[Repost] Microsoft Outlook Express NNTP LIST Buffer Overflow Vulnerability and Analysis (MS05-030)
Source: [url]www.securiteam.com[/url]
Summary
Microsoft Outlook Express is an email and news client bundled with operating systems and the Internet Explorer web browser by Microsoft.
The NNTP news reader embedded in Outlook Express is vulnerable to a stack-based buffer overflow. Exploiting this vulnerability allows a remote attacker to execute arbitrary code with the privileges of the Outlook Express user.
Credit:
The information has been provided by iDEFENSE.
The original article can be found at: [url]http://www.idefense.com/application/poi/display?id=263&type=vulnerabilities[/url]
Details
Vulnerable Systems:
* Microsoft Outlook Express shipped with Microsoft Windows 2000 SP4 (MSOE.DLL version 5.50.4927.1200)
Remote exploitation of a buffer overflow vulnerability in the news reader functionality of Microsoft's Outlook Express allows attackers to execute arbitrary code under the current user's privileges.
The vulnerability specifically exists when parsing Network News Transfer Protocol (NNTP, RFC 977) server responses after issuing a "LIST" command. A stack-based buffer overflow occurs within a routine in MSOE.dll, found in "C:\Program Files\Outlook Express\MSOE.DLL." The addresses and offsets that follow are based on MSOE.DLL version 5.50.4927.1200 as shipped with Microsoft Windows 2000 SP4. When parsing a server response of the following form:
alt.12hr 0<LONG STRING>000001325 0000001322 y\r\n
FIELD1 FIELD2 FIELD3 FIELD4 TERMINATOR
Several string-parsing loops call CharNext() and IsSpace() to determine the length of each whitespace-delimited field. An inline StrCpy() equivalent then copies FIELD2 into a fixed-size (16-byte) stack buffer, using the field's own length as the copy count:
SUB_6AED247A()
...
6AED268B mov eax, ebx ; eax = start of FIELD2
6AED268D lea edi, [ebp+buff] ; edi = stack variable
6AED2690 sub eax, esi ; esi = end of FIELD2
6AED2692 mov ecx, eax ; ecx = length of FIELD2
6AED2694 mov edx, ecx ; edx = length of FIELD2
6AED2696 shr ecx, 2
6AED2699 rep movsd ; *** overflow occurs here
6AED269B mov ecx, edx
6AED269D and ecx, 3
6AED26A0 rep movsb ; copy remaining bytes
6AED26A2 and byte ptr [ebp+eax+buff], 0 ; null terminate the string
The copied buffer is later passed to the routine StrToIntA(). Because the copy count in ecx is derived from the length of FIELD2 rather than the size of the destination, the "rep movsd" instruction at 0x6AED2699 writes user-supplied data past the end of the 16-byte stack buffer. An attacker can overwrite the stack-stored Structured Exception Handler (SEH) record to alter instruction flow and eventually execute arbitrary code.
Outlook Express as shipped with Windows XP SP2 is not affected. The following excerpt from MSOE.DLL version 6.0.2900.2180 shows that a check has been added that limits the length of FIELD2 to 14 bytes:
SUB_60354869()
...
60354A7B mov edi, ebx ; edi = current location
60354A7D sub edi, [ebp+var_11C] ; edi = length of field2
60354A83 cmp edi, 14 ; if length of field2 > 14
60354A86 jbe short loc_60354A8D
60354A88 push 14
60354A8A pop edi ; length of field2 = 14
Furthermore, no StrCpy() or equivalent instruction sequence is used to build a new buffer for StrToIntA(). Instead, FIELD2 is null-terminated in place and a pointer to the start of FIELD2 is passed to StrToIntA(), so no fixed-size destination buffer is involved at all.
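The following C program is an added illustration, not code from MSOE.DLL or from the iDefense advisory. It models the two parse routines described above side by side: the vulnerable shape, which copies FIELD2 into a 16-byte buffer with a length taken from the field itself, and the fixed shape, which clamps the field to 14 bytes and null-terminates it in place before converting it. The modelled stack region (a 16-byte buff followed by an exception-handler slot at an assumed offset of 40), the helper names and both sample LIST response lines are constructed for this example; the real frame layout is not given on this page.

```c
/*
 * Constructed model of the Outlook Express LIST-response parse (MS05-030).
 * Not MSOE.DLL code. Frame layout, names and sample lines are assumptions.
 */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFF_SIZE    16   /* size of [ebp+buff] in the vulnerable routine      */
#define FRAME_SIZE   64   /* assumed: modelled stack region starting at buff   */
#define HANDLER_OFF  40   /* assumed: offset of a saved SEH handler in the model */
#define FIELD2_MAX   14   /* clamp added in MSOE.DLL 6.0.2900.2180             */

#define HANDLER_SENTINEL 0x7C9037BFu   /* arbitrary "original handler" value */

/* buff lives at offset 0; a saved exception-handler pointer sits at HANDLER_OFF. */
struct model_frame { unsigned char bytes[FRAME_SIZE]; };

static void frame_init(struct model_frame *f) {
    uint32_t h = HANDLER_SENTINEL;
    memset(f->bytes, 0, sizeof f->bytes);
    memcpy(f->bytes + HANDLER_OFF, &h, sizeof h);
}

static uint32_t frame_handler(const struct model_frame *f) {
    uint32_t h;
    memcpy(&h, f->bytes + HANDLER_OFF, sizeof h);
    return h;
}

/* Walk a "group high low flag" line with the same whitespace rule the
 * CharNext()/IsSpace() loops apply; return start of FIELD2 and its length. */
static const char *find_field2(const char *line, size_t *len) {
    const char *p = line;
    while (*p && !isspace((unsigned char)*p)) p++;   /* FIELD1: group name   */
    while (*p && isspace((unsigned char)*p)) p++;    /* delimiter            */
    const char *start = p;
    while (*p && !isspace((unsigned char)*p)) p++;   /* FIELD2: high article */
    *len = (size_t)(p - start);
    return start;
}

/* Vulnerable shape: FIELD2 copied into buff with no bound check, as the
 * rep movsd / rep movsb sequence does. Returns the number of bytes written
 * past buff (0 for a benign line), or -1 if the field would leave the
 * modelled frame; the real code has no such guard, the model stops there
 * only so that its behaviour stays defined. */
static long vulnerable_copy_field2(const char *line, struct model_frame *f, long *value) {
    size_t len;
    const char *src = find_field2(line, &len);
    if (len + 1 > FRAME_SIZE) return -1;
    unsigned char *dst = f->bytes;                          /* lea edi, [ebp+buff]   */
    for (size_t i = 0; i < len; i++) dst[i] = (unsigned char)src[i]; /* rep movsd/movsb */
    dst[len] = 0;                                           /* byte [ebp+eax+buff]=0 */
    *value = strtol((const char *)dst, NULL, 10);           /* StrToIntA() on copy   */
    return len + 1 > BUFF_SIZE ? (long)(len + 1 - BUFF_SIZE) : 0;
}

/* Fixed shape: length clamped to 14, the field null-terminated in place and
 * a pointer to it handed to the conversion; nothing is copied into a buffer. */
static long fixed_parse_field2(char *line) {
    size_t len;
    const char *start = find_field2(line, &len);
    if (len > FIELD2_MAX) len = FIELD2_MAX;                 /* cmp edi,14 / jbe / push 14 ; pop edi */
    char *end = line + (start - line) + len;
    char saved = *end;
    *end = '\0';
    long v = strtol(start, NULL, 10);
    *end = saved;
    return v;
}

/* Constructed line of the shape shown in the advisory: 0<48 x 'A'>000001325. */
static void build_attack_line(char *out, size_t n) {
    snprintf(out, n, "alt.12hr 0%.*s000001325 0000001322 y", 48,
             "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
}

int main(void) {
    struct model_frame f;
    long high = 0;
    char benign[] = "alt.12hr 0000001325 0000001322 y";   /* constructed benign line */
    char attack[128];
    build_attack_line(attack, sizeof attack);

    frame_init(&f);
    long spilled = vulnerable_copy_field2(benign, &f, &high);
    printf("benign : high=%ld spilled=%ld handler=%#x\n", high, spilled, frame_handler(&f));

    frame_init(&f);
    spilled = vulnerable_copy_field2(attack, &f, &high);
    printf("attack : spilled=%ld handler=%#x (was %#x)\n", spilled, frame_handler(&f), HANDLER_SENTINEL);

    printf("fixed  : benign=%ld attack=%ld (clamped to %d bytes)\n",
           fixed_parse_field2(benign), fixed_parse_field2(attack), FIELD2_MAX);
    return 0;
}
```

The model makes the two points of the advisory observable without corrupting a real stack: with the overlong FIELD2 the vulnerable copy writes 43 bytes past buff and the handler slot ends up holding 0x41414141, the attacker-controlled bytes that a real exploit would replace with a pointer; the clamped, in-place parse leaves the frame untouched and simply yields 0 for the same line.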
Exploitation of the described vulnerability allows remote attackers to execute arbitrary code under the privileges of the currently logged-on user. An attacker must set up a malicious NNTP server and either force or convince a target user to connect to it with Outlook Express. On at least Windows 2000 and Windows XP systems the default handler for the "news://" URI is Outlook Express, so an attacker can cause a target user to connect to the malicious server through a link such as:
[url]news://attack.server.ip[/url]
The impact of this vulnerability is mitigated by the fact that when the target user connects to the malicious server he or she will be presented with a yes/no dialog box containing the following text:
"You are not subscribed to any newsgroups in this account.
Would you like to view a list of available newsgroups now?"
The user must select "yes" for exploitation to occur.
Workaround:
Disable Outlook Express as the default "news://" URI handler and connect to untrusted news sources with an unaffected news reader. The URI handler can be removed by deleting the following registry key:
HKEY_CLASSES_ROOT\news\shell\open\command
Alternatively, Windows XP users can install service pack 2.
Disclosure Timeline:
* 11.16.04 - Initial vendor notification
* 11.18.04 - Initial vendor response
* 06.14.05 - Coordinated public disclosure
Vendor Status:
The vendor security advisory and appropriate patches are available at:
[url]http://www.microsoft.com/technet/security/Bulletin/MS05-030.mspx[/url]
CVE Information:
CAN-2005-1213