Microsoft Internet Explorer Script Action Handler Overflow Vulnerability

Vulnerability ID 1109916 Vulnerability type Buffer overflow
Published 2006-03-16 Updated 2006-04-17
CVE ID CVE-2006-1245 CNNVD ID CNNVD-200603-280
Platform Windows CVSS score 7.5
|Sources
https://www.exploit-db.com/exploits/27433
https://www.securityfocus.com/bid/17131
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200603-280
|Vulnerability details
Microsoft Internet Explorer is a very popular web browser published by Microsoft. Internet Explorer's script handler has a problem when processing an excessive number of script actions; a remote attacker could exploit this vulnerability to crash IE on the client machine, or to execute arbitrary code. If an attacker specifies several thousand script action handlers (such as onLoad, onMouseMove, etc.) for a single HTML tag, then, because of a programming error, IE attempts to write to a memory array out of bounds, at an offset roughly equal to the script action handler ID multiplied by 4. The result of the overflow depends on the structure of the page in which the malicious tag is embedded, as well as on the pages visited beforehand and the extensions that have been initialized. If the malicious page contains no other elements and the user was not redirected to the page from elsewhere, the browser crashes immediately, because no memory is allocated at the offset above. In other cases the crash may be somewhat delayed.
|Vulnerability EXP
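As an added defender-side illustration, not part of the CNNVD record or of the SecurityFocus proof of concept: a small content-scanning check that counts the script action handler attributes (onclick, onload, onmousemove, and so on) carried by each start tag of an HTML document and flags any tag whose count exceeds a threshold, which is exactly the condition the paragraph above describes. The threshold value, the function names and the constructed sample HTML are assumptions made for this example; the tokenizer is intentionally simple (one tag body per `<...>`), which is enough for triage of a captured page or proxy log, not a full HTML parser.

```javascript
// Added example (not from the advisory): flag HTML in which a single tag
// carries an abnormal number of script action handler attributes.

// Assumed threshold: real pages rarely put more than a handful of on* handlers
// on one element, so anything in the dozens is worth a closer look.
const HANDLER_THRESHOLD = 64;

// Count on* attributes inside every start tag of an HTML string.
// Everything between '<tag' and the next '>' is treated as that tag's attribute
// body, so a run such as "<a onclick=<a onclick=..." counts as one flooded tag.
function countHandlersPerTag(html) {
  const results = [];
  const tagRe = /<([a-zA-Z][\w-]*)([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrBody = m[2];
    // an attribute name "on" + letters, followed by '=' or whitespace or end of body
    const handlers = attrBody.match(/\bon[a-zA-Z]+(?=\s*=|\s|$)/g) || [];
    results.push({ tag: m[1].toLowerCase(), handlerCount: handlers.length, offset: m.index });
  }
  return results;
}

// Return only the tags whose handler count reaches the threshold.
function findSuspiciousTags(html, threshold = HANDLER_THRESHOLD) {
  return countHandlersPerTag(html).filter((t) => t.handlerCount >= threshold);
}

// Constructed sample inputs (not taken from the advisory).
const benignHtml =
  '<html><body><a href="/x" onclick="go()" onmouseover="hl()">link</a></body></html>';

// Build one element carrying n handler attributes, the shape the advisory describes.
function buildFloodedTag(n) {
  let attrs = '';
  for (let i = 0; i < n; i++) attrs += ' onmousemove=h' + i + '()';
  return '<html><body><div' + attrs + '></div></body></html>';
}

// Usage: run the check over both samples and report what was flagged.
function scanReport(html) {
  const hits = findSuspiciousTags(html);
  return hits.length === 0
    ? 'clean'
    : hits.map((h) => `<${h.tag}> at offset ${h.offset} carries ${h.handlerCount} handlers`).join('; ');
}

console.log('benign:  ' + scanReport(benignHtml));
console.log('flooded: ' + scanReport(buildFloodedTag(4096)));
```

The per-tag count, rather than a whole-document count, is the useful signal here: a large page legitimately has many handlers spread over many elements, while the fault described above needs thousands attached to one tag.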
source: http://www.securityfocus.com/bid/17131/info

Microsoft Internet Explorer is susceptible to a remote buffer-overflow vulnerability in 'MSHTML.DLL'. The application fails to properly bounds-check user-supplied input data before copying it into an insufficiently sized memory buffer.

Remote attackers may exploit this issue to crash affected web browsers. Remote code execution may also be possible, but this has not been confirmed.

Internet Explorer 6 is vulnerable to this issue; other versions may also be affected.

The following proof of concept is available:

<script>
for(s='<a onclick=',i=0;i<8||(document.write(s+'>'));i++)s+=s;
</script>
|Affected products
Microsoft Internet Explorer 5.0.1 SP4 - Microsoft Windows 2000 Advanced Server SP4 - Microsoft Windows 2000 Datacenter Server SP4 -
|References

Source: US-CERT
Name: TA06-101A
Link: http://www.us-cert.gov/cas/techalerts/TA06-101A.html
Source: US-CERT
Name: VU#984473
Link: http://www.kb.cert.org/vuls/id/984473
Source: BID
Name: 17131
Link: http://www.securityfocus.com/bid/17131
Source: MS
Name: MS06-013
Link: http://www.microsoft.com/technet/security/bulletin/ms06-013.mspx
Source: VUPEN
Name: ADV-2006-1318
Link: http://www.frsirt.com/english/advisories/2006/1318
Source: SECTRACK
Name: 1015794
Link: http://securitytracker.com/id?1015794
Source: SECUNIA
Name: 19269
Link: http://secunia.com/advisories/19269
Source: SECUNIA
Name: 18957
Link: http://secunia.com/advisories/18957
Source: XF
Name: ie-mshtml-bo(25292)
Link: http://xforce.iss.net/xforce/xfdb/25292
Source: BUGTRAQ
Name: 20060325 Re: [optimized PoC] Remote overflow in MSIE script action handlers (mshtml.dll)
Link: http://www.securityfocus.com/archive/1/archive/1/428810/100/0/threaded
Source: OSVDB
Name: 23964
Link: http://www.osvdb.org/23964
Source: BUGTRAQ
Name: 20060316 Remote overflow in MSIE script action handlers (mshtml.dll)
Link: http://archives.neohapsis.com/archives/bugtraq/2006-02/0855.html
Source: BUGTRAQ
Name: 20061