CVE-2006-2492
CVSS 7.6
Published: 2006-05-19 20:02:00
Revised: 2011-03-07 21:36:18

[Original] Buffer overflow in Microsoft Word in Office 2000 SP3, Office XP SP3, Office 2003 Sp1 and SP2, and Microsoft Works Suites through 2006, allows user-assisted attackers to execute arbitrary code via a malformed object pointer, as originally reported by ISC on 20060519 for a zero-day attack.


[CNNVD] Microsoft Word Malformed Object Pointer Buffer Overflow Vulnerability (CNNVD-200605-369)

        Microsoft Word is a widely used word processor.
        A buffer overflow occurs when Word opens a document that contains a malformed object pointer. A remote attacker can exploit it by tricking a user into opening a crafted DOC file and thereby execute arbitrary code on the user's machine.
        If the user opens the specially crafted Word document, a dropper named Trojan.Mdropper.H installs a backdoor named Backdoor.Ginwui. The backdoor calls back over HTTP to localhosts.3322.org, pinging that server roughly once a minute with an empty HTTP POST (0 bytes of body). It has rootkit-like functionality: it hides files associated with the attack (Explorer does not show the file winguis.dll) and registers the trojan binary under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows so that it is loaded automatically. At the time of the advisory this trojan was being actively used in attacks.
        When the exploit triggers, Word crashes, reports a problem to the user and offers to reopen the file; if the user agrees, the malicious file is opened again.
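The callback behaviour above (empty HTTP POSTs to localhosts.3322.org about once a minute) is the most usable network indicator on this page. The following script, an added example that is not part of the CNNVD record or of any vendor tooling, hunts for that pattern in web-proxy logs in two ways: a direct match on the named host, and a behavioural check for zero-byte POST beacons at a near-constant interval that still fires if the operator changes the domain. The log format, the sample lines, the interval tolerance and the minimum hit count are constructed assumptions for the example; adapt the regex to your own proxy.

```python
"""Hunt for the Backdoor.Ginwui beacon described above in web-proxy logs.

Added example (not part of the CNNVD record or any vendor tooling). The only
facts taken from the page are the callback host, localhosts.3322.org, and the
cadence: an empty (0-byte) HTTP POST roughly once a minute. The proxy log format,
the sample lines and the detection thresholds are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Indicator taken from the advisory text above.
KNOWN_C2_HOSTS = {"localhosts.3322.org"}

# Assumed proxy log format (constructed for this example):
# "<ISO timestamp> <client ip> <method> <url> <request body bytes> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<req_bytes>\d+) (?P<status>\d{3})$"
)

# Constructed sample: 10.0.0.7 beacons every ~60 s; 10.0.0.9 is ordinary traffic.
SAMPLE_LOG = """\
2006-05-19T10:00:03 10.0.0.7 POST http://localhosts.3322.org/ 0 200
2006-05-19T10:00:10 10.0.0.7 GET http://www.example.com/index.html 0 200
2006-05-19T10:01:04 10.0.0.7 POST http://localhosts.3322.org/ 0 200
2006-05-19T10:01:30 10.0.0.9 POST http://intranet.example.com/upload 5120 200
2006-05-19T10:02:03 10.0.0.7 POST http://localhosts.3322.org/ 0 200
2006-05-19T10:02:45 10.0.0.9 POST http://intranet.example.com/upload 4096 200
2006-05-19T10:03:05 10.0.0.7 POST http://localhosts.3322.org/ 0 200
2006-05-19T10:04:03 10.0.0.7 POST http://localhosts.3322.org/ 0 200
2006-05-19T10:07:00 10.0.0.9 POST http://intranet.example.com/upload 0 200
"""


def host_of(url):
    """Extract the host part of an absolute URL."""
    m = re.match(r"^[a-z]+://([^/:]+)", url)
    return m.group(1) if m else url


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "client": m["client"],
            "method": m["method"],
            "host": host_of(m["url"]),
            "req_bytes": int(m["req_bytes"]),
        })
    return events


def match_known_c2(events):
    """Clients that contacted a host on the indicator list, regardless of cadence."""
    return {e["client"] for e in events if e["host"] in KNOWN_C2_HOSTS}


def find_beacons(events, min_hits=4, expected_interval=60.0, tolerance=0.25):
    """Behavioural check that still works if the C2 host changes.

    Groups zero-byte POSTs by (client, host) and flags a pair when there are at
    least min_hits requests whose median gap is within tolerance of
    expected_interval seconds and whose jitter (population stdev) is also small.
    Returns {(client, host): (hit_count, median_gap_seconds)}.
    """
    groups = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["req_bytes"] == 0:
            groups[(e["client"], e["host"])].append(e["ts"])

    found = {}
    slack = tolerance * expected_interval
    for key, stamps in groups.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if abs(med - expected_interval) <= slack and pstdev(gaps) <= slack:
            found[key] = (len(stamps), med)
    return found


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("known C2 contact from:", sorted(match_known_c2(events)))
    for (client, host), (hits, med) in find_beacons(events).items():
        print(f"beacon: {client} -> {host}: {hits} empty POSTs, median gap {med:.0f}s")
```

The behavioural check deliberately ignores the host name: a zero-byte POST cadence with low jitter is what the advisory describes, and a domain match alone would miss a re-pointed dropper. Tune min_hits and tolerance to the log window you search; on a busy proxy, four hits at sixty seconds is a low bar and should be raised.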

- CVSS (base score)

CVSS score: 7.6 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [the system can be rendered completely unavailable]
Access complexity: HIGH [exploitation requires specific access conditions]
Access vector: NETWORK [the attacker needs neither intranet nor local access]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

oval:org.mitre.oval:def:2068  Microsoft Word 2000 Malformed Object Pointer Vulnerability
oval:org.mitre.oval:def:1738  Microsoft Word 2002 Malformed Object Pointer Vulnerability
oval:org.mitre.oval:def:1418  Microsoft Word 2003 Malformed Object Pointer Vulnerability
*The OVAL definitions describe in detail how to detect this vulnerability; consult the definitions listed above for the technical details of the checks.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2492
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2492
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200605-369
(official data source) CNNVD

- Other links and resources

http://www.us-cert.gov/cas/techalerts/TA06-164A.html
(UNKNOWN)  CERT  TA06-164A
http://www.us-cert.gov/cas/techalerts/TA06-139A.html
(UNKNOWN)  CERT  TA06-139A
http://www.kb.cert.org/vuls/id/446012
(UNKNOWN)  CERT-VN  VU#446012
http://www.securityfocus.com/bid/18037
(PATCH)  BID  18037
http://www.microsoft.com/technet/security/bulletin/ms06-027.mspx
(PATCH)  MS  MS06-027
http://secunia.com/advisories/20153
(VENDOR_ADVISORY)  SECUNIA  20153
http://xforce.iss.net/xforce/xfdb/26556
(UNKNOWN)  XF  word-code-execution(26556)
http://www.vupen.com/english/advisories/2006/1872
(UNKNOWN)  VUPEN  ADV-2006-1872
http://www.osvdb.org/25635
(UNKNOWN)  OSVDB  25635
http://www.microsoft.com/technet/security/advisory/919637.mspx
(UNKNOWN)  CONFIRM  http://www.microsoft.com/technet/security/advisory/919637.mspx
http://securitytracker.com/id?1016130
(UNKNOWN)  SECTRACK  1016130
http://isc.sans.org/diary.php?storyid=1346
(UNKNOWN)  MISC  http://isc.sans.org/diary.php?storyid=1346
http://isc.sans.org/diary.php?storyid=1345
(UNKNOWN)  MISC  http://isc.sans.org/diary.php?storyid=1345
http://blogs.technet.com/msrc/archive/2006/05/19/429353.aspx
(UNKNOWN)  MISC  http://blogs.technet.com/msrc/archive/2006/05/19/429353.aspx

- Vulnerability information (CNNVD)

Microsoft Word Malformed Object Pointer Buffer Overflow Vulnerability
Severity: High   Type: Buffer overflow
Published: 2006-05-19 00:00:00   Updated: 2007-06-26 00:00:00
Remote

- Advisory and patch

        The vendor has released an update that fixes this issue; it is available from:
        http://www.microsoft.com/technet/security/Bulletin/MS06-027.mspx

- Vulnerability information (OSVDB)

25635
Microsoft Word Unspecified Code Execution
Location: Remote / Network Access
Attack type: Input Manipulation
Impact: Loss of Integrity
Solution: Unknown (as recorded by OSVDB; Microsoft bulletin MS06-027, linked above, fixes this issue)
Exploit: Commercial
Disclosure: Vendor Verified, Uncoordinated Disclosure, Discovered in the Wild

- Vulnerability description

Microsoft Word contains a flaw that may allow a malicious user to execute arbitrary code under the security context of the current user. The issue is triggered due to an unspecified error when processing object pointers. It is possible that the flaw may allow arbitrary code execution resulting in a loss of integrity.

- Timeline

2006-05-19   Unknown
Unknown   2006-07-12

- Solution

The OSVDB record states that no upgrades, patches or workarounds are known. That entry is stale: Microsoft Security Bulletin MS06-027 (http://www.microsoft.com/technet/security/bulletin/ms06-027.mspx, listed under the references above) fixes this issue.

- Related references

- Vulnerability author

- Vulnerability information (SecurityFocus BID)

Microsoft PowerPoint Malformed Record Remote Code Execution Vulnerability
Class: Boundary Condition Error   BID: 18382
Remote: Yes   Local: No
Published: 2006-06-13 12:00:00   Updated: 2009-09-21 03:50:00
Discovery is credited to Nicolas Ruff, Fabrice Desclaux, and Kostya Kortchinsky of European Aeronautic Defence and Space Company, Symantec, and Dejun Meng.

Note that this BID record (18382) describes a PowerPoint record-parsing flaw, not the Word object-pointer flaw that CVE-2006-2492 covers; the BID that matches this CVE is 18037, listed under the references above.

- Affected versions

Microsoft PowerPoint v. X for Mac 0
Microsoft PowerPoint 2004 for Mac 0
Microsoft PowerPoint 2003 SP3
+ Microsoft Office 2003 SP3
Microsoft PowerPoint 2003 SP2
+ Microsoft Office 2003 SP2
Microsoft PowerPoint 2003 SP1
+ Microsoft Office 2003 SP1
Microsoft PowerPoint 2003 0
+ Microsoft Office 2003 0
Microsoft PowerPoint 2002 SP3
Microsoft PowerPoint 2002 SP2
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home
- Microsoft Windows XP Professional SP1
- Microsoft Windows XP Professional
Microsoft PowerPoint 2002 SP1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows ME
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
Microsoft PowerPoint 2002
+ Microsoft Office XP
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 95 SR2
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
Microsoft PowerPoint 2000 SP3
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home
- Microsoft Windows XP Professional SP1
- Microsoft Windows XP Professional
Microsoft PowerPoint 2000 SR1
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
Microsoft PowerPoint 2000 SP2
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
Microsoft PowerPoint 2000
+ Microsoft Office 2000
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3

- Vulnerability discussion

Microsoft PowerPoint is prone to a remote code-execution vulnerability. The issue is related to how the application processes malformed record data in PowerPoint documents.

To exploit this issue, an attacker must entice a victim to open a malicious PowerPoint file. If the exploit is successful, the attacker may execute arbitrary code with the privileges of the currently logged-in user.

- Exploit

Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

- Solution

Microsoft has released a security bulletin and fixes to address this issue. Fixes are listed for:

Microsoft PowerPoint 2002 SP3
Microsoft PowerPoint 2003 SP1
Microsoft PowerPoint 2000 SP3
Microsoft PowerPoint 2004 for Mac 0
Microsoft PowerPoint 2003 SP2
Microsoft PowerPoint v. X for Mac 0

- Related references
