Microsoft Jet MDB File Parsing Remote Stack Overflow Vulnerability

admin 2022-07-23 06:00:56 CNNVD Vulnerability Source: ZONE.CI Global Network

Vulnerability Details

Microsoft Jet MDB File Parsing Remote Stack Overflow Vulnerability

  • CNNVD ID: CNNVD-200711-276
  • Severity: Critical
  • CVE ID: CVE-2007-6026
  • Vulnerability type: Buffer overflow
  • Published: 2007-11-19
  • Threat type: Remote
  • Updated: 2009-04-01
  • Vendor: microsoft
  • Vulnerability source: cocoruder frankrud...

Vulnerability Summary

Microsoft Jet is a lightweight database engine widely used by MS Office applications.

The Jet database engine contains a buffer overflow vulnerability in its handling of malformed MDB files. A remote attacker may exploit it by luring a user into processing a malicious file and thereby take control of the server.

When Office Access parses an MDB file it calls the Jet database engine (msjet40.dll). If a malicious MDB file is parsed, a stack overflow is triggered in the following code:

C:\Windows\System32\msjet40.dll, version 4.0.8618.0

.text:1B0B72BB mov ecx, edx        ; ecx=0x5200
.text:1B0B72BD mov esi, edi        ; esi points to the data,
.text:1B0B72BF mov ebp, ecx        ; which can be found in the mdb file
.text:1B0B72C1 lea edi, [esp+40h]  ; edi points to stack memory
.text:1B0B72C5 shr ecx, 2
.text:1B0B72C8 rep movsd           ; stack overflow!!
.text:1B0B72CA mov ecx, ebp
.text:1B0B72CC mov eax, [eax+1]
.text:1B0B72CF and ecx, 3
.text:1B0B72D2 rep movsb

Debugger output follows:

eax=05f5cb67 ebx=05e66458 ecx=00005200 edx=00005200 esi=05f5cd12 edi=0013db60
eip=1b0b72c5 esp=0013db20 ebp=00005200 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
msjet40!Ordinal55+0x23cd8:
1b0b72c5 c1e902          shr     ecx,2
0:000> u eip
msjet40!Ordinal55+0x23cd8:
1b0b72c5 c1e902          shr     ecx,2
1b0b72c8 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
1b0b72ca 8bcd            mov     ecx,ebp
1b0b72cc 8b4001          mov     eax,dword ptr [eax+1]
1b0b72cf 83e103          and     ecx,3
1b0b72d2 f3a4            rep movs byte ptr es:[edi],byte ptr [esi]
1b0b72d4 8bb424d4000000  mov     esi,dword ptr [esp+0D4h]
1b0b72db 8b4b28          mov     ecx,dword ptr [ebx+28h]
0:000> db esi
05f5cd12  00 4f 00 53 00 7e 00 31-00 5c 00 56 00 42 00 41  .O.S.~.1.\.V.B.A
05f5cd22  00 5c 00 56 00 42 00 41-00 36 00 5c 00 56 00 42  .\.V.B.A.6.\.V.B
05f5cd32  00 45 00 36 00 2e 00 44-00 4c 00 4c 00 23 00 56  .E.6...D.L.L.#.V
05f5cd42  00 69 00 73 00 75 00 61-00 6c 00 20 00 42 00 61  .i.s.u.a.l. .B.a
05f5cd52  00 73 00 69 00 63 00 20-00 46 00 6f 00 72 00 20  .s.i.c. .F.o.r.
05f5cd62  00 41 00 70 00 70 00 6c-00 69 00 63 00 61 00 74  .A.p.p.l.i.c.a.t
05f5cd72  00 69 00 6f 00 6e 00 73-00 00 00 00 00 00 00 00  .i.o.n.s........
05f5cd82  00 00 00 00 00 12 01 2a-00 5c 00 47 00 7b 00 34  .......*.\.G.{.4
0:000> db edi
0013db60  09 00 00 00 01 00 00 00-18 00 00 00 9a 51 00 1b  .............Q..
0013db70  86 ce 00 1b 00 c0 f5 05-02 00 00 00 e8 dc 13 00  ................
0013db80  22 7c 00 1b 0c 11 f4 05-e8 dc 13 00 c0 10 f4 05  "|..............
0013db90  3c cd 00 1b c0 10 f4 05-00 c0 f5 05 9c 78 e6 05  <............x..
0013dba0  e8 dc 13 00 05 10 92 7c-38 78 e6 05 eb cb 00 1b  .......|8x......
0013dbb0  80 9f a4 05 b0 98 a4 05-01 00 00 00 f2 cb 00 1b  ................
0013dbc0  9c 78 e6 05 e8 dc 13 00-4c dc 13 00 4c dc 13 00  .x......L...L...
0013dbd0  01 00 00 00 60 f3 00 1b-80 9f a4 05 02 00 00 00  ....`...........
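The C program below is an added illustration and is not code from msjet40.dll or from the advisory author. It models the copy pattern visible in the listing above: a length taken from the file (ecx = 0x5200 in the register dump) is split into a dword copy (shr ecx, 2 / rep movsd) and a byte tail (and ecx, 3 / rep movsb) and written to a fixed-size stack buffer with no comparison against that buffer's size. It places that unchecked form next to a hardened form that rejects any length the buffer cannot hold. The 64-byte buffer size, the sample field contents, and all function names are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not msjet40.dll code. STACK_BUF_SIZE is an assumed size for
 * the fixed stack buffer the disassembly addresses as [esp+40h]. */
#define STACK_BUF_SIZE 64u

/* Constructed sample input: 32 bytes of a UTF-16LE path fragment, in the same
 * spirit as the "db esi" dump above (hypothetical contents, not from the file). */
static const uint8_t SAMPLE_FIELD[32] = {
    'O', 0, 'S', 0, '~', 0, '1', 0, '\\', 0, 'V', 0, 'B', 0, 'A', 0,
    '\\', 0, 'V', 0, 'B', 0, 'A', 0, '6', 0, '\\', 0, 'V', 0, 'B', 0
};

/* Mirrors "shr ecx,2; rep movsd; and ecx,3; rep movsb": copy len/4 dwords,
 * then the remaining len%4 bytes. Like the original it trusts the caller to
 * have room for len bytes at dst. Returns the number of bytes copied. */
static size_t copy_like_rep_movs(uint8_t *dst, const uint8_t *src, uint32_t len)
{
    uint32_t dwords = len >> 2;   /* shr ecx, 2 */
    uint32_t tail   = len & 3;    /* and ecx, 3 */
    uint32_t i;
    for (i = 0; i < dwords; i++) {                  /* rep movsd */
        memcpy(dst + 4u * i, src + 4u * i, 4);
    }
    memcpy(dst + 4u * dwords, src + 4u * dwords, tail);   /* rep movsb */
    return (size_t)dwords * 4u + tail;
}

/* Unchecked form: len comes straight from the file and is never compared with
 * the destination size, so any len greater than STACK_BUF_SIZE overwrites the
 * stack past buf. Returns the number of bytes copied. */
int parse_field_unchecked(const uint8_t *file_data, uint32_t len)
{
    uint8_t buf[STACK_BUF_SIZE];
    return (int)copy_like_rep_movs(buf, file_data, len);
}

/* Hardened form: the file-supplied length is validated against the buffer
 * before any copy. Returns the number of bytes copied, or -1 if rejected. */
int parse_field_checked(const uint8_t *file_data, uint32_t len)
{
    uint8_t buf[STACK_BUF_SIZE];
    if (len > sizeof buf) {
        return -1;   /* malformed record: length exceeds the destination */
    }
    return (int)copy_like_rep_movs(buf, file_data, len);
}

/* The check the original code is missing, exposed as a predicate. */
int length_fits_stack_buffer(uint32_t len)
{
    return len <= STACK_BUF_SIZE;
}

/* Well-formed record: length matches the sample field. */
int demo_benign_length(void)
{
    return parse_field_checked(SAMPLE_FIELD, (uint32_t)sizeof SAMPLE_FIELD);
}

/* Malformed record: the 0x5200 length seen in ecx in the debugger output.
 * The checked parser rejects it before reading anything. */
int demo_hostile_length(void)
{
    return parse_field_checked(SAMPLE_FIELD, 0x5200u);
}

int main(void)
{
    printf("length 32 (well-formed): checked parser copied %d bytes\n",
           demo_benign_length());
    printf("length 0x5200 (from file): checked parser returned %d (rejected)\n",
           demo_hostile_length());
    /* The unchecked parser only behaves on well-formed input. */
    printf("unchecked parser on well-formed input copied %d bytes\n",
           parse_field_unchecked(SAMPLE_FIELD, (uint32_t)sizeof SAMPLE_FIELD));
    return 0;
}
```

The point of the pairing is that the dword/byte split in the assembly is not the defect; the missing comparison between the file-supplied length and the stack buffer size is. A parser that reads a length from an untrusted file must bound it against the destination before the copy, as parse_field_checked does.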

Note that because this is a vulnerability in the Jet engine, some web hosting providers may also be affected: an attacker can upload .asp and .mdb files and exploit the vulnerability through the ADODB.Connection server object.

Vulnerability Bulletin

The vendor has released an upgrade patch to fix this security issue. Patch download link:

http://www.microsoft.com/technet/security/bulletin/ms08-028.mspx?pf=true

References

Source: US-CERT
Name: TA08-134A
Link: http://www.us-cert.gov/cas/techalerts/TA08-134A.HTML

Source: US-CERT
Name: VU#936529
Link: http://www.kb.cert.org/vuls/id/936529

Source: MS
Name: MS08-028
Link: http://www.microsoft.com/technet/security/bulletin/ms08-028.mspx

Source: XF
Name: microsoft-jet-engine-mdb-bo(38499)
Link: http://xforce.iss.net/xforce/xfdb/38499

Source: SECTRACK
Name: 1018976
Link: http://www.securitytracker.com/id?1018976

Source: BID
Name: 28398
Link: http://www.securityfocus.com/bid/28398

Source: BID
Name: 26468
Link: http://www.securityfocus.com/bid/26468

Source: BUGTRAQ
Name: 20080513 TPTI-08-04: Microsoft Office Jet Database Engine Column Parsing Stack Overflow Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/492019/100/0/threaded

Source: BUGTRAQ
Name: 20071118 Re: [Full-disclosure] Microsoft Jet Engine MDB File Parsing Stack Overflow Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/483888/100/100/threaded

Source: BUGTRAQ
Name: 20071117 Re: Microsoft Jet Engine MDB File Parsing Stack Overflow Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/483887/100/100/threaded

Source: BUGTRAQ
Name: 20071116 Re: Microsoft Jet Engine MDB File Parsing Stack Overflow Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/483858/100/100/threaded

Source: BUGTRAQ
Name: 20071116 Microsoft Jet Engine MDB File Parsing Stack Overflow Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/483797/100/0/threaded

Source: SREASON
Name: 3376
Link: http://securityreason.com/securityalert/3376

Source: MISC
Link: http://ruder.cdut.net/blogview.asp?logID=227

Source: OVAL
Name: oval:org.mitre.oval:def:5578
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:5578

Source: HP
Name: SSRT080071
Link: http://marc.info/?l=bugtraq&m=121129490723574&w=2

Source: FULLDISC
Name: 20071116 Microsoft Jet Engine MDB File Parsing Stack Overflow Vulnerability
Link: http://lists.grok.org.uk/pipermail/full-disclosure/2007-November/058531.HTML

Source: MISC
Link: http://dvlabs.tippingpoint.com/advisory/TPTI-08-04

Affected Entities

  • Microsoft Windows_xp:Sp2
  • Microsoft Windows_nt:4.0
  • Microsoft Windows_2003_server
  • Microsoft Windows_2000
  • Microsoft Office:2003:Sp3

Patch

    None available
