CVE-2006-0010
CVSS 9.3
Published: 2006-01-10 17:03:00
Revised: 2016-11-18 21:59:46
NMCOPS    

[Original] Heap-based buffer overflow in T2EMBED.DLL in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 up to SP1, Windows 98, and Windows ME allows remote attackers to execute arbitrary code via an e-mail message or web page with a crafted Embedded Open Type (EOT) web font that triggers the overflow during decompression.


[CNNVD] Microsoft Windows Embedded Web Font Heap Overflow Vulnerability (CNNVD-200601-091)

        Microsoft Windows is a very popular operating system released by Microsoft.
        A vulnerability exists in the way Windows decompresses Embedded Open Type (EOT) fonts; an attacker may exploit it to execute arbitrary instructions on the machine. Internet Explorer calls T2EMBED.DLL when processing EOT fonts. The data within an EOT file is compressed in Agfa MicroType Express format, whose LZ-compressed stream contains a 24-bit allocation size. This size + 1C00h is allocated in the function MTX_LZCOMP_UnPackMemory, but the resulting allocation size is not validated before data is copied into the block, which allows a malformed EOT file to cause a heap overflow of arbitrary length with binary data.

- CVSS (base score)

CVSS score: 9.3 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CWE (weakness category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_2003_server:standard::64-bit
cpe:/o:microsoft:windows_nt:4.0:sp1:server - Microsoft Windows 4.0 sp1 server
cpe:/o:microsoft:windows_xp:::home
cpe:/o:microsoft:windows_nt:4.0:sp2:server - Microsoft Windows 4.0 sp2 server
cpe:/o:microsoft:windows_nt:4.0:sp3:server - Microsoft Windows 4.0 sp3 server
cpe:/o:microsoft:windows_nt:4.0:sp4:server - Microsoft Windows 4.0 sp4 server
cpe:/o:microsoft:windows_xp::sp2:media_center - Microsoft windows xp_sp2 media_center
cpe:/o:microsoft:windows_xp::sp1:media_center - Microsoft windows xp_sp1 media_center
cpe:/o:microsoft:windows_nt:4.0:sp4:enterprise_server
cpe:/o:microsoft:windows_nt:4.0:sp3:enterprise_server
cpe:/o:microsoft:windows_nt:4.0::enterprise_server
cpe:/o:microsoft:windows_nt:4.0:sp2:enterprise_server
cpe:/o:microsoft:windows_nt:4.0:sp1:enterprise_server
cpe:/o:microsoft:windows_2003_server:web:sp1
cpe:/o:microsoft:windows_nt:3.5.1:sp3 - Microsoft Windows NT 3.5.1 SP3
cpe:/o:microsoft:windows_nt:3.5.1:sp4 - Microsoft Windows NT 3.5.1 SP4
cpe:/o:microsoft:windows_nt:3.5.1:sp1 - Microsoft Windows NT 3.5.1 SP1
cpe:/o:microsoft:windows_nt:3.5.1:sp2 - Microsoft Windows NT 3.5.1 SP2
cpe:/o:microsoft:windows_nt:3.5.1:sp5 - Microsoft Windows NT 3.5.1 SP5
cpe:/o:microsoft:windows_nt:4.0::terminal_server_alpha
cpe:/o:microsoft:windows_98::gold - Microsoft windows 98_gold
cpe:/o:microsoft:windows_2000::sp4:server - Microsoft Windows 2000 Server SP4
cpe:/o:microsoft:windows_2003_server:enterprise:sp1
cpe:/o:microsoft:windows_2000::sp3:server - Microsoft Windows 2000 Server SP3
cpe:/o:microsoft:windows_2003_server:web
cpe:/o:microsoft:windows_2000::sp2:server - Microsoft Windows 2000 Server SP2
cpe:/o:microsoft:windows_2000::sp1:server - Microsoft Windows 2000 Server SP1
cpe:/o:microsoft:windows_xp:::media_center
cpe:/o:microsoft:windows_nt:4.0:sp6:enterprise_server
cpe:/o:microsoft:windows_nt:4.0:sp5:enterprise_server
cpe:/o:microsoft:windows_xp::gold:professional - Microsoft Windows XP Professional Gold
cpe:/o:microsoft:windows_nt:4.0:sp6a:enterprise_server
cpe:/o:microsoft:windows_2003_server:enterprise_64-bit
cpe:/o:microsoft:windows_2000:::advanced_server
cpe:/o:microsoft:windows_2000:::datacenter_server
cpe:/o:microsoft:windows_nt:4.0:sp6a:server - Microsoft Windows 4.0 sp6a server
cpe:/o:microsoft:windows_nt:4.0:sp6a:workstation - Microsoft Windows 4.0 sp6a workstation
cpe:/o:microsoft:windows_2000::sp2:professional - Microsoft Windows 2000 Professional SP2
cpe:/o:microsoft:windows_xp::sp2:tablet_pc - Microsoft windows xp_sp2 tablet_pc
cpe:/o:microsoft:windows_2000::sp1:professional - Microsoft Windows 2000 Professional SP1
cpe:/o:microsoft:windows_2000::sp4:professional - Microsoft Windows 2000 Professional SP4
cpe:/o:microsoft:windows_nt:4.0:sp5:workstation - Microsoft Windows 4.0 sp5 workstation
cpe:/o:microsoft:windows_2000::sp2:advanced_server - Microsoft Windows 2000 Advanced Server SP2
cpe:/o:microsoft:windows_2000::sp3:professional - Microsoft Windows 2000 Professional SP3
cpe:/o:microsoft:windows_nt:4.0:sp6:workstation - Microsoft Windows 4.0 sp6 workstation
cpe:/o:microsoft:windows_2000::sp1:advanced_server - Microsoft Windows 2000 Advanced Server SP1
cpe:/o:microsoft:windows_nt:3.5.1:sp5:alpha - Microsoft Windows NT 3.5.1 SP5 alpha
cpe:/o:microsoft:windows_2000::sp4:advanced_server - Microsoft Windows 2000 Advanced Server SP4
cpe:/o:microsoft:windows_nt:4.0 - Microsoft Windows NT 4.0
cpe:/o:microsoft:windows_2000::sp3:advanced_server - Microsoft Windows 2000 Advanced Server SP3
cpe:/o:microsoft:windows_2003_server:enterprise::64-bit
cpe:/o:microsoft:windows_2003_server:enterprise_64-bit:sp1
cpe:/o:microsoft:windows_nt:4.0:sp5 - Microsoft Windows 4.0 sp5
cpe:/o:microsoft:windows_nt:4.0:sp6 - Microsoft Windows 4.0 sp6
cpe:/o:microsoft:windows_nt:4.0:sp3 - Microsoft Windows 4.0 sp3
cpe:/o:microsoft:windows_nt:4.0:sp5:server - Microsoft Windows 4.0 sp5 server
cpe:/o:microsoft:windows_nt:4.0:sp6:server - Microsoft Windows 4.0 sp6 server
cpe:/o:microsoft:windows_nt:4.0::server
cpe:/o:microsoft:windows_xp::sp1:home
cpe:/o:microsoft:windows_xp::sp2:home
cpe:/o:microsoft:windows_2000:::professional
cpe:/o:microsoft:windows_2003_server:standard:sp1
cpe:/o:microsoft:windows_nt:4.0:sp1 - Microsoft Windows 4.0 sp1
cpe:/o:microsoft:windows_nt:4.0:sp4 - Microsoft Windows 4.0 sp4
cpe:/o:microsoft:windows_nt:4.0:sp2 - Microsoft Windows 4.0 sp2
cpe:/o:microsoft:windows_nt:4.0::terminal_server
cpe:/o:microsoft:windows_nt:4.0:sp6a - Microsoft Windows 4.0 sp6a
cpe:/o:microsoft:windows_2003_server:r2::datacenter_64-bit
cpe:/o:microsoft:windows_nt:4.0::workstation
cpe:/o:microsoft:windows_nt:4.0:sp3:terminal_server - Microsoft Windows NT Terminal Server 4.0 SP3
cpe:/o:microsoft:windows_nt:4.0:sp4:terminal_server - Microsoft Windows NT Terminal Server 4.0 SP4
cpe:/o:microsoft:windows_nt:4.0:sp1:terminal_server - Microsoft Windows NT Terminal Server 4.0 SP1
cpe:/o:microsoft:windows_nt:4.0:sp2:terminal_server - Microsoft Windows NT Terminal Server 4.0 SP2
cpe:/o:microsoft:windows_me - Microsoft Windows ME
cpe:/o:microsoft:windows_nt:4.0::alpha
cpe:/o:microsoft:windows_nt:4.0:sp3:workstation - Microsoft Windows 4.0 sp3 workstation
cpe:/o:microsoft:windows_nt:4.0:sp4:workstation - Microsoft Windows 4.0 sp4 workstation
cpe:/o:microsoft:windows_2003_server:r2:sp1
cpe:/o:microsoft:windows_nt:4.0:sp5:terminal_server - Microsoft Windows NT Terminal Server 4.0 SP5
cpe:/o:microsoft:windows_nt:4.0:sp6:terminal_server - Microsoft Windows NT Terminal Server 4.0 SP6
cpe:/o:microsoft:windows_nt:4.0:sp1:workstation - Microsoft Windows 4.0 sp1 workstation
cpe:/o:microsoft:windows_nt:4.0:sp2:workstation - Microsoft Windows 4.0 sp2 workstation
cpe:/o:microsoft:windows_2003_server:standard_64-bit
cpe:/o:microsoft:windows_nt:4.0:sp6a:terminal_server - Microsoft Windows NT Terminal Server 4.0 SP6a
cpe:/o:microsoft:windows_nt:4.0:sp6a:alpha
cpe:/o:microsoft:windows_2000::sp1:datacenter_server - Microsoft Windows 2000 Datacenter Server SP1
cpe:/o:microsoft:windows_xp:::64-bit
cpe:/o:microsoft:windows_2000::sp2:datacenter_server - Microsoft Windows 2000 Datacenter Server SP2
cpe:/o:microsoft:windows_2000::sp3:datacenter_server - Microsoft Windows 2000 Datacenter Server SP3
cpe:/o:microsoft:windows_2000::sp4:datacenter_server - Microsoft Windows 2000 Datacenter Server SP4
cpe:/o:microsoft:windows_98se - Microsoft windows 98_se
cpe:/o:microsoft:windows_nt:3.5.1 - Microsoft Windows NT 3.5.1
cpe:/o:microsoft:windows_2003_server:r2::64-bit
cpe:/o:microsoft:windows_nt:4.0:sp5:alpha
cpe:/o:microsoft:windows_2000:::server
cpe:/o:microsoft:windows_nt:4.0:sp6:alpha
cpe:/o:microsoft:windows_nt:4.0:sp2:alpha
cpe:/o:microsoft:windows_2003_server:datacenter_64-bit:sp1
cpe:/o:microsoft:windows_nt:4.0:sp3:alpha
cpe:/o:microsoft:windows_nt:4.0:sp4:alpha
cpe:/o:microsoft:windows_nt:4.0:sp1:alpha

- OVAL (technical details for detection)

oval:org.mitre.oval:def:714 - Win2k Embedded Web Font Vulnerability
oval:org.mitre.oval:def:698 - WinXP,SP2 Embedded Web Font Vulnerability
oval:org.mitre.oval:def:1491 - WinXP,SP1 Embedded Web Font Vulnerability
oval:org.mitre.oval:def:1462 - WinXP (64-bit) Embedded Web Font Vulnerability
oval:org.mitre.oval:def:1185 - Server 2003,SP1 Embedded Web Font Vulnerability
oval:org.mitre.oval:def:1126 - Server 2003 Embedded Web Font Vulnerability
oval:gov.nist.fdcc.patch:def:28 - MS06-002: Vulnerability in Embedded Web Fonts Could Allow Remote Code Execution (908519)
oval:gov.nist.USGCB.patch:def:28 - MS06-002: Vulnerability in Embedded Web Fonts Could Allow Remote Code Execution (908519)
*OVAL describes in detail how this vulnerability is detected; more technical details on detecting it can be found in the related OVAL definitions.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0010
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0010
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200601-091
(official data source) CNNVD

- Other links and resources

http://seclists.org/fulldisclosure/2006/Jan/363
(UNKNOWN)  FULLDISC  20060110 [EEYEB-2000801] - Windows Embedded Open Type (EOT) Font Heap Overflow Vulnerability
http://securitytracker.com/id?1015459
(UNKNOWN)  SECTRACK  1015459
http://support.avaya.com/elmodocs2/security/ASA-2006-004.htm
(UNKNOWN)  CONFIRM  http://support.avaya.com/elmodocs2/security/ASA-2006-004.htm
http://www.eeye.com/html/Research/Advisories/EEYEB20050801.html
(UNKNOWN)  EEYE  EEYEB20050801
http://www.kb.cert.org/vuls/id/915930
(VENDOR_ADVISORY)  CERT-VN  VU#915930
http://www.microsoft.com/technet/security/bulletin/ms06-002.mspx
(VENDOR_ADVISORY)  MS  MS06-002
http://www.securityfocus.com/archive/1/archive/1/421885/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060110 [EEYEB-2000801] - Windows Embedded Open Type (EOT) Font Heap Overflow Vulnerability
http://www.securityfocus.com/bid/16194
(PATCH)  BID  16194
http://www.us-cert.gov/cas/techalerts/TA06-010A.html
(UNKNOWN)  CERT  TA06-010A
http://www.vupen.com/english/advisories/2006/0118
(UNKNOWN)  VUPEN  ADV-2006-0118
http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=BLTNDETAIL&DocumentOID=375525
(UNKNOWN)  MISC  http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=BLTNDETAIL&DocumentOID=375525
http://xforce.iss.net/xforce/xfdb/23922
(UNKNOWN)  XF  win-embedded-fonts-bo(23922)

- Vulnerability information

Microsoft Windows Embedded Web Font Heap Overflow Vulnerability
High risk  Buffer overflow
Published 2006-01-10 00:00:00  Updated 2006-04-19 00:00:00
Remote

- Advisories and patches

        The vendor has released an update that fixes this security issue; patch download link:
        http://www.microsoft.com/technet/security/Bulletin/MS06-002.mspx

- Vulnerability information (F42977)

Technical Cyber Security Alert 2006-10A (PacketStormID:F42977)
2006-01-11 00:00:00
US-CERT  us-cert.gov
advisory,remote,denial of service,arbitrary,vulnerability
windows
CVE-2006-0002,CVE-2006-0010

Technical Cyber Security Alert TA06-010A - Microsoft has released updates that address critical vulnerabilities in Windows, Outlook, and Exchange. Exploitation of these vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service on a vulnerable system.



   
                        National Cyber Alert System

                 Technical Cyber Security Alert TA06-010A


Microsoft Windows, Outlook, and Exchange Vulnerabilities

   Original release date: January 10, 2006
   Last revised: January 10, 2006
   Source: US-CERT


Systems Affected

     * Microsoft Windows
     * Microsoft Outlook
     * Microsoft Exchange

   For more complete information, refer to the Microsoft Security
   Bulletin Summary for January 2006.


Overview

   Microsoft has released updates that address critical vulnerabilities
   in Windows, Outlook, and Exchange. Exploitation of these
   vulnerabilities could allow a remote, unauthenticated attacker to
   execute arbitrary code or cause a denial of service on a vulnerable
   system.


I. Description

   Microsoft Security Bulletins for January 2006 address vulnerabilities
   in Microsoft Windows, Outlook, and Exchange. Further information is
   available in the following US-CERT Vulnerability Notes:

   VU#915930 - Microsoft embedded web font buffer overflow 

   A heap-based buffer overflow in the way Microsoft Windows processes
   embedded web fonts may allow a remote, unauthenticated attacker to
   execute arbitrary code on a vulnerable system.
   (CVE-2006-0010)

   VU#252146 - Microsoft Outlook and Microsoft Exchange TNEF decoding
   vulnerability 

   Microsoft Outlook and Microsoft Exchange contain an unspecified
   vulnerability in processing TNEF attachments. This may allow a remote,
   unauthenticated attacker to execute arbitrary code on a system running
   the vulnerable software.
   (CVE-2006-0002)


II. Impact

   Exploitation of these vulnerabilities may allow a remote,
   unauthenticated attacker to execute arbitrary code with the privileges
   of the user. If the user is logged on with administrative privileges,
   the attacker could take complete control of an affected system. An
   attacker may also be able to cause a denial of service.


III. Solution

Apply Updates

   Microsoft has provided the updates for these vulnerabilities in the
   Security Bulletins and on the Microsoft Update site.

Workarounds

   Please see the US-CERT Vulnerability Notes in Appendix A for workarounds.


Appendix A. References

     * Microsoft Security Bulletin Summary for January 2006 -
       <http://www.microsoft.com/technet/security/bulletin/ms06-jan.mspx>

     * US-CERT Vulnerability Note VU#915930 -
       <http://www.kb.cert.org/vuls/id/915930>

     * US-CERT Vulnerability Note VU#252146 -
       <http://www.kb.cert.org/vuls/id/252146>

     * CVE-2006-0002 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0002>

     * CAN-2006-0010 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0010>

     * Microsoft Update - <https://update.microsoft.com/microsoftupdate>

 ____________________________________________________________________

   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/techalerts/TA06-010A.html>
 ____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <cert@cert.org> with "TA06-010A Feedback VU#915930" in the
   subject.
 ____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
 ____________________________________________________________________

   Produced 2006 by US-CERT, a government organization.

   Terms of use:

     <http://www.us-cert.gov/legal.html>
 ____________________________________________________________________



Revision History

   January 10, 2006: Initial release


    

- Vulnerability information (F42975)

EEYEB-20050801.txt (PacketStormID:F42975)
2006-01-11 00:00:00
Fang Xing  eeye.com
advisory,web,arbitrary
windows
CVE-2006-0010

eEye Security Advisory - eEye Digital Security has discovered a vulnerability in the way Windows uncompresses Embedded Open Type fonts that would allow the author of a malicious web page to execute arbitrary code on the system of a user who visits the site, at the privilege level of that user.

EEYEB-20050801 Windows Embedded Open Type (EOT) Font Heap Overflow
Vulnerability

Release Date:
January 10, 2006

Date Reported:
July 31, 2005

Time to Patch:
163 Days

Severity:
High (Code Execution)

Systems Affected:
Windows ME
Windows 98
Windows NT
Windows 2000
Windows XP SP1 / SP2
Windows Server 2003 SP0 / SP1

Overview:
eEye Digital Security has discovered a vulnerability in the way Windows
uncompresses Embedded Open Type fonts that would allow the author of a
malicious web page to execute arbitrary code on the system of a user who
visits the site, at the privilege level of that user.

Embedded Open Type fonts are referenced through the use of style data,
as the following snippet illustrates:

    @font-face {
        font-family: Abysmal;
        font-style:  normal;
        font-weight: normal;
        src: url(evil.eot);
    }

Although these fonts typically have .eot file extensions, it should be
noted that any extension may be used in order to exploit this
vulnerability.

Technical Details:
A heap overflow vulnerability exists in T2EMBED.DLL, which Internet
Explorer invokes to process EOT fonts.  The data within an EOT file is
compressed in Agfa MicroType Express format, which hosts an
LZ-compressed stream that includes a 24-bit allocation size.  This size
+ 1C00h is allocated within the function MTX_LZCOMP_UnPackMemory, but
the resulting allocation size is not validated before data is copied
into the block, allowing a malformed EOT file to cause an essentially
arbitrary-length heap buffer overflow with binary data.

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.
Blink End-Point Protection proactively protects against this
vulnerability.

Vendor Status:
Microsoft has released a patch for this vulnerability.  The patch is
available at:
http://www.microsoft.com/technet/security/bulletin/MS06-002.mspx

References:
EEYE ID# EEYEB-20050801
OSVDB ID# 18829
CVE # CVE-2006-0010

Credit:
Fang Xing

Greetings:
eEye Research and especially Derek for all his help

Copyright (c) 1998-2006 eEye Digital Security Permission is hereby
granted for the redistribution of this alert electronically.  It is not
to be edited in any way without express consent of eEye.  If you wish to
reprint the whole or any part of this alert in any other medium
excluding electronic medium, please email alert@eEye.com for permission.

Disclaimer:
The information within this paper may change without notice.  Use of
this information constitutes acceptance for use in an AS IS condition.
There are no warranties, implied or express, with regard to this
information.  In no event shall the author be liable for any direct or
indirect damages whatsoever arising out of or in connection with the use
or spread of this information.  Any use of this information is at the
user's own risk.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
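The allocate-then-copy step the eEye advisory describes, as an added hardened sketch in C (not eEye's or Microsoft's code): the decompressor reads the 24-bit declared size, allocates size + 1C00h, and then refuses any write that would run past that allocation instead of copying blindly. The token layout, the MTX_HDR/MTX_SLACK names, the error codes and the sample streams are constructed for illustration and do not reproduce the real MicroType Express stream format.

```c
/* Added example (not eEye's or Microsoft's code): a hardened sketch of the
 * "allocate declared size + 1C00h, then decompress into it" step from the
 * advisory. The token layout is constructed and is NOT the real MTX format. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MTX_SLACK 0x1C00u   /* the "+ 1C00h" added to the allocation, per the advisory */
#define MTX_HDR   3u        /* assumed: 24-bit little-endian declared size up front */

enum { MTX_OK = 0, MTX_ERR_TRUNCATED, MTX_ERR_OVERFLOW, MTX_ERR_BACKREF,
       MTX_ERR_FORMAT, MTX_ERR_OOM };

/* Constructed token stream used by this example:
 *   0x00 <n> <n bytes>   literal run of n bytes
 *   0x01 <dist> <n>      copy n bytes starting dist bytes behind the write cursor */
int mtx_unpack(const uint8_t *in, size_t in_len, uint8_t **out, size_t *out_len)
{
    *out = NULL; *out_len = 0;
    if (in_len < MTX_HDR) return MTX_ERR_TRUNCATED;
    size_t declared = (size_t)in[0] | ((size_t)in[1] << 8) | ((size_t)in[2] << 16);
    size_t cap = declared + MTX_SLACK;      /* a 24-bit value + 0x1C00 cannot wrap size_t */
    uint8_t *buf = malloc(cap);
    if (!buf) return MTX_ERR_OOM;
    size_t pos = 0, i = MTX_HDR;
    int rc = MTX_OK;
    while (i < in_len && rc == MTX_OK) {
        uint8_t tok = in[i++];
        if (tok == 0x00) {                               /* literal run */
            if (i >= in_len) { rc = MTX_ERR_TRUNCATED; break; }
            size_t n = in[i++];
            if (n > in_len - i) { rc = MTX_ERR_TRUNCATED; break; }
            /* the check the advisory says was missing: never copy past the allocation */
            if (n > cap - pos) { rc = MTX_ERR_OVERFLOW; break; }
            memcpy(buf + pos, in + i, n);
            pos += n; i += n;
        } else if (tok == 0x01) {                        /* LZ back-reference */
            if (in_len - i < 2) { rc = MTX_ERR_TRUNCATED; break; }
            size_t dist = in[i], n = in[i + 1];
            i += 2;
            if (dist == 0 || dist > pos) { rc = MTX_ERR_BACKREF; break; } /* reads before block */
            if (n > cap - pos) { rc = MTX_ERR_OVERFLOW; break; }
            for (size_t k = 0; k < n; k++, pos++)        /* byte-wise: overlap is legal in LZ */
                buf[pos] = buf[pos - dist];
        } else {
            rc = MTX_ERR_FORMAT;
        }
    }
    if (rc != MTX_OK) { free(buf); return rc; }
    *out = buf; *out_len = pos;
    return MTX_OK;
}

/* Constructed sample streams (not real EOT data). */
const uint8_t SAMPLE_GOOD[]   = { 0x08, 0x00, 0x00,                 /* declares 8 bytes */
                                  0x00, 0x04, 'a', 'b', 'c', 'd',   /* literal "abcd" */
                                  0x01, 0x02, 0x04 };                /* -> "abcdcdcd" */
const uint8_t SAMPLE_TRUNC[]  = { 0x08, 0x00 };                     /* header cut short */
const uint8_t SAMPLE_BADREF[] = { 0x00, 0x00, 0x00, 0x01, 0x01, 0x02 }; /* back-ref before start */

/* Return-value helpers so the behaviour can be checked without printed output. */
int mtx_rc(const uint8_t *in, size_t in_len)
{
    uint8_t *o; size_t n;
    int rc = mtx_unpack(in, in_len, &o, &n);
    free(o); return rc;
}

int mtx_decodes_to(const uint8_t *in, size_t in_len, const char *expect)
{
    uint8_t *o; size_t n;
    if (mtx_unpack(in, in_len, &o, &n) != MTX_OK) return 0;
    int eq = n == strlen(expect) && memcmp(o, expect, n) == 0;
    free(o); return eq;
}

/* A stream that declares a 0-byte size but expands past the 0x1C00 slack: one literal
 * byte followed by 30 back-references of 255 bytes each (7651 bytes > 7168 allocated). */
int mtx_overflow_demo(void)
{
    uint8_t s[3 + 3 + 30 * 3] = { 0x00, 0x00, 0x00, 0x00, 0x01, 'x' };
    for (int k = 0; k < 30; k++) {
        s[6 + 3 * k] = 0x01; s[7 + 3 * k] = 0x01; s[8 + 3 * k] = 0xFF;
    }
    return mtx_rc(s, sizeof s);   /* the hardened decoder rejects it with MTX_ERR_OVERFLOW */
}
```

Without the `n > cap - pos` checks the last stream would write roughly 480 bytes beyond the heap block, which is the class of defect the advisory reports.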
    

- Vulnerability information

18829
Microsoft Windows Open Type (EOT) Font Handling Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Unknown Vendor Verified

- Vulnerability description

A remote overflow exists in Microsoft Windows. Many versions fail to perform correct boundary checks in web requests involving embedded fonts, resulting in a heap overflow. With a specially crafted web font, an attacker can cause arbitrary code execution, resulting in a loss of integrity.

- Timeline

Disclosure date: 2006-01-11  Discovery date: 2005-07-31
Exploit publish date: Unknown  Solution date: 2006-01-10

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft Corporation has released a patch to address this vulnerability.

- References

- Vulnerability author

- Vulnerability information

Microsoft Windows Embedded Web Font Buffer Overflow Vulnerability
Bugtraq ID: 16194  Class: Boundary Condition Error
Remote: Yes  Local: No
Published: 2006-01-10 12:00:00  Updated: 2006-02-07 08:54:00
Fang Xing is credited with the discovery of this issue.

- Affected program versions

Nortel Networks Self-Service 0
Nortel Networks Optivity Telephony Manager for SL-100
Nortel Networks Optivity Telephony Manager (OTM)
Nortel Networks MCS PC Client
Nortel Networks IP softphone 2050
Nortel Networks Contact Center
Nortel Networks Centrex IP Client Manager 8.0
Nortel Networks Centrex IP Client Manager 7.0
Nortel Networks Centrex IP Client Manager 2.5
Nortel Networks Centrex IP Client Manager
Nortel Networks CallPilot 2.0
Nortel Networks CallPilot 1.0.7
Nortel Networks CallPilot 201i
Nortel Networks CallPilot 200i
Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows XP Tablet PC Edition
Microsoft Windows XP Professional x64 Edition
Microsoft Windows XP Professional SP2
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Home SP2
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Terminal Server 4.0 SP6a
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows NT Terminal Server 4.0 SP5
Microsoft Windows NT Terminal Server 4.0 SP4
Microsoft Windows NT Terminal Server 4.0 SP3
Microsoft Windows NT Terminal Server 4.0 SP2
Microsoft Windows NT Terminal Server 4.0 SP1
Microsoft Windows NT Terminal Server 4.0 alpha
Microsoft Windows NT Terminal Server 4.0
Microsoft Windows NT Server 4.0 SP6a
Microsoft Windows NT Server 4.0 SP6
Microsoft Windows NT Server 4.0 SP5
Microsoft Windows NT Server 4.0 SP4
Microsoft Windows NT Server 4.0 SP3
Microsoft Windows NT Server 4.0 SP2
Microsoft Windows NT Server 4.0 SP1
Microsoft Windows NT Server 4.0
Microsoft Windows NT Enterprise Server 4.0 SP6a
Microsoft Windows NT Enterprise Server 4.0 SP6
Microsoft Windows NT Enterprise Server 4.0 SP5
Microsoft Windows NT Enterprise Server 4.0 SP4
Microsoft Windows NT Enterprise Server 4.0 SP3
Microsoft Windows NT Enterprise Server 4.0 SP2
Microsoft Windows NT Enterprise Server 4.0 SP1
Microsoft Windows NT Enterprise Server 4.0
Microsoft Windows NT 3.5.1 SP5 alpha
Microsoft Windows NT 3.5.1 SP5
Microsoft Windows NT 3.5.1 SP4
Microsoft Windows NT 3.5.1 SP3
Microsoft Windows NT 3.5.1 SP2
Microsoft Windows NT 3.5.1 SP1
Microsoft Windows NT 3.5.1
Microsoft Windows NT 4.0 SP6a alpha
Microsoft Windows NT 4.0 SP6a
Microsoft Windows NT 4.0 SP6 alpha
Microsoft Windows NT 4.0 SP6
+ Microsoft Windows NT Enterprise Server 4.0 SP6
+ Microsoft Windows NT Server 4.0 SP6
+ Microsoft Windows NT Terminal Server 4.0 SP6
+ Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT 4.0 SP5 alpha
Microsoft Windows NT 4.0 SP5
Microsoft Windows NT 4.0 SP4 alpha
Microsoft Windows NT 4.0 SP4
+ Microsoft Windows NT Enterprise Server 4.0 SP4
+ Microsoft Windows NT Server 4.0 SP4
+ Microsoft Windows NT Terminal Server 4.0 SP4
+ Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT 4.0 SP3 alpha
Microsoft Windows NT 4.0 SP3
Microsoft Windows NT 4.0 SP2 alpha
Microsoft Windows NT 4.0 SP2
+ Microsoft Windows NT Enterprise Server 4.0 SP2
+ Microsoft Windows NT Server 4.0 SP2
+ Microsoft Windows NT Terminal Server 4.0 SP2
+ Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT 4.0 SP1 alpha
Microsoft Windows NT 4.0 SP1
+ Microsoft Windows NT Enterprise Server 4.0 SP1
+ Microsoft Windows NT Server 4.0 SP1
+ Microsoft Windows NT Terminal Server 4.0 SP1
+ Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT 4.0 alpha
Microsoft Windows NT 4.0
+ Microsoft Windows NT Enterprise Server 4.0
+ Microsoft Windows NT Server 4.0
+ Microsoft Windows NT Terminal Server 4.0
+ Microsoft Windows NT Workstation 4.0
Microsoft Windows NT 3.5
Microsoft Windows ME
Microsoft Windows 98SE
Microsoft Windows 98
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
Avaya S8100 Media Servers R9
Avaya S8100 Media Servers R8
Avaya S8100 Media Servers R7
Avaya S8100 Media Servers R6
Avaya S8100 Media Servers R12
Avaya S8100 Media Servers R11
Avaya S8100 Media Servers R10
Avaya S8100 Media Servers 0
+ Microsoft Windows 2000 Server
+ Microsoft Windows NT Server 4.0 SP6a
Avaya Modular Messaging (MAS)
Avaya IP600 Media Servers R9
Avaya IP600 Media Servers R8
Avaya IP600 Media Servers R7
Avaya IP600 Media Servers R6
Avaya IP600 Media Servers R12
Avaya IP600 Media Servers R11
Avaya IP600 Media Servers R10
Avaya IP600 Media Servers
Avaya DefinityOne Media Servers R9
Avaya DefinityOne Media Servers R8
Avaya DefinityOne Media Servers R7
Avaya DefinityOne Media Servers R6
Avaya DefinityOne Media Servers R12
Avaya DefinityOne Media Servers R11
Avaya DefinityOne Media Servers R10
Avaya DefinityOne Media Servers

- Vulnerability discussion

Microsoft Windows is susceptible to a remotely exploitable buffer-overflow vulnerability. This issue is due to the software's failure to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.

This issue allows remote attackers to execute arbitrary machine code in the context of the vulnerable software on the targeted user's computer.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution


Avaya security advisory ASA-2006-004 addresses this issue. Avaya recommends following Microsoft's instructions for installing the Operating System patch.

Nortel has released an advisory (2006006582) to identify vulnerable products. The vendor advises customers to follow Microsoft's recommendations and install fixes supplied by Microsoft.

Fixes are available:


Microsoft Windows Server 2003 Datacenter Edition SP1

Microsoft Windows XP Tablet PC Edition SP2

Microsoft Windows XP Media Center Edition SP1

Microsoft Windows Server 2003 Standard Edition SP1

Microsoft Windows Server 2003 Standard Edition

Microsoft Windows Server 2003 Enterprise x64 Edition

Microsoft Windows Server 2003 Datacenter Edition Itanium 0

Microsoft Windows Server 2003 Enterprise Edition SP1

Microsoft Windows Server 2003 Datacenter Edition

Microsoft Windows 2000 Advanced Server SP4

Microsoft Windows XP Home SP1

Microsoft Windows XP Professional x64 Edition

Microsoft Windows Server 2003 Datacenter Edition Itanium SP1

Microsoft Windows Server 2003 Standard x64 Edition

Microsoft Windows 2000 Professional SP4

Microsoft Windows XP Media Center Edition SP2

- References

 

 
