CVE-2004-1049
CVSS 5.1
Published: 2004-12-31 00:00:00
Revised: 2016-10-17 22:50:56
NMCOS

[Original text] Integer overflow in the LoadImage API of the USER32 Lib for Microsoft Windows allows remote attackers to execute arbitrary code via a .bmp, .cur, .ico or .ani file with a large image size field, which leads to a buffer overflow, aka the "Cursor and Icon Format Handling Vulnerability."


[CNNVD] Microsoft Windows ANI File Parsing Remote Buffer Overflow Vulnerability (MS05-002/KB891711) (CNNVD-200412-653)

        
Windows is the windowing operating system developed by Microsoft.
Windows has a flaw in its handling of animated cursor files. A remote attacker can exploit it by constructing a malicious ANI file and luring a user into processing it, potentially executing arbitrary instructions with the privileges of the process.
The problem lies in USER32.dll's processing of .ani files. Part of the ANI file format is as follows:
"RIFF" {(DWORD)Length_of_file}
"ACON"
"LIST" {(DWORD)Length_of_list}
"INFO"
"INAM" {(DWORD)Length_of_title} {szTitle}
"IART" {(DWORD)Length_of_author} {szAuthor}
"anih" {(DWORD)Length_of_AnimationHeader} {AnimationHeaderBlock}
Normally the AnimationHeaderBlock is 36 bytes long (0x00000024). The vulnerability lies in the handling of the Length_of_AnimationHeader field: to copy the contents of the AnimationHeaderBlock, this value is passed to memcpy() as the length argument, but it is not properly checked, so an oversized value can overwrite the return address and execute arbitrary instructions with the privileges of the process.
Because animated cursor files can be supplied to Internet Explorer, an attacker can construct a malicious ANI file and lure a user into processing it, potentially executing arbitrary instructions with the privileges of the process.
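The length check the advisory says is missing, written here as an added example (not code from this page, from Microsoft, or from CNNVD): a small Python scanner that walks the RIFF chunks of an .ani file as laid out above and flags any anih chunk whose length field is not 36 bytes, or any chunk whose length field runs past its container. The sample files are constructed inline; the chunk padding and list layout follow the RIFF convention and are assumptions not stated on the page.

```python
import struct

ANIH_SIZE = 36  # expected length of the AnimationHeaderBlock (0x24)

def _chunks(data, start, end):
    """Yield (fourcc, payload_offset, declared_size, fits) for each RIFF chunk in data[start:end]."""
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        payload = pos + 8
        fits = size <= end - payload          # declared length must stay inside the enclosing chunk
        yield fourcc, payload, size, fits
        if not fits:
            return                            # an untrusted size cannot be used to locate the next chunk
        pos = payload + size + (size & 1)     # RIFF pads odd-sized chunks to an even boundary (assumed)

def scan_ani(data):
    """Return a list of findings for an ANI file; an empty list means every length field checked out."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]
    findings = []
    (riff_size,) = struct.unpack_from("<I", data, 4)
    if riff_size > len(data) - 8:
        findings.append("RIFF length field exceeds the file size")
    def walk(start, end):
        for fourcc, payload, size, fits in _chunks(data, start, end):
            if not fits:
                findings.append(f"chunk {fourcc!r} length {size:#x} runs past the end of its container")
                return
            if fourcc == b"LIST":
                walk(payload + 4, payload + size)   # skip the 4-byte list type (e.g. INFO)
            elif fourcc == b"anih" and size != ANIH_SIZE:
                findings.append(f"anih length {size:#x}, expected {ANIH_SIZE:#x}")
    walk(12, min(len(data), 8 + riff_size))
    return findings

# --- constructed sample files (not real-world cursors) ---
def _chunk(fourcc, payload):
    return fourcc + struct.pack("<I", len(payload)) + payload + (b"\0" if len(payload) & 1 else b"")

def _riff(chunks):
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body

GOOD_ANIH = struct.pack("<9I", ANIH_SIZE, 1, 1, 0, 0, 0, 0, 10, 1)   # well-formed 36-byte header
INFO_LIST = _chunk(b"LIST", b"INFO" + _chunk(b"INAM", b"demo\0"))
BENIGN_ANI = _riff([INFO_LIST, _chunk(b"anih", GOOD_ANIH)])
# Same layout, but the anih chunk declares 0x100 bytes: the oversized length the advisory describes.
OVERSIZED_ANI = _riff([INFO_LIST, _chunk(b"anih", GOOD_ANIH + b"\0" * (0x100 - ANIH_SIZE))])
# A file cut short so that the anih length field points past the end of the data.
TRUNCATED_ANI = _riff([_chunk(b"anih", GOOD_ANIH)])[:-10]
```

Running `scan_ani` over BENIGN_ANI returns no findings, while the oversized and truncated samples each produce a finding naming the anih chunk.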
        

- CVSS (base score)

CVSS score: 5.1 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_xp::sp1:tablet_pc  Microsoft windows xp_sp1 tablet_pc
cpe:/o:microsoft:windows_2000  Microsoft Windows 2000
cpe:/o:microsoft:windows_2003_server:r2
cpe:/o:microsoft:windows_2000::sp1  Microsoft windows 2000_sp1
cpe:/o:microsoft:windows_2000::sp2  Microsoft windows 2000_sp2
cpe:/o:microsoft:windows_2000::sp4::fr
cpe:/o:microsoft:windows_2000::sp3  Microsoft windows 2000_sp3
cpe:/o:microsoft:windows_nt  Microsoft Windows NT
cpe:/o:microsoft:windows_xp::gold  Microsoft windows xp_gold

- OVAL (technical details for detection)

oval:org.mitre.oval:def:4671  LoadImage Cursor and Icon Format Handling Vulnerability (Windows 2000)
oval:org.mitre.oval:def:3355  LoadImage Cursor and Icon Format Handling Vulnerability (NT 4.0)
oval:org.mitre.oval:def:3220  LoadImage Cursor and Icon Format Handling Vulnerability (Server 2003)
oval:org.mitre.oval:def:3097  LoadImage Cursor and Icon Format Handling Vulnerability (Terminal Server)
oval:org.mitre.oval:def:2956  LoadImage Cursor and Icon Format Handling Vulnerability (XP)
*OVAL describes in detail how to detect this vulnerability; more technical details on detecting it can be found in the related OVAL definitions.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1049
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1049
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-653
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=110382891718076&w=2
(UNKNOWN)  BUGTRAQ  20041223 Microsoft Windows LoadImage API Integer Buffer overflow
http://securitytracker.com/id?1012684
(UNKNOWN)  SECTRACK  1012684
http://www.ciac.org/ciac/bulletins/p-094.shtml
(UNKNOWN)  CIAC  P-094
http://www.kb.cert.org/vuls/id/625856
(VENDOR_ADVISORY)  CERT-VN  VU#625856
http://www.microsoft.com/technet/Security/bulletin/ms05-002.mspx
(VENDOR_ADVISORY)  MS  MS05-002
http://www.securityfocus.com/bid/12095
(UNKNOWN)  BID  12095
http://www.us-cert.gov/cas/techalerts/TA05-012A.html
(VENDOR_ADVISORY)  CERT  TA05-012A
http://www.xfocus.net/flashsky/icoExp/index.html
(UNKNOWN)  MISC  http://www.xfocus.net/flashsky/icoExp/index.html
http://xforce.iss.net/xforce/xfdb/18668
(UNKNOWN)  XF  win-loadimage-bo(18668)

- Vulnerability information

Microsoft Windows ANI File Parsing Remote Buffer Overflow Vulnerability (MS05-002/KB891711)
Medium risk  Boundary condition error
2004-12-31 00:00:00 2006-04-19 00:00:00
Remote
        

- Advisories and patches

Vendor patches:
Microsoft
---------
Microsoft has released a security bulletin (MS05-002) and corresponding patches for this issue:
MS05-002: Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code Execution (891711)
Link:
http://www.microsoft.com/technet/security/bulletin/ms05-002.mspx

Patch downloads:
        Microsoft Windows NT Server 4.0 Service Pack 6a
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=4604400A-287E-48CC-91B1-BEE44EEA588C

        
        Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=94A0B521-4C39-4D15-AA80-068C30476E6F

        
        Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=722C6C65-3F6C-4029-8EB7-D4612A785E78

        
        Microsoft Windows XP Service Pack 1
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=8850954D-57D9-4D23-9AA1-1CCF6085A057

        
        Microsoft Windows XP 64-Bit Edition Service Pack 1
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=2325700F-7931-4B0C-A978-BCFF469B8061

        
        Microsoft Windows XP 64-Bit Edition Version 2003
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=16A52196-0BD0-4355-9F29-2B26CB0961AF

        
        Microsoft Windows Server 2003
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=CBCCADF6-449A-4D74-937D-4087A6E6C1C2

        
        Microsoft Windows Server 2003 64-Bit Edition
        
        http://www.microsoft.com/downloads/details.aspx?FamilyId=16A52196-0BD0-4355-9F29-2B26CB0961AF

- Vulnerability information

12623
Microsoft Windows LoadImage API Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

A remote overflow exists in Microsoft Windows. The LoadImage API of the USER32 Lib fails to perform proper bounds checking resulting in an integer overflow. By creating a malicious Web page which contains specially crafted *.bmp, *.cur, *.ico or *.ani files, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2004-12-20 Unknown
2004-12-20 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- Related references

- Vulnerability author

- Vulnerability information

Microsoft Windows User32.DLL ANI File Header Handling Stack-Based Buffer Overflow Vulnerability
Boundary Condition Error 12233
Yes No
2005-01-11 12:00:00 2009-07-12 09:27:00
This vulnerability was discovered by Yuji Ukai of eEye Digital Security.

- Affected program versions

Nortel Networks Symposium Web Client
Nortel Networks Symposium Web Center Portal (SWCP)
Nortel Networks Symposium TAPI Service Provider
Nortel Networks Symposium Network Control Center (NCC)
Nortel Networks Symposium Express Call Center (SECC)
Nortel Networks Symposium Call Center Server (SCCS)
Nortel Networks Symposium Agent
Nortel Networks Periphonics
Nortel Networks Media Processing Server
Nortel Networks MCS 5200 3.0
Nortel Networks MCS 5100 3.0
Nortel Networks IP softphone 2050
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows XP Tablet PC Edition
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows XP Embedded SP1
Microsoft Windows XP Embedded
Microsoft Windows XP 64-bit Edition Version 2003 SP1
Microsoft Windows XP 64-bit Edition Version 2003
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows XP 64-bit Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows NT Terminal Server 4.0 SP5
Microsoft Windows NT Terminal Server 4.0 SP4
Microsoft Windows NT Terminal Server 4.0 SP3
Microsoft Windows NT Terminal Server 4.0 SP2
Microsoft Windows NT Terminal Server 4.0 SP1
Microsoft Windows NT Terminal Server 4.0
Microsoft Windows NT Server 4.0 SP6a
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows NT Server 4.0 SP6
Microsoft Windows NT Server 4.0 SP5
Microsoft Windows NT Server 4.0 SP4
Microsoft Windows NT Server 4.0 SP3
Microsoft Windows NT Server 4.0 SP2
Microsoft Windows NT Server 4.0 SP1
Microsoft Windows NT Server 4.0
Microsoft Windows NT Enterprise Server 4.0 SP6a
Microsoft Windows NT Enterprise Server 4.0 SP6
Microsoft Windows NT Enterprise Server 4.0 SP5
Microsoft Windows NT Enterprise Server 4.0 SP4
Microsoft Windows NT Enterprise Server 4.0 SP3
Microsoft Windows NT Enterprise Server 4.0 SP2
Microsoft Windows NT Enterprise Server 4.0 SP1
Microsoft Windows NT Enterprise Server 4.0
Microsoft Windows ME
Microsoft Windows 98SE
Microsoft Windows 98
Microsoft Windows 95
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server

- Unaffected program versions

Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Professional SP2
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows XP Home SP2

- Vulnerability discussion

A stack-based buffer overflow vulnerability is reported to affect the ANI (animated cursor files) handler on Microsoft Windows operating systems.

The vulnerability exists in the ANI file header handling routines contained in the 'user32.dll' library.

Ultimately the issue may be leveraged to force the execution of attacker-supplied instructions. It has been reported that this vulnerability affects any application that employs the vulnerable Internet Explorer component, for example:
Microsoft Internet Explorer, Word, Excel, PowerPoint, Outlook, Outlook Express and the Windows Shell.
Other applications are also affected.

- Exploit

A public proof-of-concept that is designed to trigger this vulnerability was created by Assaf Reshef <assaf404 at yahoo dot com> and is available at the following location:

http://underwar.livedns.co.il/projects/ani/

An additional proof of concept (anieeye.zip) has been made available by Berend-Jan Wever.

An additional proof of concept (HOD-ms05002-ani-expl.c) has been made available by houseofdabus HOD <houseofdabus@inbox.ru>.

An exploit has been made available by WhiskyCoders.

- Solution

Microsoft has released updates to address this vulnerability on Windows 98, Windows 98 Second Edition, and Windows Millennium Edition. These updates are available from the Windows Update Web site. Updates for localized versions of Microsoft Windows 98 and Microsoft Windows 98 Second Edition, which are not supported by Windows Update, are available for download separately.

Microsoft has released updates to address this vulnerability on supported platforms.

The Microsoft patch for this vulnerability may cause problems on Windows 98, 98SE, and ME operating systems. Reports suggest that after applying the patch on these operating systems there may be issues with Internet Explorer. See the References section for further information.

Microsoft has released updated fixes for Windows 98, 98SE and ME to address the above issue.


Microsoft Windows 98SE
Microsoft Windows NT Server 4.0 SP6a
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows 98
Microsoft Windows Server 2003 Web Edition
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows XP Embedded SP1
Microsoft Windows XP Home SP1
Microsoft Windows XP 64-bit Edition Version 2003 SP1
Microsoft Windows 2000 Server SP3
Microsoft Windows NT Enterprise Server 4.0 SP6a
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Professional SP4
Microsoft Windows XP Professional SP1

- Related references

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are kept on MITRE's websites.