CVE-2004-0572
CVSS10.0
发布时间 :2004-11-03 00:00:00
修订时间 :2008-09-10 15:26:51
NMCOPS    

[原文]Buffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe.


[CNNVD]Microsoft Windows程序组转换器文件名本地缓冲区溢出漏洞(CNNVD-200411-015)

        
        Microsoft Windows Program Group Converter是程序组转换器。
        Microsoft grpconv.exe不正确处理文件名数据,本地或远程攻击者可以利用这个漏洞对程序进行缓冲区溢出攻击,可能以进程权限在系统上执行任意指令。
        由于对文件名长度缺少充分边界缓冲区检查,构建恶意文件名,并诱使用户处理时,可导致grpconv.exe发生溢出。攻击者可以结合多个IE漏洞来利用此问题,可导致以进程权限在系统上执行任意指令。
        

- CVSS (基础分值)

CVSS分值: 10 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

oval:org.mitre.oval:def:4493Windows 2003 (64-Bit) Program Group Converter Buffer Overflow
oval:org.mitre.oval:def:4244Windows 2003 (32-Bit) Program Group Converter Buffer Overflow
oval:org.mitre.oval:def:3822Windows XP (64-Bit) Program Group Converter Buffer Overflow in shell32.dll
oval:org.mitre.oval:def:3768Windows ME Program Group Converter Buffer Overflow
oval:org.mitre.oval:def:3071Windows NT Program Group Converter Buffer Overflow
oval:org.mitre.oval:def:2753Windows 2000 Program Group Converter Buffer Overflow
oval:org.mitre.oval:def:1843Windows XP (32-Bit) Program Group Converter Buffer Overflow
oval:org.mitre.oval:def:1837Windows XP (64-Bit) Program Group Converter Buffer Overflow in grpconv.exe
oval:org.mitre.oval:def:1279Windows 98 Program Group Converter Buffer Overflow
*OVAL详细的描述了检测该漏洞的方法,你可以从相关的OVAL定义中找到更多检测该漏洞的技术细节。

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0572
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0572
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200411-015
(官方数据源) CNNVD

- 其它链接及资源

http://www.kb.cert.org/vuls/id/543864
(VENDOR_ADVISORY)  CERT-VN  VU#543864
http://xforce.iss.net/xforce/xfdb/16664
(VENDOR_ADVISORY)  XF  win-grpconv-bo(16664)
http://www.securityfocus.com/bid/10677
(VENDOR_ADVISORY)  BID  10677
http://www.microsoft.com/technet/security/bulletin/ms04-037.asp
(VENDOR_ADVISORY)  MS  MS04-037
http://xforce.iss.net/xforce/xfdb/17662
(UNKNOWN)  XF  win-ms04037-patch(17662)
http://archives.neohapsis.com/archives/fulldisclosure/2004-07/0290.html
(VENDOR_ADVISORY)  FULLDISC  20040707 Re: shell:windows command question

- 漏洞信息

Microsoft Windows程序组转换器文件名本地缓冲区溢出漏洞
危急 边界条件错误
2004-11-03 00:00:00 2005-10-20 00:00:00
远程  
        
        Microsoft Windows Program Group Converter是程序组转换器。
        Microsoft grpconv.exe不正确处理文件名数据,本地或远程攻击者可以利用这个漏洞对程序进行缓冲区溢出攻击,可能以进程权限在系统上执行任意指令。
        由于对文件名长度缺少充分边界缓冲区检查,构建恶意文件名,并诱使用户处理时,可导致grpconv.exe发生溢出。攻击者可以结合多个IE漏洞来利用此问题,可导致以进程权限在系统上执行任意指令。
        

- 公告与补丁

        厂商补丁:
        Microsoft
        ---------
        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        
        http://www.microsoft.com/technet/security/

- 漏洞信息 (F34706)

ms04-037.html (PacketStormID:F34706)
2004-10-24 00:00:00
 
remote,shell,vulnerability,code execution
windows
CVE-2004-0214,CVE-2004-0572
[点击下载]

Microsoft Security Bulletin MS04-037 - Vulnerability in Windows Shell Could Allow Remote Code Execution (841356). If a user is logged on with administrative privileges, an attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges. However, user interaction is required to exploit these vulnerabilities.

