CVE-2004-1306
CVSS 5.1
Published: 2004-12-31 00:00:00
Revised: 2016-10-17 22:53:02

[Original] Heap-based buffer overflow in winhlp32.exe in Windows NT, Windows 2000 through SP4, Windows XP through SP2, and Windows 2003 allows remote attackers to execute arbitrary code via a crafted .hlp file.


[CNNVD] Microsoft Windows winhlp32.exe Heap Overflow Vulnerability (CNNVD-200412-244)


        Microsoft Windows is a commercial operating system.
        Microsoft Windows winhlp32.exe contains a heap overflow when parsing .hlp files. A remote attacker can exploit this vulnerability to possibly execute arbitrary instructions on the system with the privileges of the user process.
        When an .hlp file is compressed in segments, it contains an internal file named phrase. This phrase file consists of a phrase header followed by phrase tables; the phrase header is located at offset 0x19 of the .hlp file and is laid out as follows:
        struct PhraseHeader {
            unsigned short wNumberOfPhrases;
            unsigned short wOneHundred;    /* always 0x0100 */
            long decompressedsize;
        };

        The phrases header is immediately followed by the phrases table. Each phrases table entry occupies 4 bytes and holds 2 fields, phrasesHeadOffset and phrasesEndOffset, both of type unsigned short, giving the start and end offsets of the phrase.

        The function that processes the phrases table takes 3 parameters (on Chinese Windows 2000 SP4 this function is at address 0x0100A1EF). The 3rd parameter is a pointer to the phrases header and the 2nd parameter points to a heap buffer used to hold the phrase data. When computing the data length the function does not check whether that length is valid, so an .HLP file can be constructed that overwrites the heap buffer pointed to by the 2nd parameter. The analysis of this function follows:
        .text:0100A1EF sub_100A1EF proc near ; CODE XREF: sub_100A14C+6Fp
        .text:0100A1EF
        .text:0100A1EF arg_0 = dword ptr 4
        .text:0100A1EF arg_4 = dword ptr 8
        .text:0100A1EF arg_8 = dword ptr 0Ch
        .text:0100A1EF
        .text:0100A1EF mov eax, [esp+arg_8] ; arg_8 points to the phrase header
        .text:0100A1F3 push ebx
        .text:0100A1F4 push esi
        .text:0100A1F5 push edi
        .text:0100A1F6 movzx edx, word ptr [eax+2] ; [eax+2] -> wOneHundred
        .text:0100A1FA mov ecx, [eax+0Ch] ; [eax+0Ch] -> phrase table
        .text:0100A1FD mov eax, [esp+0Ch+arg_0] ; the following computes the index into the phrase table
        .text:0100A201 sub eax, edx
        .text:0100A203 mov ebx, [esp+0Ch+arg_4]
        .text:0100A207 mov edi, eax
        .text:0100A209 shr eax, 1
        .text:0100A20B and edi, 1
        .text:0100A20E movzx edx, word ptr [ecx+eax*2] ; phrase_offset1
        .text:0100A212 movzx esi, word ptr [ecx+eax*2+2] ; phrase_offset2
        .text:0100A217 sub esi, edx
        .text:0100A219 add ecx, edx
        .text:0100A21B push esi ; size_t ; size = phrase_offset2 - phrase_offset1
        .text:0100A21C push ecx ; void *
        .text:0100A21D push ebx ; void * ; ebx -> the second parameter, i.e. the heap buffer
        .text:0100A21E call ds:memmove
        Two problems here lead to an overflow:
        1. Integer overflow: if phrasesEndOffset is smaller than phrasesHeadOffset, phrasesEndOffset - phrasesHeadOffset is negative. No check is made, and the overflow is triggered when memmove is actually called.
        2. In addition, the heap buffer is not allocated from phrasesEndOffset - phrasesHeadOffset; its size is decoded and computed from other fields of the hlp file. Because that decoding and computation are too complex, they are not described in detail here. Simply modifying one phrases table entry of a normal hlp file so that its phrasesEndOffset field is larger will also trigger this vulnerability.
        
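The two checks missing from sub_100A1EF, shown as an added C example that is not part of this record or of Microsoft's code: vulnerable_len mirrors the unchecked subtraction from the disassembly, copy_phrase is an assumed hardened interface (its table index is taken as already derived from arg_0, as the disassembly does), and the phrase file bytes are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample phrase file: four little-endian offset words, then the
 * phrase text "the", "of", "and" that the consecutive offsets delimit. */
static const uint8_t sample[] = {
    8, 0, 11, 0, 13, 0, 16, 0,
    't', 'h', 'e', 'o', 'f', 'a', 'n', 'd'
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Length as computed in sub_100A1EF: offsets are zero-extended, subtracted
 * without a check and pushed to memmove as size_t, so end < start becomes
 * a length of roughly 4 GB instead of an error. */
size_t vulnerable_len(uint16_t start, uint16_t end) {
    int len = (int)end - (int)start;   /* sub esi, edx */
    return (size_t)len;                /* push esi ; size_t */
}

/* Bounds-checked replacement (assumed interface, not Microsoft's code).
 * phr/phr_len: the phrase file; idx: word index into the offset table, as the
 * disassembly derives it from arg_0; dst/dst_len: the destination heap buffer.
 * Returns 0 and sets *out_len on success, -1 if the entry is rejected. */
int copy_phrase(const uint8_t *phr, size_t phr_len, size_t idx,
                uint8_t *dst, size_t dst_len, size_t *out_len) {
    if (idx > SIZE_MAX / 2 - 2 || (idx + 2) * 2 > phr_len) return -1;
    uint16_t start = rd16(phr + idx * 2);
    uint16_t end   = rd16(phr + idx * 2 + 2);
    if (end < start)   return -1;      /* problem 1: negative length */
    if (end > phr_len) return -1;      /* source must stay inside the phrase file */
    size_t len = (size_t)end - start;
    if (len > dst_len) return -1;      /* problem 2: dst was sized from other fields */
    memmove(dst, phr + start, len);
    *out_len = len;
    return 0;
}

/* Overwrites the end offset of phrase 1 (word index 2) in a copy of the
 * sample with new_end and returns what copy_phrase says about that entry. */
int tampered_result(uint16_t new_end) {
    uint8_t buf[sizeof sample], out[8];
    size_t n;
    memcpy(buf, sample, sizeof sample);
    buf[4] = (uint8_t)(new_end & 0xFF);
    buf[5] = (uint8_t)(new_end >> 8);
    return copy_phrase(buf, sizeof buf, 1, out, sizeof out, &n);
}
```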

- CVSS (base score)

CVSS score: 5.1 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_nt:4.0:sp6a:server  Microsoft Windows 4.0 sp6a server
cpe:/o:microsoft:windows_2003_server:r2::datacenter_64-bit
cpe:/o:microsoft:windows_2000::sp3:datacenter_server  Microsoft Windows 2000 Datacenter Server SP3
cpe:/o:microsoft:windows_nt:4.0:sp6a:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP6a
cpe:/o:microsoft:windows_2000::sp4:datacenter_server  Microsoft Windows 2000 Datacenter Server SP4
cpe:/o:microsoft:windows_xp::sp1:64-bit
cpe:/o:microsoft:windows_2000::sp1:datacenter_server  Microsoft Windows 2000 Datacenter Server SP1
cpe:/o:microsoft:windows_2000::sp2:datacenter_server  Microsoft Windows 2000 Datacenter Server SP2
cpe:/o:microsoft:windows_nt:4.0:sp5:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP5
cpe:/o:microsoft:windows_nt:4.0:sp2:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP2
cpe:/o:microsoft:windows_nt:4.0:sp6:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP6
cpe:/o:microsoft:windows_nt:4.0:sp6a:enterprise_server
cpe:/o:microsoft:windows_2003_server:web:sp1_beta_1
cpe:/o:microsoft:windows_2000:::advanced_server
cpe:/o:microsoft:windows_nt:4.0:sp5:enterprise_server
cpe:/o:microsoft:windows_nt:4.0:sp6:enterprise_server
cpe:/o:microsoft:windows_2003_server:enterprise_64-bit:sp1_beta_1
cpe:/o:microsoft:windows_nt:4.0:sp6a:workstation  Microsoft Windows 4.0 sp6a workstation
cpe:/o:microsoft:windows_2000::sp3:professional  Microsoft Windows 2000 Professional SP3
cpe:/o:microsoft:windows_2003_server:enterprise::64-bit
cpe:/o:microsoft:windows_2000::sp4:professional  Microsoft Windows 2000 Professional SP4
cpe:/o:microsoft:windows_nt:4.0:sp5:server  Microsoft Windows 4.0 sp5 server
cpe:/o:microsoft:windows_2000::sp1:professional  Microsoft Windows 2000 Professional SP1
cpe:/o:microsoft:windows_nt:4.0:sp6:server  Microsoft Windows 4.0 sp6 server
cpe:/o:microsoft:windows_2000::sp2:professional  Microsoft Windows 2000 Professional SP2
cpe:/o:microsoft:windows_nt:4.0:sp3:server  Microsoft Windows 4.0 sp3 server
cpe:/o:microsoft:windows_2000:::datacenter_server
cpe:/o:microsoft:windows_nt:4.0:sp4:server  Microsoft Windows 4.0 sp4 server
cpe:/o:microsoft:windows_nt:4.0:sp1:server  Microsoft Windows 4.0 sp1 server
cpe:/o:microsoft:windows_nt:4.0::terminal_server
cpe:/o:microsoft:windows_nt:4.0:sp2:server  Microsoft Windows 4.0 sp2 server
cpe:/o:microsoft:windows_2000::sp1:server  Microsoft Windows 2000 Server SP1
cpe:/o:microsoft:windows_2000::sp4:server  Microsoft Windows 2000 Server SP4
cpe:/o:microsoft:windows_2000::sp3:server  Microsoft Windows 2000 Server SP3
cpe:/o:microsoft:windows_2003_server:enterprise:sp1_beta_1
cpe:/o:microsoft:windows_2000::sp2:server  Microsoft Windows 2000 Server SP2
cpe:/o:microsoft:windows_xp::sp2:home
cpe:/o:microsoft:windows_nt:4.0:sp5:workstation  Microsoft Windows 4.0 sp5 workstation
cpe:/o:microsoft:windows_xp::sp1:home
cpe:/o:microsoft:windows_nt:4.0:sp6:workstation  Microsoft Windows 4.0 sp6 workstation
cpe:/o:microsoft:windows_nt:4.0:sp3:workstation  Microsoft Windows 4.0 sp3 workstation
cpe:/o:microsoft:windows_2003_server:web
cpe:/o:microsoft:windows_nt:4.0:sp4:workstation  Microsoft Windows 4.0 sp4 workstation
cpe:/o:microsoft:windows_nt:4.0:sp1:workstation  Microsoft Windows 4.0 sp1 workstation
cpe:/o:microsoft:windows_nt:4.0:sp2:workstation  Microsoft Windows 4.0 sp2 workstation
cpe:/o:microsoft:windows_nt:4.0::workstation
cpe:/o:microsoft:windows_2003_server:enterprise_64-bit
cpe:/o:microsoft:windows_xp::sp1:media_center  Microsoft windows xp_sp1 media_center
cpe:/o:microsoft:windows_xp::sp2:media_center  Microsoft windows xp_sp2 media_center
cpe:/o:microsoft:windows_2003_server:standard::64-bit
cpe:/o:microsoft:windows_2003_server:datacenter_64-bit:sp1_beta_1
cpe:/o:microsoft:windows_nt:4.0::enterprise_server
cpe:/o:microsoft:windows_nt:4.0:sp3:enterprise_server
cpe:/o:microsoft:windows_nt:4.0:sp4:enterprise_server
cpe:/o:microsoft:windows_2003_server:standard:sp1_beta_1
cpe:/o:microsoft:windows_xp:::media_center
cpe:/o:microsoft:windows_nt:4.0:sp1:enterprise_server
cpe:/o:microsoft:windows_nt:4.0:sp2:enterprise_server
cpe:/o:microsoft:windows_nt:4.0::server
cpe:/o:microsoft:windows_nt:4.0:sp4:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP4
cpe:/o:microsoft:windows_nt:4.0:sp1:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP1
cpe:/o:microsoft:windows_nt:4.0:sp3:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP3
cpe:/o:microsoft:windows_xp::gold:professional  Microsoft Windows XP Professional Gold
cpe:/o:microsoft:windows_2003_server:r2::64-bit
cpe:/o:microsoft:windows_2000::sp4:advanced_server  Microsoft Windows 2000 Advanced Server SP4
cpe:/o:microsoft:windows_2000::sp3:advanced_server  Microsoft Windows 2000 Advanced Server SP3
cpe:/o:microsoft:windows_2000::sp2:advanced_server  Microsoft Windows 2000 Advanced Server SP2
cpe:/o:microsoft:windows_2000::sp1:advanced_server  Microsoft Windows 2000 Advanced Server SP1
cpe:/o:microsoft:windows_xp:::64-bit
cpe:/o:microsoft:windows_2000:::server
cpe:/o:microsoft:windows_2000:::professional
cpe:/o:microsoft:windows_2003_server:r2:sp1_beta_1
cpe:/o:microsoft:windows_xp:::home

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1306
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1306
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-244
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=110383690219440&w=2
(UNKNOWN)  BUGTRAQ  20041223 Microsoft Windows winhlp32.exe Heap Overflow Vulnerability
http://www.securityfocus.com/bid/12092
(UNKNOWN)  BID  12092
http://www.xfocus.net/flashsky/icoExp/
(UNKNOWN)  MISC  http://www.xfocus.net/flashsky/icoExp/
http://xforce.iss.net/xforce/xfdb/18678
(UNKNOWN)  XF  win-winhlp32-bo(18678)

- Vulnerability information

Microsoft Windows winhlp32.exe Heap Overflow Vulnerability
Medium  Boundary condition error
2004-12-31 00:00:00 2006-04-24 00:00:00
Remote

- Advisories and patches

        Vendor patches:
        Microsoft
        ---------
        The vendor has not yet provided a patch or upgrade. We recommend that users of this software monitor the vendor's home page for the latest version:

        http://www.microsoft.com/technet/security/

- Vulnerability information

12625
Microsoft Windows winhlp32.exe Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

A remote overflow exists in Microsoft Windows. The 'winhlp32.exe' application fails to perform proper bounds checking resulting in a buffer overflow. With a specially crafted '.hlp' file, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2004-12-20 Unknown
2004-12-20 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- References

- Vulnerability author
