Microsoft Jet MDB File Parsing Remote Stack Overflow Vulnerability

Vulnerability ID: 1113952    Vulnerability type: Buffer overflow
Published: 2007-11-16    Updated: 2009-04-01
CVE ID: CVE-2007-6026    CNNVD-ID: CNNVD-200711-276
Platform: Windows    CVSS score: 9.3
|Vulnerability Sources
https://www.exploit-db.com/exploits/4625
https://cxsecurity.com/issue/WLB-2007110050
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200711-276
|Vulnerability Details
The Microsoft Jet database is a lightweight database widely used by MS Office applications. The Jet database has a buffer overflow vulnerability when it processes malformed MDB files; a remote attacker may exploit it, by enticing a user to process a malicious file, to take control of the server.

Office Access calls the Jet database engine (msjet40.dll) when it parses an MDB file. If a malicious MDB file is parsed, a stack overflow is triggered in the following code:

C:\Windows\System32\msjet40.dll, version 4.0.8618.0

    .text:1B0B72BB    mov   ecx, edx          ; ecx=0x5200
    .text:1B0B72BD    mov   esi, edi          ; esi point to the datas
    .text:1B0B72BF    mov   ebp, ecx          ; which can be find in the mdb file
    .text:1B0B72C1    lea   edi, [esp+40h]    ; edi point to stack memory
    .text:1B0B72C5    shr   ecx, 2
    .text:1B0B72C8    rep movsd               ; stack overflow!!
    .text:1B0B72CA    mov   ecx, ebp
    .text:1B0B72CC    mov   eax, [eax+1]
    .text:1B0B72CF    and   ecx, 3
    .text:1B0B72D2    rep movsb

Debugging information follows:

    eax=05f5cb67 ebx=05e66458 ecx=00005200 edx=00005200 esi=05f5cd12 edi=0013db60
    eip=1b0b72c5 esp=0013db20 ebp=00005200 iopl=0         nv up ei pl nz ac pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
    msjet40!Ordinal55+0x23cd8:
    1b0b72c5 c1e902          shr     ecx,2
    0:000> u eip
    msjet40!Ordinal55+0x23cd8:
    1b0b72c5 c1e902          shr     ecx,2
    1b0b72c8 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
    1b0b72ca 8bcd            mov     ecx,ebp
    1b0b72cc 8b4001          mov     eax,dword ptr [eax+1]
    1b0b72cf 83e103          and     ecx,3
    1b0b72d2 f3a4            rep movsb
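
The length check that a file-driven copy into a fixed stack buffer needs, written out in C as an added example (it is not Microsoft's code and not part of the original advisory). The record layout, the 256-byte buffer size and all function names are assumptions; the page gives only the copy length 0x5200 and the stack destination [esp+40h].

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_BUF 256u /* assumed destination size; the page does not give it */
enum { FIELD_OK = 0, FIELD_TRUNCATED = -1, FIELD_TOO_LONG = -2 };

/* Hypothetical record layout, NOT the real MDB format:
 * [u16 little-endian length][length bytes of data] */
static int read_field(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (rec_len < 2) return FIELD_TRUNCATED;
    size_t len = (size_t)rec[0] | ((size_t)rec[1] << 8);
    if (len > rec_len - 2)  /* length must fit in the remaining input */
        return FIELD_TRUNCATED;
    if (len > out_cap)      /* length must fit in the destination buffer */
        return FIELD_TOO_LONG;
    memcpy(out, rec + 2, len);
    *out_len = len;
    return FIELD_OK;
}

/* Caller with a fixed stack buffer, like the one at [esp+40h]. */
int field_sum(const uint8_t *rec, size_t rec_len, uint32_t *sum)
{
    uint8_t buf[FIELD_BUF];
    size_t n = 0;
    int rc = read_field(rec, rec_len, buf, sizeof buf, &n);
    if (rc != FIELD_OK) return rc;
    *sum = 0;
    for (size_t i = 0; i < n; i++) *sum += buf[i];
    return FIELD_OK;
}

/* Constructed input: a record whose length field is 0x5200, the value
 * seen in ecx on the page, followed by that many zero bytes. */
int demo_oversized(void)
{
    static uint8_t rec[2 + 0x5200] = { 0x00, 0x52 };
    uint32_t sum = 0;
    return field_sum(rec, sizeof rec, &sum);
}

int main(void)
{
    printf("0x5200-byte field -> %d\n", demo_oversized());
    return 0;
}
```

The parser rejects the record before any byte is copied, so the caller's stack frame is never touched by the oversized field.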
|Exploit
Microsoft Jet Engine MDB File Parsing Stack Overflow Vulnerability

by cocoruder(frankruder_at_hotmail.com)
http://ruder.cdut.net


Summary:

    A remote code execution vulnerability exists in Microsoft Jet
Engine. A remote attacker who successfully exploits this vulnerability
can execute arbitrary code on the affected system.


Affected Software Versions:

    Microsoft Office Access 2003 sp3 on Windows XP SP2(chinese)
    (Other versions may also be affected)

How to Reproduce:

    Open the attached file
"Microsoft_Jet_Engine_MDB_File_Parsing_Exploit.mdb" with Office Access
2003 sp3 on Windows XP SP2, then "calc.exe" will be executed, please
do not use the exploit for attacking.

The attached file is at:

    http://ruder.cdut.net/attach/MS_MDB_Vul/Microsoft_Jet_Engine_MDB_File_Parsing_Exploit.rar
    Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/4625.rar (11162007-Microsoft_Jet_Engine_MDB_File_Parsing_Exploit.rar)

    MD5 Hash:73243B8823C8DC2C88AE0529CA13C4C6

# milw0rm.com [2007-11-16]
|References

Source: US-CERT
Name: TA08-134A
Link: http://www.us-cert.gov/cas/techalerts/TA08-134A.html
Source: US-CERT
Name: VU#936529
Link: http://www.kb.cert.org/vuls/id/936529
Source: MS
Name: MS08-028
Link: http://www.microsoft.com/technet/security/bulletin/ms08-028.mspx
Source: XF
Name: microsoft-jet-engine-mdb-bo(38499)
Link: http://xforce.iss.net/xforce/xfdb/38499
Source: SECTRACK
Name: 1018976
Link: http://www.securitytracker.com/id?1018976
Source: BID
Name: 28398
Link: http://www.securityfocus.com/bid/28398
Source: BID
Name: 26468
Link: http://www.securityfocus.com/bid/26468
Source: BUGTRAQ
Name: 20080513 TPTI-08-04: Microsoft Office Jet Database Engine Column Parsing Stack Overflow Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/492019/100/0/threaded
Source: BUGTRAQ
Name: 20071118 Re: [Full-disclosure] Microsoft Jet Engine MDB File Parsing Stack Overflow Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/483888/100/100/threaded
Source: BUGTRAQ
Name: 20071117 Re: Microsoft Jet Engine MDB File Parsing Stack Overflow Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/48388