Microsoft IE Vector Markup Language VGX.DLL Compressed File Handling Remote Heap Overflow Vulnerability (MS07-050)

Vulnerability ID: 1113464    Vulnerability type: Buffer overflow
Published: 2007-08-14    Updated: 2008-08-28
CVE ID: CVE-2007-1749    CNNVD ID: CNNVD-200708-211
Platform: Windows    CVSS score: 9.3
|Vulnerability Sources
https://www.exploit-db.com/exploits/30494
https://www.securityfocus.com/bid/25310
https://cxsecurity.com/issue/WLB-2007080087
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200708-211
|Vulnerability Details
Internet Explorer is Microsoft's widely used web browser. IE's VML implementation contains a buffer overflow when processing malformed GZIP-compressed files; a remote attacker could exploit it to take control of the user's system. VGX.DLL is the IE component that renders VML, and its CDownloadSink class handles data downloaded from URLs embedded in VML. For example, VML that references http://malice/compressed.emz downloads additional content that is processed by VGX.DLL!CDownloadSink::OnDataAvailable. VGX.DLL!CDownloadSink::OnDataAvailable has an integer overflow when computing the read length limit, which ultimately causes URLMON.DLL!CMimeFt::SmartRead to overflow a heap buffer during subsequent processing. The second argument passed to CDownloadSink::OnDataAvailable ([EBP+10h]) is the length of the compressed file data received, but when the function computes the read limit it passes to URLMON.DLL!CReadOnlyStreamDirect::Read, it subtracts the length of the uncompressed data already in the buffer from the compressed data length. If the uncompressed data is larger than the total compressed data length, the subtraction underflows and a very large value (roughly 4 GB) is used as the read limit. If the length of data read afterwards exceeds the unused space remaining in the buffer, the heap overflows. Triggering this vulnerability requires CDownloadSink::OnDataAvailable to be called at least twice: once to load the buffer with a non-zero number of uncompressed bytes, and once to cause the overflow, so the compressed data must be received in separate chunks. Such chunked delivery can occur legitimately, so even a legitimate site may trigger a non-malicious heap overflow.
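As an added illustration (not code from the advisory, VGX.DLL or URLMON.DLL; all function names and buffer sizes are constructed), the following C models the unchecked length subtraction described above beside a checked form that refuses the underflow and clamps the read to the buffer's free space:

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the read-limit arithmetic described in the advisory;
 * hypothetical names and sizes, not code from VGX.DLL or URLMON.DLL. */
/* Vulnerable form: compressed chunk length (the second argument) minus the
 * uncompressed bytes already buffered, as an unchecked 32-bit subtraction. */
uint32_t read_limit_unchecked(uint32_t compressed_len, uint32_t uncompressed_in_buf)
{
    return compressed_len - uncompressed_in_buf;  /* wraps to ~4 GB if buffer holds more */
}

/* Hardened form: refuse the underflow case and clamp to the buffer's free space.
 * Returns false when the lengths are inconsistent and no read should be issued. */
bool read_limit_checked(uint32_t compressed_len, uint32_t uncompressed_in_buf,
                        uint32_t buf_capacity, uint32_t *limit_out)
{
    if (uncompressed_in_buf > compressed_len || uncompressed_in_buf > buf_capacity)
        return false;
    uint32_t wanted = compressed_len - uncompressed_in_buf;
    uint32_t free_space = buf_capacity - uncompressed_in_buf;
    *limit_out = wanted < free_space ? wanted : free_space;
    return true;
}
/* The clamped limit, or 0 when the read is refused. */
uint32_t checked_limit_or_zero(uint32_t compressed_len, uint32_t uncompressed_in_buf,
                               uint32_t buf_capacity)
{
    uint32_t limit = 0;
    return read_limit_checked(compressed_len, uncompressed_in_buf, buf_capacity, &limit) ? limit : 0u;
}
/* Would reading `limit` bytes into a buffer already holding `used` of `capacity`
 * bytes overflow it? Models the consequence in the later SmartRead. */
bool read_overflows(uint32_t limit, uint32_t used, uint32_t capacity)
{
    return used > capacity || limit > capacity - used;
}
int main(void)
{
    /* Two deliveries, as the advisory requires: the first leaves 3000 uncompressed
     * bytes in a 4096-byte buffer, the second announces a 100-byte compressed chunk. */
    uint32_t used = 3000u, chunk = 100u, cap = 4096u;
    uint32_t bad = read_limit_unchecked(chunk, used);
    printf("unchecked limit %u overflows: %d; checked limit: %u (0 = refused)\n",
           bad, read_overflows(bad, used, cap), checked_limit_or_zero(chunk, used, cap));
    return 0;
}
```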
|Exploit (EXP)
source: http://www.securityfocus.com/bid/25310/info

Microsoft Internet Explorer is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.

This issue occurs when rendering VML (Vector Markup Language) graphics.

Attackers can leverage this issue to execute arbitrary code in the context of the currently logged-in user.

Successful attacks may facilitate the remote compromise of affected computers. Failed attacks will likely cause denial-of-service conditions. 

To exploit this issue, an attacker must entice an unsuspecting user to view a malicious HTML document.

A VML document containing the following construct pointing to a malicious compressed image file will trigger this issue:

<v:rect>
<v:imagedata src="http://www.example.com/compressed.emz">
</v:rect>
|Affected Products
Microsoft Internet Explorer 5.0.1 SP4 - Microsoft Windows 2000 Advanced Server SP4 - Microsoft Windows 2000 Datacenter Server SP4 -
|References

Source: US-CERT
Name: VU#468800
Link: http://www.kb.cert.org/vuls/id/468800
Source: US-CERT
Name: TA07-226A
Link: http://www.us-cert.gov/cas/techalerts/TA07-226A.html
Source: BID
Name: 25310
Link: http://www.securityfocus.com/bid/25310
Source: MS
Name: MS07-050
Link: http://www.microsoft.com/technet/security/bulletin/ms07-050.mspx
Source: SECUNIA
Name: 26409
Link: http://secunia.com/advisories/26409
Source: SECTRACK
Name: 1018568
Link: http://www.securitytracker.com/id?1018568
Source: BUGTRAQ
Name: 20070814 EEYE: VGX.DLL Compressed Content Heap Overflow Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/476498/100/0/threaded
Source: MISC
Link: http://research.eeye.com/html/advisories/published/AD20070814a.html
Source: VUPEN
Name: ADV-2007-2874
Link: http://www.frsirt.com/english/advisories/2007/2874
Source: SREASON
Name: 3020
Link: http://securityreason.com/securityalert/3020
Source: US Government Resource: oval:org.mitre.oval:def:1784
Name: oval:org.mitre.oval:def:1784
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:1784