CVE-2006-3357
CVSS 7.5
Published: 2006-07-06 16:05:00
Revised: 2011-03-07 21:38:25

[Original text] Heap-based buffer overflow in HTML Help ActiveX control (hhctrl.ocx) in Microsoft Internet Explorer 6.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code by repeatedly setting the Image field of an Internet.HHCtrl.1 object to certain values, possibly related to improper escaping and long strings.


[CNNVD] Microsoft Internet Explorer HHCtrl ActiveX Control Heap Overflow Vulnerability (CNNVD-200607-033)

Microsoft Internet Explorer is a very popular web browser released by Microsoft.
The HTML Help ActiveX control (hhctrl.ocx) in Internet Explorer has a vulnerability in its handling of the Image property; a remote attacker could exploit it to execute arbitrary instructions on the user's machine.
An attacker can trigger a heap overflow by repeatedly setting the property to an overly long string from a malicious web page; if a user is tricked into visiting that page, arbitrary code execution results.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may be degraded or access to resources interrupted]
Access complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

oval:org.mitre.oval:def:13 Buffer Overrun in HTML Help Vulnerability
*OVAL describes in detail how to detect this vulnerability; more technical details on detection can be found in the related OVAL definition.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3357
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3357
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200607-033
(official data source) CNNVD

- Other links and resources

http://www.us-cert.gov/cas/techalerts/TA06-220A.html
(UNKNOWN)  CERT  TA06-220A
http://www.kb.cert.org/vuls/id/159220
(UNKNOWN)  CERT-VN  VU#159220
http://www.vupen.com/english/advisories/2006/2635
(UNKNOWN)  VUPEN  ADV-2006-2635
http://www.vupen.com/english/advisories/2006/2634
(UNKNOWN)  VUPEN  ADV-2006-2634
http://www.securityfocus.com/bid/18769
(UNKNOWN)  BID  18769
http://www.osvdb.org/26835
(UNKNOWN)  OSVDB  26835
http://secunia.com/advisories/20906
(VENDOR_ADVISORY)  SECUNIA  20906
http://browserfun.blogspot.com/2006/07/mobb-2-internethhctrl-image-property.html
(UNKNOWN)  MISC  http://browserfun.blogspot.com/2006/07/mobb-2-internethhctrl-image-property.html
http://xforce.iss.net/xforce/xfdb/27573
(UNKNOWN)  XF  ie-hhctrl-bo(27573)
http://www.tippingpoint.com/security/advisories/TSRT-06-08.html
(UNKNOWN)  MISC  http://www.tippingpoint.com/security/advisories/TSRT-06-08.html
http://www.securityfocus.com/archive/1/archive/1/442733/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060808 TSRT-06-08: Microsoft Internet Help COM Object Memory Corruption Vulnerability
http://www.microsoft.com/technet/security/Bulletin/MS06-046.mspx
(UNKNOWN)  MS  MS06-046
http://securitytracker.com/id?1016434
(UNKNOWN)  SECTRACK  1016434

- Vulnerability information

Microsoft Internet Explorer HHCtrl ActiveX Control Heap Overflow Vulnerability
High risk  Buffer overflow
2006-07-06 00:00:00 2006-07-07 00:00:00
Remote

- Advisories and patches

The vendor has released an update to fix this security issue; patch download link:
http://www.microsoft.com/technet/security/bulletin/ms06-046.mspx

- Vulnerability information (F49119)

TSRT-06-08.txt (PacketStormID:F49119)
2006-08-18 00:00:00
Cody Pierce  tippingpoint.com
advisory,arbitrary,code execution,activex
CVE-2006-3357

An arbitrary code execution vulnerability exists in Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific vulnerability can lead to code execution when instantiating the Internet.HHCtrl COM object through Internet Explorer. The flaw exists due to invalid freeing of heap memory when several calls to the "Image" property of the ActiveX control are performed. By abusing the jscript.dll CScriptBody::Release() function user supplied data can be executed.

TSRT-06-08: Microsoft Internet Help COM Object Memory Corruption Vulnerability

http://www.tippingpoint.com/security/advisories/TSRT-06-08.html
August 8, 2006

-- CVE ID:
CVE-2006-3357

-- Affected Vendor:
Microsoft

-- Affected Products:
Microsoft Windows Server 2003 SP1 and SP2
Microsoft Windows XP SP1 and SP2
Microsoft Windows 2000 Service Pack 4

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since August 8, 2006 by Digital Vaccine protection
filter ID 4581. For further product information on the TippingPoint IPS:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on
vulnerable installations of Microsoft Internet Explorer. User
interaction is required to exploit this vulnerability in that the
target must visit a malicious page.

The specific vulnerability can lead to code execution when
instantiating the Internet.HHCtrl COM object through Internet Explorer.
The flaw exists due to invalid freeing of heap memory when several calls
to the "Image" property of the ActiveX control are performed. By abusing
the jscript.dll CScriptBody::Release() function user supplied data can
be executed.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More
details can be found at:

http://www.microsoft.com/technet/security/bulletin/MS06-046.mspx

-- Disclosure Timeline:
2006.04.27 - Vulnerability reported to vendor
2006.08.08 - Digital Vaccine released to TippingPoint customers
2006.08.08 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Cody Pierce, TippingPoint Security
Research Team.

-- About the TippingPoint Security Research Team (TSRT):
The TippingPoint Security Research Team (TSRT) consists of industry
recognized security researchers that apply their cutting-edge
engineering, reverse engineering and analysis talents in our daily
operations. More information about the team is available at:

    http://www.tippingpoint.com/security
The by-product of these efforts fuels the creation of vulnerability
filters that are automatically delivered to our customers' intrusion
prevention systems through the Digital Vaccine(R) service.

- Vulnerability information

26835
Microsoft IE HTML Help COM Object Image Property Heap Overflow
Input Manipulation
Loss of Integrity

- Vulnerability description

- Timeline

2006-07-02 Unknown
Unknown Unknown

- Solution

Products

Unknown or Incomplete

- Related references

- Vulnerability author
- Vulnerability information

Microsoft Windows HTML Help HHCtrl ActiveX Control Memory Corruption Vulnerability
Boundary Condition Error 18769
Yes No
2006-07-02 12:00:00 2007-06-26 05:28:00
hdm is credited with the discovery of this vulnerability. Cody Pierce is also credited with providing information about this issue.

- Affected program versions

Nortel Networks Centrex IP Element Manager 0
Nortel Networks Centrex IP Client Manager
Nortel Networks CallPilot 703t
Nortel Networks CallPilot 702t
Nortel Networks CallPilot 201i
Nortel Networks CallPilot 200i
Nortel Networks CallPilot 1002rp
Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows XP Tablet PC Edition
Microsoft Windows XP Professional x64 Edition
Microsoft Windows XP Professional SP2
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Home SP2
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server

- Vulnerability discussion

Microsoft Windows HTML Help is prone to a memory-corruption vulnerability. This is related to the handling of the HHCtrl ActiveX control.

Attackers may exploit this issue via a malicious web page to execute arbitrary code in the context of the currently logged-in user. Exploitation attempts may lead to a denial-of-service condition as well. Attackers may also employ HTML email to carry out an attack.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com

A proof of concept is available to crash Internet Explorer.

- Solution

Microsoft has released an advisory including fixes to address this issue.

Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows XP Home SP2
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Home SP1
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows XP Professional SP2
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Professional SP4
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows XP Professional SP1
Microsoft Windows Server 2003 Datacenter Edition Itanium 0

- Related references