- 漏洞信息

10699
Microsoft Windows Program Group Converter Arbitrary Code Execution
Local Access Required Input Manipulation
Loss of Integrity
Exploit Unknown

- 漏洞描述

A local overflow exists in Windows. The Program Group Converter (grpconv.exe) fails to validate user-supplied input resulting in a buffer overflow when provided with a very long parameter. With a specially crafted file, an attacker can cause arbitrary code execution resulting in a loss of integrity.

- 时间线

2004-10-12 Unknow
Unknow Unknow

- 解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Microsoft Windows Program Group Converter Filename Local Buffer Overrun Vulnerability
Boundary Condition Error 10677
Yes No
2004-07-07 12:00:00 2009-07-12 06:16:00
Discovery of this vulnerability is credited to Andreas Sandblad.

- 受影响的程序版本

Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows XP 64-bit Edition Version 2003 SP1
Microsoft Windows XP 64-bit Edition Version 2003
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows XP 64-bit Edition
Microsoft Windows Server 2003 Web Edition SP1 Beta 1
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Standard Edition SP1 Beta 1
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1 Beta 1
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Enterprise Edition SP1 Beta 1
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1 Beta 1
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows Server 2003 Datacenter Edition SP1 Beta 1
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows NT Terminal Server 4.0 SP5
Microsoft Windows NT Terminal Server 4.0 SP4
Microsoft Windows NT Terminal Server 4.0 SP3
Microsoft Windows NT Terminal Server 4.0 SP2
Microsoft Windows NT Terminal Server 4.0 SP1
Microsoft Windows NT Terminal Server 4.0
Microsoft Windows NT Server 4.0 SP6a
+ Avaya DefinityOne Media Servers
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
+ Avaya S8100 Media Servers 0
Microsoft Windows NT Server 4.0 SP6
Microsoft Windows NT Server 4.0 SP5
Microsoft Windows NT Server 4.0 SP4
Microsoft Windows NT Server 4.0 SP3
Microsoft Windows NT Server 4.0 SP2
Microsoft Windows NT Server 4.0 SP1
Microsoft Windows NT Server 4.0
Microsoft Windows NT Enterprise Server 4.0 SP6a
Microsoft Windows NT Enterprise Server 4.0 SP6
Microsoft Windows NT Enterprise Server 4.0 SP5
Microsoft Windows NT Enterprise Server 4.0 SP4
Microsoft Windows NT Enterprise Server 4.0 SP3
Microsoft Windows NT Enterprise Server 4.0 SP2
Microsoft Windows NT Enterprise Server 4.0 SP1
Microsoft Windows NT Enterprise Server 4.0
Microsoft Windows NT 4.0 SP6a
Microsoft Windows NT 4.0 SP6
+ Microsoft Windows NT Enterprise Server 4.0 SP6
+ Microsoft Windows NT Enterprise Server 4.0 SP6
+ Microsoft Windows NT Server 4.0 SP6
+ Microsoft Windows NT Server 4.0 SP6
+ Microsoft Windows NT Terminal Server 4.0 SP6
+ Microsoft Windows NT Terminal Server 4.0 SP6
+ Microsoft Windows NT Workstation 4.0 SP6
+ Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT 4.0 SP5
+ Microsoft Windows NT Enterprise Server 4.0 SP5
+ Microsoft Windows NT Enterprise Server 4.0 SP5
+ Microsoft Windows NT Server 4.0 SP5
+ Microsoft Windows NT Server 4.0 SP5
+ Microsoft Windows NT Terminal Server 4.0 SP5
+ Microsoft Windows NT Terminal Server 4.0 SP5
+ Microsoft Windows NT Workstation 4.0 SP5
+ Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT 4.0 SP4
+ Microsoft Windows NT Enterprise Server 4.0 SP4
+ Microsoft Windows NT Enterprise Server 4.0 SP4
+ Microsoft Windows NT Server 4.0 SP4
+ Microsoft Windows NT Server 4.0 SP4
+ Microsoft Windows NT Terminal Server 4.0 SP4
+ Microsoft Windows NT Terminal Server 4.0 SP4
+ Microsoft Windows NT Workstation 4.0 SP4
+ Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT 4.0 SP3
+ Microsoft Windows NT Enterprise Server 4.0 SP3
+ Microsoft Windows NT Enterprise Server 4.0 SP3
+ Microsoft Windows NT Server 4.0 SP3
+ Microsoft Windows NT Server 4.0 SP3
+ Microsoft Windows NT Terminal Server 4.0 SP3
+ Microsoft Windows NT Terminal Server 4.0 SP3
+ Microsoft Windows NT Workstation 4.0 SP3
+ Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT 4.0 SP2
Microsoft Windows NT 4.0 SP1
+ Microsoft Windows NT Enterprise Server 4.0 SP1
+ Microsoft Windows NT Enterprise Server 4.0 SP1
+ Microsoft Windows NT Server 4.0 SP1
+ Microsoft Windows NT Server 4.0 SP1
