CVE-2005-1212
CVSS7.5
Published: 2005-06-14 00:00:00
Revised: 2011-03-07 21:21:14
NMCOS    

[原文]Buffer overflow in Microsoft Step-by-Step Interactive Training (orun32.exe) allows remote attackers to execute arbitrary code via a bookmark link file (.cbo, cbl, or .cbm extension) with a long User field.


[CNNVD] Microsoft Step-By-Step Interactive Training Bookmark Link Overflow Vulnerability (CNNVD-200506-119)

        Microsoft Windows is a widely used operating system published by Microsoft; Step-by-Step Interactive Training is one of its components.
        Microsoft Step-By-Step Interactive Training contains a buffer overflow vulnerability caused by a boundary condition error when validating data in bookmark link files. Specifically, the vulnerability is triggered when a malformed .cbo file is processed. A typical .cbo file looks like this:
        [Microsoft Interactive Training]
        User=DEFAULT
        SerialID=00000000
        If a malicious user crafts a file whose User field contains an overlong string, the user-supplied value is copied into a fixed-size stack buffer. This may allow an attacker to overwrite stack memory, such as the saved return address or an SEH pointer, and thereby control execution flow.
        An attacker who successfully exploits this vulnerability can take complete control of the affected system. However, user interaction is required to complete the attack.
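The bookmark file format above is simple enough that a defender can scan incoming .cbo/.cbl/.cbm files for the exact condition the advisory describes (an oversized User field) at a mail gateway or on a file share. The following scanner is an added example written for this page; it is not code from the original record, from Microsoft or from CNNVD. The length threshold MAX_USER_LEN, the function names and the two sample files are assumptions constructed for the example: the advisory does not state the size of the stack buffer, so the threshold is a conservative policy choice rather than the real limit. The parser is deliberately tolerant (no section header, duplicate keys, stray bytes, CRLF or LF) because a hostile file is exactly the one that will not be well-formed.

```python
"""Scan Step-by-Step Interactive Training bookmark files (.cbo/.cbl/.cbm)
for an oversized User field, the condition described for CVE-2005-1212.
Added example for this page; not code from the original record or vendor."""
from dataclasses import dataclass
from typing import Dict, List

BOOKMARK_EXTENSIONS = {".cbo", ".cbl", ".cbm"}
# Assumption: the advisory gives no buffer size, so this threshold is a
# policy choice for the example. A legitimate User value is a short name.
MAX_USER_LEN = 64


@dataclass
class Finding:
    path: str
    field: str
    length: int
    reason: str


def parse_bookmark(data: bytes) -> Dict[str, Dict[str, str]]:
    """Tolerant INI-style parser returning {section: {key: value}}.
    Decoding is lossy (latin-1 never fails) and unparsable lines are
    skipped, so a malformed file cannot abort the scan. For duplicate keys
    the longest value is kept: the scan must report the worst case,
    whichever copy the real parser would end up using."""
    text = data.decode("latin-1")
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            key = key.strip().lower()
            if len(value) > len(sections[current].get(key, "")):
                sections[current][key] = value
    return sections


def scan_bookmark(path: str, data: bytes) -> List[Finding]:
    """Return findings for a bookmark file; non-bookmark extensions are skipped."""
    findings: List[Finding] = []
    ext = path[path.rfind("."):].lower() if "." in path else ""
    if ext not in BOOKMARK_EXTENSIONS:
        return findings
    for section, fields in parse_bookmark(data).items():
        user = fields.get("user")
        if user is not None and len(user) > MAX_USER_LEN:
            findings.append(Finding(
                path, "User", len(user),
                f"User field of {len(user)} bytes exceeds {MAX_USER_LEN} "
                f"in section [{section}]"))
    return findings


# Constructed sample files (not taken from any real incident).
BENIGN = (b"[Microsoft Interactive Training]\r\n"
          b"User=DEFAULT\r\nSerialID=00000000\r\n")
# Same layout with a 600-byte User value; the section header is dropped to
# show that the parser still reaches the field.
SUSPICIOUS = b"User=" + b"A" * 600 + b"\r\nSerialID=00000000\r\n"

if __name__ == "__main__":
    for name, blob in (("lesson.cbo", BENIGN), ("lesson.cbo", SUSPICIOUS)):
        for f in scan_bookmark(name, blob):
            print(f"{f.path}: {f.reason}")
```

Keying the check on field length rather than on a specific byte pattern catches any variant of the oversized value, and the extension gate keeps the scanner from flagging unrelated INI files that happen to carry a long User key.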

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_2000_terminal_services::sp3
cpe:/o:microsoft:windows_2003_server:r2
cpe:/o:microsoft:windows_me  Microsoft Windows ME
cpe:/o:microsoft:windows_98::gold  Microsoft windows 98_gold
cpe:/o:microsoft:windows_2000::sp1:datacenter_server  Microsoft Windows 2000 Datacenter Server SP1
cpe:/o:microsoft:windows_2003_server:standard:sp1
cpe:/o:microsoft:windows_2003_server:enterprise_64-bit:sp1_beta_1
cpe:/o:microsoft:windows_xp::gold:professional  Microsoft Windows XP Professional Gold
cpe:/o:microsoft:windows_2003_server:r2::datacenter_64-bit
cpe:/o:microsoft:windows_2000::sp2:advanced_server  Microsoft Windows 2000 Advanced Server SP2
cpe:/o:microsoft:windows_2000::sp2:professional  Microsoft Windows 2000 Professional SP2
cpe:/o:microsoft:windows_2003_server:enterprise::64-bit
cpe:/o:microsoft:windows_2000_terminal_services::sp1
cpe:/o:microsoft:windows_2000:::professional
cpe:/o:microsoft:windows_2003_server:standard_64-bit
cpe:/o:microsoft:windows_xp::sp1:home
cpe:/o:microsoft:windows_2003_server:r2:sp1
cpe:/o:microsoft:windows_2003_server:standard::64-bit
cpe:/o:microsoft:windows_2003_server:enterprise_64-bit
cpe:/o:microsoft:windows_me:::second_edition
cpe:/o:microsoft:windows_98se  Microsoft windows 98_se
cpe:/o:microsoft:windows_2003_server:r2:sp1_beta_1
cpe:/o:microsoft:windows_2000::sp1:professional  Microsoft Windows 2000 Professional SP1
cpe:/o:microsoft:windows_2003_server:standard:sp1_beta_1
cpe:/o:microsoft:windows_2000::sp3  Microsoft windows 2000_sp3
cpe:/o:microsoft:windows_2003_server:datacenter_64-bit:sp1_beta_1
cpe:/o:microsoft:windows_xp:::home
cpe:/o:microsoft:windows_xp::gold  Microsoft windows xp_gold
cpe:/o:microsoft:windows_xp:::64-bit
cpe:/o:microsoft:windows_2000::sp2  Microsoft windows 2000_sp2
cpe:/o:microsoft:windows_2000::sp2:datacenter_server  Microsoft Windows 2000 Datacenter Server SP2
cpe:/o:microsoft:windows_2000_terminal_services::sp2
cpe:/o:microsoft:windows_xp::sp2:home
cpe:/o:microsoft:windows_2000::sp4:datacenter_server  Microsoft Windows 2000 Datacenter Server SP4
cpe:/o:microsoft:windows_2000:::server
cpe:/o:microsoft:windows_xp::sp2:tablet_pc  Microsoft windows xp_sp2 tablet_pc
cpe:/o:microsoft:windows_xp:::embedded
cpe:/o:microsoft:windows_2003_server:web:sp1
cpe:/o:microsoft:windows_2000::sp4::fr
cpe:/o:microsoft:windows_2003_server:datacenter_64-bit:sp1
cpe:/o:microsoft:windows_2003_server:64-bit
cpe:/o:microsoft:windows_2003_server:enterprise:sp1_beta_1
cpe:/o:microsoft:windows_2000_terminal_services
cpe:/o:microsoft:windows_xp::sp1:media_center  Microsoft windows xp_sp1 media_center
cpe:/o:microsoft:windows_2003_server:r2::64-bit
cpe:/o:microsoft:windows_2000::sp3:datacenter_server  Microsoft Windows 2000 Datacenter Server SP3
cpe:/o:microsoft:windows_2003_server:enterprise_64-bit:sp1
cpe:/o:microsoft:windows_xp::sp1:tablet_pc  Microsoft windows xp_sp1 tablet_pc
cpe:/o:microsoft:windows_2000  Microsoft Windows 2000
cpe:/o:microsoft:windows_2000::sp3:server  Microsoft Windows 2000 Server SP3
cpe:/o:microsoft:windows_2000:::advanced_server
cpe:/o:microsoft:windows_2003_server:web:sp1_beta_1
cpe:/o:microsoft:windows_xp::sp1:64-bit
cpe:/o:microsoft:windows_2000::sp4:server  Microsoft Windows 2000 Server SP4
cpe:/o:microsoft:windows_2000:::datacenter_server
cpe:/o:microsoft:windows_xp:::media_center
cpe:/o:microsoft:windows_2000::sp3:professional  Microsoft Windows 2000 Professional SP3
cpe:/o:microsoft:windows_2000::sp1:server  Microsoft Windows 2000 Server SP1
cpe:/o:microsoft:windows_2000::sp1  Microsoft windows 2000_sp1
cpe:/o:microsoft:windows_2000::sp3:advanced_server  Microsoft Windows 2000 Advanced Server SP3
cpe:/o:microsoft:windows_xp::sp2:media_center  Microsoft windows xp_sp2 media_center
cpe:/o:microsoft:windows_xp::sp1:embedded  Microsoft windows xp_sp1 embedded
cpe:/o:microsoft:windows_2003_server:web
cpe:/o:microsoft:windows_2000::sp1:advanced_server  Microsoft Windows 2000 Advanced Server SP1
cpe:/o:microsoft:windows_2000::sp2:server  Microsoft Windows 2000 Server SP2
cpe:/o:microsoft:windows_2000::sp4:professional  Microsoft Windows 2000 Professional SP4
cpe:/o:microsoft:windows_2003_server:enterprise:sp1
cpe:/o:microsoft:windows_2000::sp4:advanced_server  Microsoft Windows 2000 Advanced Server SP4

- OVAL (technical details for detection)

oval:org.mitre.oval:def:1224  Step-by-Step Interactive Training Buffer Overflow
*OVAL describes in detail how to detect this vulnerability; further technical details on detecting it can be found in the related OVAL definition.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1212
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1212
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200506-119
(Official data source) CNNVD

- Other links and resources

http://www.microsoft.com/technet/Security/bulletin/ms05-031.mspx
(VENDOR_ADVISORY)  MS  MS05-031
http://secunia.com/advisories/15669/
(VENDOR_ADVISORY)  SECUNIA  15669
http://idefense.com/application/poi/display?id=262&type=vulnerabilities&flashstatus=true
(VENDOR_ADVISORY)  IDEFENSE  20050614 Microsoft Windows Interactive Training Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/13944
(UNKNOWN)  BID  13944
http://securitytracker.com/id?1014194
(UNKNOWN)  SECTRACK  1014194

- Vulnerability information

Microsoft Step-By-Step Interactive Training Bookmark Link Overflow Vulnerability
High  Buffer Overflow
2005-06-14 00:00:00 2006-04-24 00:00:00
Remote
        Microsoft Windows is a widely used operating system published by Microsoft; Step-by-Step Interactive Training is one of its components.
        Microsoft Step-By-Step Interactive Training contains a buffer overflow vulnerability caused by a boundary condition error when validating data in bookmark link files. Specifically, the vulnerability is triggered when a malformed .cbo file is processed. A typical .cbo file looks like this:
        [Microsoft Interactive Training]
        User=DEFAULT
        SerialID=00000000
        If a malicious user crafts a file whose User field contains an overlong string, the user-supplied value is copied into a fixed-size stack buffer. This may allow an attacker to overwrite stack memory, such as the saved return address or an SEH pointer, and thereby control execution flow.
        An attacker who successfully exploits this vulnerability can take complete control of the affected system. However, user interaction is required to complete the attack.

- Advisories and patches

        The vendor has released an update that fixes this security issue; patch download link:
        http://www.microsoft.com/technet/security/Bulletin/MS05-031.mspx

- Vulnerability information

17304
Microsoft Windows Interactive Training .cbo File User Field Overflow
Input Manipulation
Loss of Integrity

- Vulnerability description

- Timeline

2005-06-14 2005-02-23
Unknown Unknown

- Solution

Products

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Microsoft Step-By-Step Interactive Training Bookmark Link Buffer Overflow Vulnerability
Boundary Condition Error 13944
Yes No
2005-06-14 12:00:00 2009-07-12 02:56:00
Discovery is credited to iDEFENSE Labs.

- Affected program versions

Microsoft Step-By-Step Interactive 0

- Vulnerability discussion

Microsoft Step-By-Step Interactive Training is prone to a buffer overflow vulnerability. This is due to a boundary condition error related to validation of data in bookmark link files. As bookmark link files may originate from an external source, this issue may be remotely exploitable.

Successful exploitation will result in execution of arbitrary code in the context of the currently logged in user.

A number of third-party providers may supply the Step-by-Step Interactive training program as a part of their products. There is not a conclusive list of products that may have installed this software.

- Exploits

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

Microsoft has released fixes to address this vulnerability.


Microsoft Step-By-Step Interactive 0

- References

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.