Microsoft IE6 RDS.DataControl处理URL参数拒绝服务漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1110587 漏洞类型 边界条件错误
发布时间 2006-07-08 更新时间 2008-11-19
CVE编号 CVE-2006-3510 CNNVD-ID CNNVD-200607-156
漏洞平台 Windows CVSS评分 2.6
|漏洞来源
https://www.exploit-db.com/exploits/28194
https://www.securityfocus.com/bid/18900
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200607-156
|漏洞详情
MicrosoftInternetExplorer是微软发布的非常流行的WEB浏览器。InternetExplorer的RDS.DataControl对象在处理JavaScript中的URL参数时存在漏洞,远程攻击者可能利用此漏洞导致IE崩溃。InternetExplorer的RDS.DataControl对象使用OLE32.dll中的SysAllocStringLen例程拷贝JavaScript的URL参数。在Windows2000上,这可能导致无效的长度计算,读取页面以外的内存。在访问破坏之前可能会出现某种形式的堆破坏,但由于堆中没有SEH指针,因此很难利用。
|漏洞EXP
source: http://www.securityfocus.com/bid/18900/info

Microsoft Internet Explorer 6 is reportedly prone to a denial-of-service vulnerability because the application fails to perform boundary checks before copying user-supplied data into sensitive process buffers.

This issue is triggered when an attacker convinces a victim to activate a malicious ActiveX control object.

Remote attackers may exploit this issue to crash Internet Explorer 6, effectively denying service to legitimate users.

A stack-based heap overflow may be possible; as a result, remote code could run in the context of the user running the affected application. This has not been confirmed.

var a = new ActiveXObject('RDS.DataControl');
var b = "X";
while (b.length < (1024*256)) a.URL = (b+=b);
|受影响的产品
Microsoft Internet Explorer 6.0 SP2 - do not use Microsoft Internet Explorer 6.0 SP1 Microsoft Internet Explorer 6.0 - Microsoft Windows 2000 Advanced Server SP2
|参考资料

来源:XF
名称:ie-rdsdatacontrol-url-dos(27621)
链接:http://xforce.iss.net/xforce/xfdb/27621
来源:BID
名称:18900
链接:http://www.securityfocus.com/bid/18900
来源:OSVDB
名称:26955
链接:http://www.osvdb.org/26955
来源:VUPEN
名称:ADV-2006-2718
链接:http://www.frsirt.com/english/advisories/2006/2718
来源:MISC
链接:http://browserfun.blogspot.com/2006/07/mobb-8-rdsdatacontrol-url.html