+ Microsoft Windows NT Terminal Server 4.0 SP1
+ Microsoft Windows NT Terminal Server 4.0 SP1
+ Microsoft Windows NT Workstation 4.0 SP1
+ Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT 4.0
+ Microsoft Windows NT Enterprise Server 4.0
+ Microsoft Windows NT Enterprise Server 4.0
+ Microsoft Windows NT Server 4.0
+ Microsoft Windows NT Server 4.0
+ Microsoft Windows NT Terminal Server 4.0
+ Microsoft Windows NT Terminal Server 4.0
+ Microsoft Windows NT Workstation 4.0
+ Microsoft Windows NT Workstation 4.0
Microsoft Windows ME
Microsoft Windows 98SE
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
Microsoft grpconv
+ Microsoft Windows 2000 Advanced Server SP4
+ Microsoft Windows 2000 Advanced Server SP3
+ Microsoft Windows 2000 Advanced Server SP2
+ Microsoft Windows 2000 Advanced Server SP1
+ Microsoft Windows 2000 Advanced Server
+ Microsoft Windows 2000 Datacenter Server SP4
+ Microsoft Windows 2000 Datacenter Server SP3
+ Microsoft Windows 2000 Datacenter Server SP2
+ Microsoft Windows 2000 Datacenter Server SP1
+ Microsoft Windows 2000 Datacenter Server
+ Microsoft Windows 2000 Professional SP4
+ Microsoft Windows 2000 Professional SP3
+ Microsoft Windows 2000 Professional SP2
+ Microsoft Windows 2000 Professional SP1
+ Microsoft Windows 2000 Professional
+ Microsoft Windows 2000 Server SP4
+ Microsoft Windows 2000 Server SP3
+ Microsoft Windows 2000 Server SP2
+ Microsoft Windows 2000 Server SP1
+ Microsoft Windows 2000 Server
+ Microsoft Windows 98SE
+ Microsoft Windows ME
+ Microsoft Windows NT Enterprise Server 4.0 SP6a
+ Microsoft Windows NT Enterprise Server 4.0 SP6
+ Microsoft Windows NT Enterprise Server 4.0 SP5
+ Microsoft Windows NT Enterprise Server 4.0 SP4
+ Microsoft Windows NT Enterprise Server 4.0 SP3
+ Microsoft Windows NT Enterprise Server 4.0 SP2
+ Microsoft Windows NT Enterprise Server 4.0 SP1
+ Microsoft Windows NT Enterprise Server 4.0
+ Microsoft Windows NT Server 4.0 SP6a
+ Microsoft Windows NT Server 4.0 SP6
+ Microsoft Windows NT Server 4.0 SP5
+ Microsoft Windows NT Server 4.0 SP4
+ Microsoft Windows NT Server 4.0 SP3
+ Microsoft Windows NT Server 4.0 SP2
+ Microsoft Windows NT Server 4.0 SP1
+ Microsoft Windows NT Server 4.0
+ Microsoft Windows NT Terminal Server 4.0 SP6
+ Microsoft Windows NT Terminal Server 4.0 SP5
+ Microsoft Windows NT Terminal Server 4.0 SP4
+ Microsoft Windows NT Terminal Server 4.0 SP3
+ Microsoft Windows NT Terminal Server 4.0 SP2
+ Microsoft Windows NT Terminal Server 4.0 SP1
+ Microsoft Windows NT Terminal Server 4.0
+ Microsoft Windows NT Workstation 4.0 SP6a
+ Microsoft Windows NT Workstation 4.0 SP6
+ Microsoft Windows NT Workstation 4.0 SP5
+ Microsoft Windows NT Workstation 4.0 SP4
+ Microsoft Windows NT Workstation 4.0 SP3
+ Microsoft Windows NT Workstation 4.0 SP2
+ Microsoft Windows NT Workstation 4.0 SP1
+ Microsoft Windows NT Workstation 4.0
+ Microsoft Windows Server 2003 Datacenter Edition
+ Microsoft Windows Server 2003 Datacenter Edition Itanium 0
+ Microsoft Windows Server 2003 Enterprise Edition
+ Microsoft Windows Server 2003 Enterprise Edition Itanium 0
+ Microsoft Windows Server 2003 Standard Edition
+ Microsoft Windows Server 2003 Web Edition
+ Microsoft Windows Sever 2003 Resource Kit
+ Microsoft Windows XP Home SP1
+ Microsoft Windows XP Home
+ Microsoft Windows XP Media Center Edition
+ Microsoft Windows XP Professional SP1
+ Microsoft Windows XP Professional
Avaya S8100 Media Servers R9
Avaya S8100 Media Servers R8
Avaya S8100 Media Servers R7
Avaya S8100 Media Servers R6
Avaya S8100 Media Servers R12
Avaya S8100 Media Servers R11
Avaya S8100 Media Servers R10
Avaya S8100 Media Servers 0
Avaya S3400 Message Application Server 0
+ Microsoft Windows 2000 Server
Avaya Modular Messaging (MSS) 2.0
Avaya Modular Messaging (MSS) 1.1
Avaya IP600 Media Servers R8
Avaya IP600 Media Servers R7
Avaya IP600 Media Servers R6
Avaya IP600 Media Servers R12
Avaya IP600 Media Servers R11
Avaya IP600 Media Servers R10
Avaya IP600 Media Servers
Avaya DefinityOne Media Servers R9
Avaya DefinityOne Media Servers R8
Avaya DefinityOne Media Servers R7
Avaya DefinityOne Media Servers R6
Avaya DefinityOne Media Servers R12
Avaya DefinityOne Media Servers R11
Avaya DefinityOne Media Servers R10
Avaya DefinityOne Media Servers

