CVE-2006-3445
CVSS 7.5
Published: 2006-11-14 16:07:00
Revised: 2011-10-03 00:00:00
NMCOS

[Original] Integer overflow in the ReadWideString function in agentdpv.dll in Microsoft Agent on Microsoft Windows 2000 SP4, XP SP2, and Server 2003 up to SP1 allows remote attackers to execute arbitrary code via a large length value in an .ACF file, which results in a heap-based buffer overflow.


[CNNVD] Microsoft Agent ActiveX Control Remote Heap Overflow Vulnerability (CNNVD-200611-207)

Microsoft Windows is a very popular operating system released by Microsoft.
Microsoft's Agent ActiveX control contains an integer overflow when it parses a malformed character file. In the ReadWideString function of agentdpv.dll:
        711a2cc4 mov eax,[ebp+0xc]
        711a2cc7 cmp eax,ebx
        711a2cc9 jz agentdpv!ReadWideStringW+0x6b (711a2d0e)
        711a2ccb lea eax,[eax+eax+0x2]
        711a2ccf push eax
        711a2cd0 call agentdpv!operator new (711aaa6c)
When decompressed in memory, the .acf format stores each string's length together with the string. To trigger this vulnerability an attacker creates a malformed .acf file by placing a very large value, 7FFFFFFF, in a string's length field prior to decompression. When Microsoft Agent parses that .acf file, it reads this length after decompressing the file:
        711a2cc4 mov eax,[ebp+0xc] ; length of string
When the supplied length is used to compute the amount of memory to allocate for the wide string, an integer overflow can occur, so 0 bytes are allocated:
        711a2ccb lea eax,[eax+eax+0x2]
        711a2ccf push eax
        711a2cd0 call agentdpv!operator new (711aaa6c)
The string is nevertheless read afterwards and copied into the buffer allocated earlier, causing a heap overflow:
        711a2ce8 push ebx
        711a2ce9 add edx,edx
        711a2ceb push edx
        711a2cec push eax
        711a2ced push edi
        711a2cee call dword ptr [ecx+0xc]{ole32!CMemStm::Read (771e7a1f)}
An attacker could exploit this vulnerability by constructing a specially crafted web page; if a user views that page, remote code execution may result.
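The size arithmetic at 711a2ccb and the check it lacks, as an added C example (not code from the page, from agentdpv.dll, or from the advisory): the unchecked computation wraps to 0 for the 7FFFFFFF length the description names, while a hardened reader rejects that length before allocating. The record layout (4-byte little-endian length followed by UTF-16LE code units), the in-memory stream and all function names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Byte count the vulnerable ReadWideString computes (lea eax,[eax+eax+0x2]
 * on a 32-bit register): len*2+2 modulo 2^32. For len = 0x7FFFFFFF this
 * wraps to 0, so operator new is asked for a 0-byte buffer. */
uint32_t acf_wide_alloc_size_unchecked(uint32_t len)
{
    return len * 2u + 2u;
}

/* Hardened form: refuse any length whose UTF-16 byte count plus terminator
 * cannot be represented in 32 bits. */
bool acf_wide_alloc_size_checked(uint32_t len, uint32_t *out_bytes)
{
    if (len > (UINT32_MAX - 2u) / 2u)
        return false;                    /* len*2+2 would overflow */
    *out_bytes = len * 2u + 2u;
    return true;
}

/* Reader over an in-memory buffer standing in for the CMemStm::Read call on
 * the page. Assumed layout (not from the page): 4-byte little-endian length,
 * then that many UTF-16LE code units. Returns 0 on success, <0 on rejection. */
int read_wide_string_safe(const uint8_t *buf, size_t size,
                          uint16_t **out, uint32_t *out_len)
{
    uint32_t len, bytes;
    if (size < 4)
        return -1;                       /* no length field */
    len = (uint32_t)buf[0] | (uint32_t)buf[1] << 8 |
          (uint32_t)buf[2] << 16 | (uint32_t)buf[3] << 24;
    if (!acf_wide_alloc_size_checked(len, &bytes))
        return -2;                       /* integer overflow in size */
    if ((uint64_t)len * 2u > size - 4)
        return -3;                       /* length exceeds stream */
    *out = calloc(1, bytes);             /* bytes >= len*2 + 2 is now certain */
    if (!*out)
        return -4;
    memcpy(*out, buf + 4, (size_t)len * 2u);
    (*out)[len] = 0;
    *out_len = len;
    return 0;
}

/* Constructed sample records: a valid "Hi", and the 0x7FFFFFFF length. */
const uint8_t SAMPLE_OK[]  = { 2, 0, 0, 0, 'H', 0, 'i', 0 };
const uint8_t SAMPLE_BAD[] = { 0xFF, 0xFF, 0xFF, 0x7F, 'H', 0, 'i', 0 };
```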
        
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: NETWORK [the attacker needs neither intranet nor local access]
Authentication: NONE [no authentication required for exploitation]

- CWE (weakness category)

CWE-189 [Numeric Errors]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_xp::sp2:tablet_pc  Microsoft windows xp_sp2 tablet_pc
cpe:/o:microsoft:windows_2003_server:r2
cpe:/o:microsoft:windows_2003_server:itanium
cpe:/o:microsoft:windows_2000::sp4::fr
cpe:/o:microsoft:windows_2003_server:sp1::itanium
cpe:/o:microsoft:windows_2003_server:sp1
cpe:/o:microsoft:windows_2003_server:64-bit
cpe:/o:microsoft:windows_xp:::64-bit

- OVAL (technical details for detection)

oval:org.mitre.oval:def:154  Microsoft Agent Memory Corruption Vulnerability
oval:gov.nist.fdcc.patch:def:901  MS06-068: Vulnerability in Microsoft Agent Could Allow Remote Code Execution (920213)
oval:gov.nist.USGCB.patch:def:901  MS06-068: Vulnerability in Microsoft Agent Could Allow Remote Code Execution (920213)
* OVAL describes in detail how to detect this vulnerability; further technical detail on detection can be found in the related OVAL definitions.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3445
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3445
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200611-207
(official data source) CNNVD

- Other links and resources

http://www.us-cert.gov/cas/techalerts/TA06-318A.html
(UNKNOWN)  CERT  TA06-318A
http://www.kb.cert.org/vuls/id/810772
(UNKNOWN)  CERT-VN  VU#810772
http://www.microsoft.com/technet/security/bulletin/ms06-068.mspx
(VENDOR_ADVISORY)  MS  MS06-068
http://xforce.iss.net/xforce/xfdb/29945
(UNKNOWN)  XF  ms-agent-acf-bo(29945)
http://www.vupen.com/english/advisories/2006/4506
(VENDOR_ADVISORY)  VUPEN  ADV-2006-4506
http://www.securityfocus.com/bid/21034
(UNKNOWN)  BID  21034
http://www.securityfocus.com/archive/1/archive/1/458558/100/0/threaded
(UNKNOWN)  BUGTRAQ  20070130 COSEINC Alert: Microsoft Agent Heap Overflow Vulnerability Technical Details (Patched)
http://www.coseinc.com/alert.html
(UNKNOWN)  MISC  http://www.coseinc.com/alert.html
http://securitytracker.com/id?1017222
(UNKNOWN)  SECTRACK  1017222
http://secunia.com/advisories/22878
(VENDOR_ADVISORY)  SECUNIA  22878

- Vulnerability information

Microsoft Agent ActiveX Control Remote Heap Overflow Vulnerability
High severity  Numeric error
2006-11-14 00:00:00  2007-08-08 00:00:00
Remote

- Advisories and patches

The vendor has released an upgrade patch to fix this security issue; patch download link:
http://www.microsoft.com/technet/security/bulletin/ms06-068.mspx

- Vulnerability information

30262
Microsoft Windows Agent ACF File Handling Memory Corruption
Input Manipulation
Loss of Integrity Patch / RCS
Vendor Verified

- Vulnerability description

- Timeline

2006-11-14 Unknown
Unknown 2006-11-14

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Microsoft Agent ActiveX Control Remote Code Execution Vulnerability
Boundary Condition Error 21034
Yes No
2006-11-14 12:00:00 2007-01-30 05:29:00
This issue was disclosed in the referenced vendor advisory.

- Affected program versions

Nortel Networks Web-Centric Voice Application Development Suite 0
Nortel Networks Web Centric Self-Svc VoiceXML
Nortel Networks Web Centric Self-Svc CCXML
Nortel Networks Self-Service Speech Server 0
Nortel Networks Self-Service Peri Application 0
Nortel Networks Self-Service MPS 500 0
Nortel Networks Self-Service MPS 1000 0
Nortel Networks Self-Service MPS 100 0
Nortel Networks Multimedia Comm MCS5100
Nortel Networks Enterprise VoIP TM-CS1000
Nortel Networks Enterprise Network Management System
Nortel Networks Contact Center Manager Server 0
Nortel Networks Centrex IP Element Manager 9.0
Nortel Networks Centrex IP Element Manager 8.0
Nortel Networks Centrex IP Element Manager 7.0
Nortel Networks CallPilot 703t
Nortel Networks CallPilot 702t
Nortel Networks CallPilot 201i
Nortel Networks CallPilot 200i
Nortel Networks CallPilot 1002rp
Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows XP Tablet PC Edition
Microsoft Windows XP Professional x64 Edition
Microsoft Windows XP Professional SP2
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Home SP2
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows XP 0
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
HP Storage Management Appliance 2.1
+ HP Storage Management Appliance III
+ HP Storage Management Appliance II
+ HP Storage Management Appliance I
Avaya S8100 Media Servers R9
Avaya S8100 Media Servers R8
Avaya S8100 Media Servers R7
Avaya S8100 Media Servers R6
Avaya S8100 Media Servers R12
Avaya S8100 Media Servers R11
Avaya S8100 Media Servers R10
Avaya S8100 Media Servers 0
+ Microsoft Windows 2000 Server
+ Microsoft Windows NT Server 4.0 SP6a

- Vulnerability discussion

The Microsoft Agent ActiveX control is prone to remote code execution.

An attacker could exploit this issue to execute code in the context of the user visiting a malicious web page.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:vuldb@securityfocus.com.

- Solution

Microsoft has released security advisory MS06-068 to address this issue in supported versions of affected applications. Please see the referenced advisory for more information.

Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1
Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows XP Home SP2
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows XP Professional SP2
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Professional SP4

- Related references
