Affected systems:
Microsoft Office XP SP3
Microsoft Office 2004 for Mac
Description:
BUGTRAQ ID: 38073
CVE ID: CVE-2010-0243
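Microsoft Office is a very popular office software suite.
A buffer overflow vulnerability exists in the way the MSO.DLL library of Microsoft Office handles specially crafted Office files. An attacker who successfully exploits this vulnerability can take complete control of the affected system.
The vulnerability is caused by the code in the MSO.DLL library responsible for parsing OfficeArtSpgr (recType 0xF003) containers, which does not perform checks to ensure that a valid group exists before loading the SPGR from the file. The following is a disassembly of the vulnerable code segment: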
/-----
30BDE405 CMP ECX,0F003
30BDE40B JB mso.30EFD183
30BDE411 CMP ECX,0F004
30BDE417 JA mso.30BDE4C8
30BDE41D XOR ESI,ESI
30BDE41F LEA EAX,DWORD PTR SS:[EBP-8]
30BDE422 PUSH ESI
30BDE423 PUSH EAX
30BDE424 PUSH EDI
30BDE425 MOV ECX,EBX
30BDE427 CALL mso.30BDEC18
30BDE42C TEST EAX,EAX
30BDE42E JE mso.30EFD21A
30BDE434 MOV EDX,DWORD PTR SS:[EBP-8]
30BDE437 MOV EAX,DWORD PTR DS:[EDX+50]
30BDE43A TEST AL,10
30BDE43C JE mso.30BDE356
30BDE442 TEST AL,4
30BDE444 JE mso.30EFD21A
30BDE44A CMP WORD PTR DS:[EDX+24],SI
30BDE44E JNZ mso.30EFD21A
30BDE454 PUSH 23
30BDE456 LEA EDI,DWORD PTR DS:[EBX+90]
30BDE45C POP ECX
30BDE45D MOV ESI,EDX
30BDE45F LEA EAX,DWORD PTR DS:[EBX+F0]
30BDE465 ADD EDX,58
30BDE468 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
30BDE46A CMP DWORD PTR DS:[EAX],EDX
30BDE46C MOV DWORD PTR DS:[EBX+CC],EBX
30BDE472 JE mso.30EFD12E
30BDE478 MOV ECX,DWORD PTR DS:[EAX]
30BDE47A MOV DWORD PTR DS:[ECX],EAX ;*Access Violation On Write*
registers
eax=017f068c ebx=017f059c ecx=0e000e00 edx=017f0870 esi=017f08a4
edi=017f06b8
eip=30dd70cc esp=00137674 ebp=00137714 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
-----/
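An added example, not part of the original advisory and not Microsoft's code: a structural check of the kind the description says was missing, run over an already extracted OfficeArt record stream. The 8-byte record header layout and the values 0xF004 and 0xF009 are assumptions taken from the [MS-ODRAW] format, and treating "a valid group exists" as "the group record sits in a shape container directly under a 0xF003 container" is this example's reading.

```python
import struct

SPGR_CONTAINER = 0xF003  # OfficeArtSpgr container, the recType named in the advisory
SP_CONTAINER = 0xF004    # shape container (value assumed from [MS-ODRAW])
FSPGR = 0xF009           # group coordinate record (value assumed from [MS-ODRAW])
MAX_DEPTH = 32           # arbitrary cap so hostile nesting cannot exhaust the stack

def check_records(buf, start=0, end=None, ancestors=()):
    """Walk OfficeArt records in buf[start:end]; return [(offset, finding), ...]."""
    end = len(buf) if end is None else end
    findings, pos = [], start
    while pos < end:
        if end - pos < 8:
            findings.append((pos, "truncated record header"))
            break
        # Header: recVer/recInstance (16 bits), recType (16 bits), recLen (32 bits).
        ver_inst, rec_type, rec_len = struct.unpack_from("<HHI", buf, pos)
        body = pos + 8
        if rec_len > end - body:
            findings.append((pos, "recLen overruns enclosing record"))
            break
        # Group data is only accepted inside a shape that belongs to a group.
        if rec_type == FSPGR and ancestors[-2:] != (SPGR_CONTAINER, SP_CONTAINER):
            findings.append((pos, "FSPGR outside a group container"))
        if (ver_inst & 0xF) == 0xF:  # recVer 0xF marks a container record
            if len(ancestors) >= MAX_DEPTH:
                findings.append((pos, "container nesting too deep"))
            else:
                findings += check_records(buf, body, body + rec_len,
                                          ancestors + (rec_type,))
        pos = body + rec_len
    return findings

def rec(rec_type, payload=b"", container=False):
    """Build one constructed record: 8-byte header followed by payload."""
    ver = 0xF if container else 0x1
    return struct.pack("<HHI", ver, rec_type, len(payload)) + payload

# Constructed sample inputs (not taken from any real document).
GROUPED = rec(SPGR_CONTAINER, rec(SP_CONTAINER, rec(FSPGR, bytes(16)), True), True)
ORPHAN = rec(SP_CONTAINER, rec(FSPGR, bytes(16)), True)
OVERRUN = struct.pack("<HHI", 0xF, SPGR_CONTAINER, 0x1000) + bytes(4)

if __name__ == "__main__":
    for name, blob in (("grouped", GROUPED), ("orphan", ORPHAN), ("overrun", OVERRUN)):
        print(name, check_records(blob))
```

A finding here means the record tree is malformed and the file should be quarantined for analysis; it does not by itself establish that the file targets CVE-2010-0243.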
<*Source: Damian Frizza
Links: http://secunia.com/advisories/38481/
http://marc.info/?l=bugtraq&m=126574746103677&w=2
http://www.microsoft.com/technet/security/Bulletin/MS10-003.mspx?pf=true
http://www.us-cert.gov/cas/techalerts/TA10-040A.html
*>
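Recommendations:
Workaround:
* Do not open or save Microsoft Office files received from untrusted sources, or received unexpectedly from trusted sources.
Vendor patch: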
Microsoft
---------
Microsoft has released a security bulletin (MS10-003) and a corresponding patch for this issue:
MS10-003:Vulnerability in Microsoft Office (MSO) Could Allow Remote Code Execution (978214)
Link: http://www.microsoft.com/technet/security/Bulletin/MS10-003.mspx?pf=true
Patch downloads:
http://www.microsoft.com/downloads/details.aspx?familyid=47553f45-fa10-40e5-8267-9d42ff560a62
http://www.microsoft.com/downloads/details.aspx?FamilyID=7c985595-00c5-44b8-81c3-59d9967220f8