- 漏洞讨论

Microsoft Windows Program Group Converter (grpconv.exe) is reported prone to a buffer overrun vulnerability. The issue is reported to exist due to a lack of sufficient validation performed on filename data.

An attacker may craft a malicious file and present it to a victim in order to exploit this vulnerability. Additionally, it is demonstrated that this vulnerability may also be exploited using a series of seperate vulnerabilities in Internet Explorer in order to exploit this vulnerability when a malicious website is viewed.

It is reported that exploitation may be hindered because parameter data is stored in Unicode format.

- 漏洞利用

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- 解决方案

Microsoft has released Security Bulletin MS04-037 dealing with this issue.

Avaya has released an advisory that acknowledges this vulnerability for Avaya products. The issue is considered low risk as it requires local interactive access in order to be exploited. Customers are advised to follow Microsoft's guidance for applying patches. Please see the referenced Avaya advisory at the following location for further details:

http://support.avaya.com/japple/css/japple?temp.groupID=128450&temp.selectedFamily=128451&temp.selectedProduct=154235&temp.selectedBucket=126655&temp.feedbackState=askForFeedback&temp.documentID=203487&PAGE=avaya.css.CSSLvl1Detail&executeTransaction=avaya.css.UsageUpdate()


Microsoft Windows NT Server 4.0 SP6a

Microsoft Windows XP Media Center Edition SP1

Microsoft Windows Server 2003 Enterprise Edition Itanium 0

Microsoft Windows NT Terminal Server 4.0 SP6

Microsoft Windows Server 2003 Standard Edition

Microsoft Windows Server 2003 Datacenter Edition Itanium 0

Microsoft Windows NT Workstation 4.0 SP6a

Microsoft Windows XP 64-bit Edition SP1

Microsoft Windows Server 2003 Datacenter Edition

Microsoft Windows 2000 Advanced Server SP4

Microsoft Windows Server 2003 Enterprise Edition

Microsoft Windows 2000 Datacenter Server SP4

Microsoft Windows Server 2003 Web Edition

Microsoft Windows XP Home SP1

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站