Published: 2006-01-10 16:03:00
Revised: 2017-10-10 21:30:33

[Original] An unspecified Microsoft WMF parsing application, as used in Internet Explorer 5.01 SP4 on Windows 2000 SP4, and 5.5 SP2 on Windows Millennium, and possibly other versions, allows attackers to cause a denial of service (crash) and possibly execute code via a crafted WMF file with a manipulated WMF header size, possibly involving an integer overflow, a different vulnerability than CVE-2005-4560, and aka "WMF Image Parsing Memory Corruption Vulnerability."

[CNNVD] Microsoft IE WMF Image Parsing Memory Corruption Vulnerability (CNNVD-200601-101)

Microsoft Internet Explorer is a very popular web browser.
Microsoft Internet Explorer has a vulnerability in its handling of malformed WMF files; an attacker could exploit it to cause a denial of service on the user's machine or to execute arbitrary instructions. The Microsoft WMF parsing application used by Internet Explorer 5.01 SP4 contains a memory corruption vulnerability. An attacker can create a specially crafted WMF file with a malformed WMF header size; if a user is lured into viewing that file, an integer overflow is triggered, leading to denial of service or arbitrary code execution.

- CVSS (base score)

CVSS score: 9.3 [Severe (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: MEDIUM [exploitation requires certain access conditions]
Attack vector: NETWORK [the attacker needs neither intranet nor local access]
Authentication: NONE [exploitation requires no authentication]

- CWE (weakness category)

CWE-189 [Numeric Errors]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_98::gold (Microsoft Windows 98 Gold)
cpe:/o:microsoft:windows_98se (Microsoft Windows 98 SE)
cpe:/o:microsoft:windows_me (Microsoft Windows ME)
cpe:/o:microsoft:windows_xp::sp1:tablet_pc (Microsoft Windows XP SP1 Tablet PC)
cpe:/o:microsoft:windows_xp::sp2:tablet_pc (Microsoft Windows XP SP2 Tablet PC)

- OVAL (technical details for detection)

oval:org.mitre.oval:def:1638 Remote Code Execution Vulnerability in IE5.01

- Official database links
(official data source) MITRE
(official data source) NVD
(official data source) CNNVD

- Other links and resources
(VENDOR_ADVISORY)  MLIST  [funsec] 20060110 Another WMF flaw without a Microsoft patch
(PATCH)  MS  MS06-004
(PATCH)  BID  16516
(UNKNOWN)  VUPEN  ADV-2006-0469

- Vulnerability information

Microsoft IE WMF Image Parsing Memory Corruption Vulnerability
High risk   Buffer overflow
2006-01-10 00:00:00 2006-05-05 00:00:00

- Advisories and patches


- Vulnerability information

Microsoft IE Crafted WMF Header Size Arbitrary Code Execution
Remote / Network Access Input Manipulation
Loss of Integrity

- Vulnerability description

A remote overflow exists in Microsoft Internet Explorer. Microsoft Internet Explorer fails to check integer bounds, resulting in an integer overflow. With a specially crafted request, an attacker can corrupt heap memory, resulting in a loss of integrity.

- Timeline

2006-01-11 Unknown
Unknown Unknown

- Solution

Upgrade to version 5.5 or higher, as it has been reported to fix this vulnerability. In addition, Microsoft has released a patch for some older versions.

- Related references

- Vulnerability author

- Vulnerability information

Microsoft Internet Explorer WMF Image Parsing Memory Corruption Vulnerability
Boundary Condition Error 16516
Yes No
2006-01-09 12:00:00 2006-04-07 03:38:00
Discovered by H D Moore.

- Affected program versions

Nortel Networks Self-Service Peri NT Server 0
Nortel Networks Self-Service Peri IVR 0
Nortel Networks Self-Service Media Processing Server 0
Nortel Networks Optivity Telephony Manager TM-CS1000 0
Nortel Networks MCS 5200 3.0
Nortel Networks MCS 5100 3.0
Nortel Networks IP softphone 2050
Nortel Networks IP Address Domain Manager
Nortel Networks Contact Center
Microsoft Internet Explorer 5.0.1 SP4
- Microsoft Windows 2000 Advanced Server SP4
- Microsoft Windows 2000 Datacenter Server SP4
- Microsoft Windows 2000 Professional SP4
- Microsoft Windows 2000 Server SP4
Avaya Unified Communications Center S3400
Avaya S8100 Media Servers R9
Avaya S8100 Media Servers R8
Avaya S8100 Media Servers R7
Avaya S8100 Media Servers R6
Avaya S8100 Media Servers R12
Avaya S8100 Media Servers R11
Avaya S8100 Media Servers R10
Avaya S8100 Media Servers 0
+ Microsoft Windows 2000 Server
+ Microsoft Windows NT Server 4.0 SP6a
Avaya Modular Messaging (MAS)
Avaya IP600 Media Servers R9
Avaya IP600 Media Servers R8
Avaya IP600 Media Servers R7
Avaya IP600 Media Servers R6
Avaya IP600 Media Servers R12
Avaya IP600 Media Servers R11
Avaya IP600 Media Servers R10
Avaya IP600 Media Servers
Avaya DefinityOne Media Servers R9
Avaya DefinityOne Media Servers R8
Avaya DefinityOne Media Servers R7
Avaya DefinityOne Media Servers R6
Avaya DefinityOne Media Servers R12
Avaya DefinityOne Media Servers R11
Avaya DefinityOne Media Servers R10
Avaya DefinityOne Media Servers
Microsoft Internet Explorer 6.0 SP1

- Unaffected program versions

Microsoft Internet Explorer 6.0 SP1

- Vulnerability discussion

Microsoft Internet Explorer is affected by a WMF image-parsing memory-corruption vulnerability. This issue is allegedly due to an integer-overflow flaw that leads to corrupted heap memory.

This problem presents itself when a user views a malicious WMF-formatted file containing specially crafted data.

This issue allows remote attackers to execute arbitrary machine code in the context of the affected application. Failed exploitation attempts likely result in crashing the application.
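Added here as a defensive illustration, not code from this record, from Microsoft, or from the cited advisories: a C checker that validates the size fields of a standard WMF header and its record chain before any of them is used as a length or offset, which is the class of check the description above says was missing. It assumes the documented 18-byte META_HEADER layout (every size counted in 16-bit words) and uses constructed sample files; the function names, error codes and sample names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Fields of the standard 18-byte WMF header (META_HEADER). Every size in the format is
 * counted in 16-bit words and must be doubled before comparison with a byte length;
 * that doubling is where an unchecked value can wrap to something small. */
typedef struct {
    uint16_t file_type;    /* 1 = memory metafile, 2 = disk metafile */
    uint16_t header_size;  /* header length in words; the format fixes it at 9 */
    uint16_t version;
    uint32_t file_size;    /* whole file length in words */
    uint16_t num_objects;
    uint32_t max_record;   /* largest record in words */
    uint16_t num_params;   /* reserved, always 0 */
} wmf_header;

#define WMF_HEADER_BYTES 18u
#define WMF_HEADER_WORDS 9u
#define WMF_MIN_RECORD_WORDS 3u   /* record size (2 words) + function code (1 word) */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Doubles a word count in 64-bit arithmetic so a large 32-bit count cannot wrap to a
 * small byte count, and refuses anything beyond the bytes actually present. Returns 1/0. */
static int words_to_bytes(uint32_t words, size_t available, size_t *bytes) {
    uint64_t b = (uint64_t)words * 2u;
    if (b > available) return 0;
    *bytes = (size_t)b;
    return 1;
}

/* Checks every size field of the header against the real buffer length.
 * Returns 0 when consistent, a distinct negative code for each failed check. */
int wmf_check_header(const uint8_t *buf, size_t len, wmf_header *h) {
    size_t file_bytes, max_rec_bytes;
    if (buf == NULL || len < WMF_HEADER_BYTES) return -1;
    h->file_type   = rd16(buf + 0);
    h->header_size = rd16(buf + 2);
    h->version     = rd16(buf + 4);
    h->file_size   = rd32(buf + 6);
    h->num_objects = rd16(buf + 10);
    h->max_record  = rd32(buf + 12);
    h->num_params  = rd16(buf + 16);
    if (h->file_type != 1 && h->file_type != 2) return -2;
    if (h->header_size != WMF_HEADER_WORDS) return -3;   /* a format constant, never an offset source */
    if (!words_to_bytes(h->file_size, len, &file_bytes)) return -4;
    if (file_bytes < WMF_HEADER_BYTES + 2u * WMF_MIN_RECORD_WORDS) return -4;
    if (h->max_record < WMF_MIN_RECORD_WORDS) return -5;
    if (!words_to_bytes(h->max_record, file_bytes - WMF_HEADER_BYTES, &max_rec_bytes)) return -5;
    return 0;
}

/* Walks the record chain after a validated header. Each record's own 32-bit size is bounded
 * by max_record and by the bytes remaining before anything is read from it.
 * Returns the record count up to and including META_EOF, or a negative code. */
int wmf_check_records(const uint8_t *buf, size_t len) {
    wmf_header h;
    size_t off = WMF_HEADER_BYTES, file_bytes, max_rec_bytes;
    int count = 0, rc = wmf_check_header(buf, len, &h);
    if (rc != 0) return rc;
    (void)words_to_bytes(h.file_size, len, &file_bytes);                        /* validated above */
    (void)words_to_bytes(h.max_record, file_bytes - WMF_HEADER_BYTES, &max_rec_bytes);
    for (;;) {
        size_t rec_bytes;
        uint32_t words;
        uint16_t func;
        if (file_bytes - off < 2u * WMF_MIN_RECORD_WORDS) return -6;  /* no room for size + function */
        words = rd32(buf + off);
        func  = rd16(buf + off + 4);
        if (words < WMF_MIN_RECORD_WORDS) return -7;
        if (!words_to_bytes(words, file_bytes - off, &rec_bytes)) return -8;
        if (rec_bytes > max_rec_bytes) return -9;
        off += rec_bytes;
        count++;
        if (func == 0) return count;                                   /* META_EOF ends the file */
    }
}

/* Constructed samples (not real files): a minimal 24-byte metafile holding only a
 * META_EOF record, then copies with one size field each pushed out of range. */
static const uint8_t SAMPLE_OK[] = {
    1,0, 9,0, 0,3, 12,0,0,0, 0,0, 3,0,0,0, 0,0,  /* header: type 1, 9 words, file 12 words, max rec 3 */
    3,0,0,0, 0,0 };                                /* META_EOF: 3 words, function 0 */
static const uint8_t SAMPLE_BAD_HEADER_SIZE[] = {    /* header_size 0xFFFF instead of 9 */
    1,0, 0xFF,0xFF, 0,3, 12,0,0,0, 0,0, 3,0,0,0, 0,0, 3,0,0,0, 0,0 };
static const uint8_t SAMPLE_BAD_FILE_SIZE[] = {      /* file_size 0x80000000 words: *2 wraps to 0 in 32 bits */
    1,0, 9,0, 0,3, 0,0,0,0x80, 0,0, 3,0,0,0, 0,0, 3,0,0,0, 0,0 };
static const uint8_t SAMPLE_BAD_RECORD_SIZE[] = {    /* record size 0x80000000 words, far past the end */
    1,0, 9,0, 0,3, 12,0,0,0, 0,0, 3,0,0,0, 0,0, 0,0,0,0x80, 0,0 };

int main(void) {
    printf("valid:           %d\n", wmf_check_records(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("bad header size: %d\n", wmf_check_records(SAMPLE_BAD_HEADER_SIZE, sizeof SAMPLE_BAD_HEADER_SIZE));
    printf("bad file size:   %d\n", wmf_check_records(SAMPLE_BAD_FILE_SIZE, sizeof SAMPLE_BAD_FILE_SIZE));
    printf("bad record size: %d\n", wmf_check_records(SAMPLE_BAD_RECORD_SIZE, sizeof SAMPLE_BAD_RECORD_SIZE));
    return 0;
}
```

The two design points are the ones the record turns on: the word-to-byte doubling is done in 64-bit arithmetic and compared with the bytes actually present, so a large word count can never wrap to a small byte count, and the header size is treated as a constant of the format rather than as a trusted offset, which removes the manipulated-header-size trigger the description names. A parser built this way stops at the first negative code instead of going on to allocate or copy with the bad size.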

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: <>.

- Solution

Microsoft has released advisory MS06-004 to address this issue. Please see the referenced advisory for further information.

Avaya has released an advisory to identify vulnerable products, and recommends that users apply patches released by Microsoft.

Microsoft Internet Explorer 5.0.1 SP4

- Related references