a Samba share definition (smb.conf) whose share name is overly long:

    [AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]
    comment = Area 51
    path = /tmp/testfolder
    public = yes
    writable = yes
    printable = no
    browseable = yes
    write list = @trymywingchung
- Vulnerability information (F34706)
ms04-037.html (PacketStormID:F34706)
Date: 2004-10-24 00:00:00
Tags: remote, shell, vulnerability, code execution
Platform: windows
CVE: CVE-2004-0214, CVE-2004-0572

Microsoft Security Bulletin MS04-037 - Vulnerability in Windows Shell Could Allow Remote Code Execution (841356). If a user is logged on with administrative privileges, an attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges. However, user interaction is required to exploit these vulnerabilities.
- Vulnerability information
ID: 10698
Title: Microsoft Windows Shell Application Start Arbitrary Code Execution
Location: Local Access Required
Attack type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Unknown
- Vulnerability description
A local overflow exists in Windows. The Windows Shell functions fail to validate user-supplied input, resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution, resulting in a loss of integrity.
- Timeline
Disclosure: 2004-10-12
Other timeline dates: Unknown
- Solution
Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.
- Vulnerability information
Title: Microsoft Windows Shell Long Share Name Buffer Overrun Vulnerability
Class: Boundary Condition Error
BID: 10213
Remote: Yes
Local: No
Published: 2004-04-25 12:00:00
Updated: 2009-07-12 04:06:00
Credit: Discovery is credited to "Rodrigo Gutierrez" <rodrigo@intellicomp.cl>.
- Affected program versions
Microsoft Windows XP Tablet PC Edition
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows XP 64-bit Edition Version 2003 SP1
Microsoft Windows XP 64-bit Edition Version 2003
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows XP 64-bit Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows NT Terminal Server 4.0 SP5
Microsoft Windows NT Terminal Server 4.0 SP4
Microsoft Windows NT Terminal Server 4.0 SP3
Microsoft Windows NT Terminal Server 4.0 SP2
Microsoft Windows NT Terminal Server 4.0 SP1
Microsoft Windows NT Terminal Server 4.0
Microsoft Windows NT Server 4.0 SP6a
Microsoft Windows NT Server 4.0 SP6
Microsoft Windows NT Server 4.0 SP5
Microsoft Windows NT Server 4.0 SP4
Microsoft Windows NT Server 4.0 SP3
Microsoft Windows NT Server 4.0 SP2
Microsoft Windows NT Server 4.0 SP1
Microsoft Windows NT Server 4.0
Microsoft Windows NT Enterprise Server 4.0 SP6a
Microsoft Windows NT Enterprise Server 4.0 SP6
Microsoft Windows NT Enterprise Server 4.0 SP5
Microsoft Windows NT Enterprise Server 4.0 SP4
Microsoft Windows NT Enterprise Server 4.0 SP3
Microsoft Windows NT Enterprise Server 4.0 SP2
Microsoft Windows NT Enterprise Server 4.0 SP1
Microsoft Windows NT Enterprise Server 4.0
Microsoft Windows ME
Microsoft Windows 98SE
Microsoft Windows 98
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
Avaya S8100 Media Servers R9
Avaya S8100 Media Servers R8
Avaya S8100 Media Servers R7
Avaya S8100 Media Servers R6
Avaya S8100 Media Servers R12
Avaya S8100 Media Servers R11
Avaya S8100 Media Servers R10
Avaya S8100 Media Servers 0
Avaya S3400 Message Application Server 0
Avaya Modular Messaging (MSS) 2.0
Avaya Modular Messaging (MSS) 1.1
Avaya IP600 Media Servers R9
Avaya IP600 Media Servers R8
Avaya IP600 Media Servers R7
Avaya IP600 Media Servers R6
Avaya IP600 Media Servers R12
Avaya IP600 Media Servers R11
Avaya IP600 Media Servers R10
Avaya IP600 Media Servers
Avaya DefinityOne Media Servers R9
Avaya DefinityOne Media Servers R8
Avaya DefinityOne Media Servers R7
Avaya DefinityOne Media Servers R6
Avaya DefinityOne Media Servers R12
Avaya DefinityOne Media Servers R11
Avaya DefinityOne Media Servers R10
Avaya DefinityOne Media Servers
- Vulnerability discussion
Microsoft Windows operating systems have been reported to be prone to a remotely exploitable buffer overrun condition. This issue is exposed when a client attempts to connect to an SMB share with an overly long name. This may cause explorer.exe or Internet Explorer to crash but could also potentially be leveraged to execute arbitrary code as the client user.
- Exploit
A proof-of-concept was provided that will cause a denial of service. The following proof-of-concept demonstrates how to create a share in Samba that will trigger the condition by editing smb.conf:

    [AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]
    comment = Area 51
    path = /tmp/testfolder
    public = yes
    writable = yes
    printable = no
    browseable = yes
    write list = @trymywingchung

---
Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.
- Solution
Microsoft has released a bulletin that includes fixes to address this issue for supported versions of the operating system. Avaya has released an advisory that acknowledges this vulnerability for Avaya products. The issue is considered low risk as it requires local interactive access in order to be exploited. Customers are advised to follow Microsoft's guidance for applying patches. Please see the referenced Avaya advisory at the following location for further details: http://support.avaya.com/japple/css/japple?temp.groupID=128450&temp.selectedFamily=128451&temp.selectedProduct=154235&temp.selectedBucket=126655&temp.feedbackState=askForFeedback&temp.documentID=203487&PAGE=avaya.css.CSSLvl1Detail&executeTransaction=avaya.css.UsageUpdate()

Fixes are listed for the following versions:
Microsoft Windows NT Server 4.0 SP6a
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Home SP1
Microsoft Windows XP 64-bit Edition Version 2003
Microsoft Windows NT Enterprise Server 4.0 SP6a
Microsoft Windows 2000 Server SP4